Hello @stephenb ,
I tested your recommendation and the output is OK in the testing phase.
Output:
{
"docs": [
{
"doc": {
"_index": ".ds-fortinet_fortigate.log_forward-default",
"_version": "-3",
"_id": "bx3Uf5gBGjSND2_adBI3",
"_source": {
"agent": {
"name": "<AGENT_NAME>",
"id": "<AGENT_ID>",
"type": "filebeat",
"ephemeral_id": "24a8a5ad-f1ea-4b4a-bde9-ab67c3862d32",
"version": "8.16.6"
},
...
},
"event": {
"code": "0000000013",
"timezone": "+0200",
"kind": "event",
"start": "2025-08-06T16:37:28.894+02:00",
"type": [
"connection",
"end",
"denied"
],
"duration": 0,
"agent_id_status": "verified",
"ingested": "2025-08-06T14:41:26Z",
"action": "deny",
"category": [
"network"
],
"dataset": "fortinet_fortigate.log_forward",
"outcome": "success"
}
},
"_ingest": {
"timestamp": "2025-08-06T16:04:25.65708688Z"
}
}
}
]
}
Yet, after applying this, no data stream is created.
I'm thinking about these problems that you guys talk about: New index not created by ingestion pipeline - #19 by leandrojmp
and it could be a permission problem: Could it be that?