So the firewalls are not sending JSON via UDP - just plain formatted strings. I also see that you got some help about your Fortigate firewall here and your Sidewinder firewall here. Some of this advice I have retained and some I have done a little differently...
IMPORTANT!!!! Read my follow-up notes post before diving in and trying the config below.
# Test harness input: stands in for the real UDP/syslog input so the filter
# section can be exercised offline. Each line below is one raw firewall event
# as it would arrive on the wire (addresses and ids masked as x.x.x.x / xxxx).
# Line 1 is the Fortigate format (key=value, space separated, no syslog header).
# Line 2 is the Sidewinder format (syslog header, then key=value, comma separated).
input {
generator {
lines => [
'<189>date=2018-04-28 time=12:21:13 devname=FIREWALL1 devid=xxxxxxxx logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=x.x.x.x srcport=137 srcintf="VL_MGMT" dstip=x.x.x.x dstport=137 dstintf="port9" poluuid=xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx sessionid=1095303991 proto=17 action=deny policyid=498 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="HTTP Servcice" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel=high',
'<45>Apr 28 12:21:14 FIREWALL2 auditd: date="2018-04-28 04:21:14 +0000",fac=f_kernel_ipfilter,area=a_general_area,type=t_nettraffic,pri=p_major,hostname=FIREWALL2.domain.local,event="session end",application=TCP-443,netsessid=b26845ae3f6b9,src_geo=XX,srcip=x.x.x.x,srcport=35478,srczone=VL_EXT,protocol=6,dstip=x.x.x.x,dstport=443,dstzone=VL_1,bytes_written_to_client=324,bytes_written_to_server=848,rule_name="TESTING RULE",cache_hit=0,start_time="2018-04-28 04:21:13 +0000"'
]
# Emit the sample set once; the rubydebug output further down shows exactly
# two events, one per line.
count => 1
}
}
# Parses both firewall formats into flat key/value fields and sets @timestamp
# from the device's own timestamp rather than the arrival time.
filter {
# Step 1: strip the syslog PRI ("<189>", "<45>") into [priority]; everything
# after it lands in [rest] for the format-specific parsing below.
dissect {
mapping => {
message => "<%{priority}>%{rest}"
}
}
# Step 2: detect the Sidewinder format. Only that format starts with a
# three-letter month abbreviation and a space ("Apr 28 ..."); the Fortigate
# line starts with "date=".
if [rest] =~ /^\w{3}\s/ {
dissect {
mapping => {
# using skip fields for month day and time because in kv 'date' has the UTC based timestamp
# [devname] and [process_name] are taken from the syslog header; [rest] is
# overwritten in place with the remaining key=value payload.
rest => "%{?month} %{?day} %{?time} %{devname} %{process_name}: %{rest}"
}
# The tag is only added when this dissect matched, so a Sidewinder line that
# fails the mapping falls through to the Fortigate branch below (and would
# be parsed with the wrong separator) — watch for _dissectfailure.
add_tag => ["format2"]
}
}
if "format2" in [tags] {
# Sidewinder payload: comma separated key=value pairs, values may be quoted.
# NOTE(review): kv creates one event field per key found in the message, so
# the field set is controlled by log content; if the downstream mapping must
# be bounded, restrict it with include_keys/exclude_keys or put the pairs
# under a target.
kv {
source => "[rest]"
value_split => "="
field_split => ","
remove_field => [ "[message]", "[rest]" ]
}
mutate {
# Sidewinder calls it "protocol"; Fortigate calls it "proto". Normalise to
# the Fortigate name so both formats share one field.
rename => { "protocol" => "proto"}
# !!!!! rename or remove any other fields here (not date though).
}
# [date] already carries an explicit offset, e.g. "2018-04-28 04:21:14 +0000",
# so it parses directly with the Z (zone) token.
date {
match => [ "date", "yyyy-MM-dd HH:mm:ss Z" ]
}
} else {
# handle first format here
# Fortigate payload: space separated key=value pairs. Quoted values with
# embedded spaces (service="HTTP Servcice") stay intact, as the sample
# output shows.
# NOTE(review): same caveat as above — field names come from the message;
# consider include_keys/exclude_keys or a target if that matters here.
kv {
source => "[rest]"
value_split => "="
field_split => " "
remove_field => [ "[message]", "[rest]" ]
}
mutate {
# combine the date and time and add the timezone
# Fortigate gives no offset, so one is appended here. "+0800" assumes the
# device reports local time at a fixed +08:00; the resulting @timestamp in the
# sample output is 04:21:13Z for a 12:21:13 local time.
# NOTE(review): if that site observes DST, prefer the date filter's
# timezone option with a zone name over a fixed offset — TODO confirm.
replace => { "date" => "%{date}T%{time}+0800" }
# !!!!! rename or remove any other fields here (not date though).
# add_field, remove_field etc always runs after any other mutate operations
remove_field => [ "[time]" ]
}
# [date] is now "2018-04-28T12:21:13+0800", which the ISO8601 pattern accepts.
date {
match => [ "date", "ISO8601" ]
}
}
}
# Debug output only: prints each parsed event to the console in the
# Ruby-hash style shown below. Replace with the real output once the field
# set looks right.
output {
stdout {
codec => rubydebug
}
}
This gives...
{
"vd" => "root",
"sequence" => 0,
"sentbyte" => "0",
"subtype" => "forward",
"srcintf" => "VL_MGMT",
"policyid" => "498",
"date" => "2018-04-28T12:21:13+0800",
"level" => "notice",
"srccountry" => "Reserved",
"crscore" => "30",
"devid" => "xxxxxxxx",
"crlevel" => "high",
"@timestamp" => 2018-04-28T04:21:13.000Z,
"dstcountry" => "Reserved",
"dstport" => "137",
"@version" => "1",
"sentpkt" => "0",
"sessionid" => "1095303991",
"appcat" => "unscanned",
"devname" => "FIREWALL1",
"srcip" => "x.x.x.x",
"dstip" => "x.x.x.x",
"poluuid" => "xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx",
"trandisp" => "noop",
"service" => "HTTP Servcice",
"rcvdbyte" => "0",
"dstintf" => "port9",
"type" => "traffic",
"action" => "deny",
"priority" => "189",
"host" => "Elastics-MacBook-Pro.local",
"logid" => "0000000013",
"srcport" => "137",
"craction" => "131072",
"duration" => "0",
"proto" => "17"
}
{
"sequence" => 0,
"start_time" => "2018-04-28 04:21:13 +0000",
"date" => "2018-04-28 04:21:14 +0000",
"src_geo" => "XX",
"@timestamp" => 2018-04-28T04:21:14.000Z,
"hostname" => "FIREWALL2.domain.local",
"dstport" => "443",
"@version" => "1",
"area" => "a_general_area",
"rule_name" => "TESTING RULE",
"tags" => [
[0] "format2"
],
"devname" => "FIREWALL2",
"process_name" => "auditd",
"cache_hit" => "0",
"srcip" => "x.x.x.x",
"pri" => "p_major",
"netsessid" => "b26845ae3f6b9",
"dstip" => "x.x.x.x",
"bytes_written_to_server" => "848",
"dstzone" => "VL_1",
"type" => "t_nettraffic",
"priority" => "45",
"srczone" => "VL_EXT",
"host" => "Elastics-MacBook-Pro.local",
"srcport" => "35478",
"bytes_written_to_client" => "324",
"proto" => "6",
"event" => "session end",
"application" => "TCP-443",
"fac" => "f_kernel_ipfilter"
}