Hello,
This appears to be a known issue similar to Filebeat Zeek and date parsing with SMTP broken, but the issue still persists in the filebeat-7.15.1-x86_64.rpm module. As the SMTP Date field's format can vary depending on the implementation, defining the format of the zeek.smtp.date field can potentially cause lots of errors. So I think eliminating the formats definition in the pipeline.yml file in the filebeat packages in the repository would be preferable to many users.
Sample Date formats:
Wed, 10 Nov 2021 22:01:02 -0600 (CST)
Thu, 11 Nov 2021 13:00:01 +0900 (JST)
11 Nov 2021 13:00:20 +0900
Fri, 15 Oct 2021 06:11:22 GMT
Filebeat package and snippet from Zeek's SMTP module:
filebeat-7.15.1-x86_64.rpm
/usr/share/filebeat/module/zeek/smtp/ingest/pipeline.yml
- date:
    field: zeek.smtp.date
    target_field: zeek.smtp.date
    formats:
      - EEE, d MMM yyyy HH:mm:ss Z
    if: ctx.zeek.smtp.date != null
Relevant pipeline:
GET /_ingest/pipeline/filebeat-7.15.1-zeek-smtp-pipeline
{
  "filebeat-7.15.1-zeek-smtp-pipeline" : {
    : snip
    {
      "date" : {
        "field" : "zeek.smtp.date",
        "target_field" : "zeek.smtp.date",
        "formats" : [
          "EEE, d MMM yyyy HH:mm:ss Z"
        ],
        "if" : "ctx.zeek.smtp.date != null"
      }
    },
Any guidance would be greatly appreciated.
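A worked example of the parsing problem described in the post, added here as an illustration; it is not code from the post, from Filebeat or from Zeek. The four inputs are the Date header shapes quoted above, the fifth (`WELL_FORMED`) is a constructed value that does fit the single pattern. The `strptime` pattern is an assumption that approximates the pipeline's Java pattern `EEE, d MMM yyyy HH:mm:ss Z` (weekday and comma mandatory, numeric offset only, nothing allowed after it); the lenient path uses Python's standard-library RFC 5322 parser to show that every sample can still be normalised to a single UTC form.

```python
# Added example (not part of the original post, Filebeat or Zeek).
# Compares a strict single-pattern parse of SMTP Date headers with a
# lenient RFC 5322 parse, and normalises the result to ISO 8601 UTC,
# which is the kind of value an ingest pipeline would want to store.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# The four header shapes quoted in the post.
SAMPLE_DATES = [
    "Wed, 10 Nov 2021 22:01:02 -0600 (CST)",
    "Thu, 11 Nov 2021 13:00:01 +0900 (JST)",
    "11 Nov 2021 13:00:20 +0900",
    "Fri, 15 Oct 2021 06:11:22 GMT",
]

# Constructed value (not from the post) that matches the strict pattern.
WELL_FORMED = "Thu, 11 Nov 2021 13:00:01 +0900"

# Assumption: strptime approximation of the pipeline's Java pattern
# "EEE, d MMM yyyy HH:mm:ss Z". %z takes only numeric offsets (or "Z"),
# so "GMT", a trailing "(CST)" comment, or a missing weekday all fail.
STRICT_PATTERN = "%a, %d %b %Y %H:%M:%S %z"


def parse_strict(value):
    """Return an aware datetime, or None if the single pattern rejects it."""
    try:
        return datetime.strptime(value, STRICT_PATTERN)
    except ValueError:
        return None


def parse_lenient(value):
    """Parse an RFC 5322 Date header value.

    parsedate_to_datetime tolerates an optional weekday, a trailing
    comment such as "(CST)", and alphabetic zones such as GMT.
    Returns None instead of raising on garbage input.
    """
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError, IndexError):
        return None
    if dt.tzinfo is None:
        # "-0000" means "zone unknown"; we assume UTC for normalisation.
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def to_iso_utc(value):
    """Normalise a Date header to ISO 8601 UTC, e.g. for zeek.smtp.date."""
    dt = parse_lenient(value)
    if dt is None:
        return None
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def classify(values):
    """Map each input to (accepted by strict pattern, accepted by lenient parser)."""
    return {
        v: (parse_strict(v) is not None, parse_lenient(v) is not None)
        for v in values
    }


if __name__ == "__main__":
    for value, (strict_ok, lenient_ok) in classify(SAMPLE_DATES + [WELL_FORMED]).items():
        print(f"{value!r}: strict={strict_ok} lenient={lenient_ok} "
              f"utc={to_iso_utc(value)}")
```

Running the script shows that none of the four quoted values survive the strict pattern, while all of them normalise cleanly through the lenient parser. In the ingest pipeline the equivalent choices are the one the post proposes (dropping the fixed `formats` so the field is kept as-is) or listing the additional patterns in the `formats` array, which the date processor accepts as a list; either way, an `on_failure` handler keeps an unexpected Date header from failing the whole document.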