Adding timezone to FortiGate logs

#1

Hello,
I am trying to configure a pipeline that adds a timezone to FortiGate logs, which look like below:

date=2019-05-15 time=10:56:59 devname="…" devid="…" logid="…" type="traffic" subtype="local" level="notice" vd="root" eventtime=1557910619 srcip=… srcname="…" srcport=137 srcintf="lan" srcintfrole="lan" dstip=… dstport=137 dstintf=unknown-0 dstintfrole="undefined" sessionid=14191988 proto=17 action="deny" policyid=0 policytype="local-in-policy" service="NetBIOS" dstcountry="Reserved" srccountry="Reserved" trandisp="noop" app="netbios forward" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" devtype="Windows PC" devcategory="Windows Device" osname="Windows" osversion="7" unauthuser="…" unauthusersource="kerberos" mastersrcmac="…" srcmac="…" srcserver=0

I searched the forum and finally tried a rule that looks like below:

rule "fortigate timestamp"
when
    true
then
    // join the FortiGate date and time fields into one string, e.g. "2019-05-15 10:56:59";
    // both fields must already exist on the message (extracted by a key=value parser)
    let build_message_0 = concat(to_string($message.date), " ");
    let build_message_1 = concat(build_message_0, to_string($message.time));
    // Joda pattern: seconds are "ss", not "sss"; the zone is the device's local time
    let new_timestamp = parse_date(value: to_string(build_message_1), pattern: "yyyy-MM-dd HH:mm:ss", timezone: "Europe/Warsaw");
    set_field("timestamp", new_timestamp);
end

But when I simulate it I get an error:

gl2_processing_error
For rule 'fortigate timestamp': In call to function 'parse_date' at 7:20 an exception was thrown: Invalid format: " "

Any ideas what I should change?

Regards
Daniel

(Jan Doberstein) #2

Did you use a key-value parser beforehand to create the fields from the message?
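Putting the two posts together (extract the key=value fields first, then parse date+time in the firewall's zone), as an added Python example that is not part of the thread: it does what the pipeline rule intends, with the seconds pattern corrected, and uses the log's own eventtime epoch to confirm the zone offset, including the DST change between summer and winter. The sample lines are constructed from the one quoted above, with the address fields dropped.

```python
import re
from datetime import datetime
from zoneinfo import ZoneInfo

# Constructed samples modelled on the thread's log line (eventtime is epoch seconds, UTC).
SUMMER = ('date=2019-05-15 time=10:56:59 devname="fw1" type="traffic" subtype="local" '
          'level="notice" eventtime=1557910619 srcport=137 dstintf=unknown-0 action="deny"')
WINTER = ('date=2019-01-15 time=10:56:59 devname="fw1" type="traffic" subtype="local" '
          'level="notice" eventtime=1547546219 srcport=137 dstintf=unknown-0 action="deny"')

# key=value pairs: the value is either double-quoted (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line):
    """Split a FortiGate syslog line into a dict, the job of Graylog's key_value() step."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def fortigate_timestamp(fields, tz="Europe/Warsaw"):
    """Combine date and time as the rule does, but with seconds as 'ss' (not 'sss') and a
    real zone so DST is applied. Fails loudly when the fields were never extracted, which is
    the situation behind the 'Invalid format: " "' error in the thread (empty date field)."""
    if not fields.get("date") or not fields.get("time"):
        raise KeyError("date/time fields missing: run the key=value parser before this rule")
    naive = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=ZoneInfo(tz))


def matches_eventtime(fields, tz="Europe/Warsaw"):
    """Cross-check the zoned timestamp against the firewall's eventtime epoch."""
    event = int(fields["eventtime"])
    if event > 10**12:          # FortiOS 6.2 and later emit eventtime in nanoseconds
        event //= 10**9
    return int(fortigate_timestamp(fields, tz).timestamp()) == event


if __name__ == "__main__":
    for line in (SUMMER, WINTER):
        f = parse_kv(line)
        print(f["date"], f["time"], fortigate_timestamp(f).isoformat(), matches_eventtime(f))
```

A mismatch between the parsed timestamp and eventtime is the quickest sign that the wrong zone, or no zone at all, is configured in the rule.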