Fortigate changed eventtime from seconds to nanoseconds

I have a pipeline for our FortiGates, which worked perfectly.
Now we have 2 new firewalls on FortiOS 6.4, and it changes the year to 2038.
Doing some research, it seems that FortiOS, from 6.2 and higher, uses nanoseconds instead of seconds.
https://docs.fortinet.com/document/fortigate/6.2.0/technical-tip-event-time-display-in-the-logs/21/fd47787

Description
This article describes the event time log stamp display in the event logs.
Solution
In 6.0.x and earlier versions the event time was displayed in seconds.
In 6.2.x versions the display has been changed to nanoseconds.

What I use:

rule "Epoch Convert"
when
  has_field("devname") && has_field("date") && has_field("time") && has_field("eventtime")
then
  // Unix epoch as a date, so that a seconds offset can be added to it
  let epoch = parse_date("1970-01-01 00:00:00.000Z", "yyyy-MM-dd' 'HH:mm:ss.SSSZ");
  // eventtime is assumed to be in seconds here (FortiOS 6.0.x and earlier)
  let ts_seconds = seconds(to_long($message.eventtime));
  set_field("epoch_timestamp", epoch + ts_seconds);
  set_field("timestamp", epoch + ts_seconds);
end

But like I said, that doesn't work anymore.
So how do I go from nanoseconds to regular seconds?

I think it's very simple and straightforward: simply divide the unix timestamp in nanoseconds by 1000000 and you have milliseconds. Then use it in the function parse_unix_milliseconds()

rule "Epoch Convert"
when
  has_field("devname") && has_field("date") && has_field("time") && has_field("eventtime")
then
  // FortiOS 6.2+ writes eventtime in nanoseconds; 1 ms = 1,000,000 ns
  let ts_millis = to_long($message.eventtime) / 1000000;
  let new_date = parse_unix_milliseconds(ts_millis);
  set_field("epoch_timestamp", new_date);
  set_field("timestamp", new_date);
end
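As an added example (not code from this thread or from Graylog), here is the same conversion in Python, generalized so that one function handles both firewall generations: it decides by magnitude whether eventtime was logged in seconds (FortiOS 6.0.x) or nanoseconds (6.2+) and normalizes to milliseconds before building the timestamp. The magnitude thresholds, the key=value parser and the two sample log lines are assumptions constructed for this example.

```python
from datetime import datetime, timedelta, timezone

# Magnitude thresholds are an assumption of this example: a Unix time in
# seconds stays below 1e11 until the year 5138, so any larger value must be
# a finer unit. FortiOS 6.0.x writes seconds, FortiOS 6.2+ writes nanoseconds.
SECONDS_LIMIT = 10**11
MILLIS_LIMIT = 10**14
MICROS_LIMIT = 10**17


def eventtime_to_millis(eventtime):
    """Normalize a FortiGate eventtime (seconds or nanoseconds) to Unix milliseconds."""
    value = int(eventtime)
    if value < 0:
        raise ValueError(f"negative eventtime: {eventtime!r}")
    if value < SECONDS_LIMIT:        # FortiOS 6.0.x and earlier: seconds
        return value * 1000
    if value < MILLIS_LIMIT:         # milliseconds (handled for completeness)
        return value
    if value < MICROS_LIMIT:         # microseconds
        return value // 1000
    return value // 1_000_000        # FortiOS 6.2+: nanoseconds


def eventtime_to_datetime(eventtime):
    """Return an aware UTC datetime, like parse_unix_milliseconds() in the rule."""
    millis = eventtime_to_millis(eventtime)
    base = datetime.fromtimestamp(millis // 1000, tz=timezone.utc)
    return base + timedelta(milliseconds=millis % 1000)


def parse_fortigate_line(line):
    """Parse a key=value FortiGate log line (constructed format) into a dict."""
    fields = {}
    for token in line.split():
        key, sep, val = token.partition("=")
        if sep:
            fields[key] = val.strip('"')
    return fields


# Constructed sample lines: one in the 6.0.x seconds format, one in the 6.2+ nanosecond format.
SAMPLE_60 = 'date=2020-06-24 time=12:00:00 devname="fw-old" eventtime=1593000000'
SAMPLE_64 = 'date=2020-06-24 time=12:00:00 devname="fw-new" eventtime=1593000000123456789'


def normalize_timestamp(line):
    """Equivalent of the pipeline rule: set timestamp from eventtime, whatever its unit."""
    fields = parse_fortigate_line(line)
    fields["timestamp"] = eventtime_to_datetime(fields["eventtime"]).isoformat(timespec="milliseconds")
    return fields
```

Both sample lines normalize to 2020-06-24T12:00:00 UTC, the nanosecond one keeping its .123 millisecond fraction.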
