Timestamp is still +2 and the timestamp in the log message still has a Z behind it.
Using this now:
rule "fortigate timestamp"
when
    has_field("devname") && has_field("date") && has_field("time")
then
    // Fortigate sends the date and time as two separate fields; join them with a space
    let build_message_0 = concat(to_string($message.date), " ");
    let build_message_1 = concat(build_message_0, to_string($message.time));
    // Parse as device-local time (seconds are two digits, so the pattern is "ss", not "sss")
    // and use the exact IANA zone id, otherwise the zone is not applied
    let new_timestamp = parse_date(value: to_string(build_message_1), pattern: "yyyy-MM-dd HH:mm:ss", timezone: "Europe/Amsterdam");
    set_field("timestamp", new_timestamp);
end
In which log files should I look?
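Added example (not part of the post above, and not Graylog's own code): a small Python script that reproduces what the rule is meant to do, so the two symptoms can be told apart. It joins a constructed Fortigate-style date and time pair, attaches the device's local zone, and converts to UTC the way Graylog stores timestamps. The trailing Z is simply the UTC marker and is expected; the "+2" symptom appears when the local time is stored as if it were already UTC, which is what `as_if_utc` shows. It also checks whether a zone id is actually known to the IANA database, since a misspelled zone is never applied. Sample values and function names are assumptions made for the example.

```python
from datetime import datetime, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

# Constructed sample values in the same shape as Fortigate's "date" and "time" fields.
SAMPLE_DATE = "2023-06-15"
SAMPLE_TIME = "14:30:07"

# Same semantics as the Joda pattern "yyyy-MM-dd HH:mm:ss" used by parse_date().
PATTERN = "%Y-%m-%d %H:%M:%S"


def zone_is_valid(zone: str) -> bool:
    """True when the zone id exists in the IANA tz database (e.g. 'Europe/Amsterdam')."""
    try:
        ZoneInfo(zone)
        return True
    except ZoneInfoNotFoundError:
        return False


def build_local_timestamp(date_field: str, time_field: str, zone: str = "Europe/Amsterdam") -> datetime:
    """Mirror the rule: concat(date, " ", time), parse it, and attach the device's local zone."""
    naive = datetime.strptime(f"{date_field} {time_field}", PATTERN)
    return naive.replace(tzinfo=ZoneInfo(zone))


def to_graylog_utc(ts: datetime) -> str:
    """Graylog normalises timestamps to UTC; the trailing 'Z' is that UTC marker, not an error."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def as_if_utc(date_field: str, time_field: str) -> str:
    """The failure mode: the local wall-clock time is stored unchanged and labelled UTC.
    In summer (CEST) this is exactly 2 hours later than the correct value."""
    naive = datetime.strptime(f"{date_field} {time_field}", PATTERN)
    return naive.replace(tzinfo=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def offset_hours(ts: datetime) -> float:
    """Hours east of UTC that the attached zone applied at that instant."""
    return ts.utcoffset().total_seconds() / 3600


if __name__ == "__main__":
    local = build_local_timestamp(SAMPLE_DATE, SAMPLE_TIME)
    print("zone applied, offset:", offset_hours(local))      # 2.0 in June (CEST)
    print("correct stored value:", to_graylog_utc(local))    # 2023-06-15T12:30:07.000Z
    print("symptom (+2 hours): ", as_if_utc(SAMPLE_DATE, SAMPLE_TIME))
    print("Europe/Amsterdam valid:", zone_is_valid("Europe/Amsterdam"))
```

If the stored value matches the `as_if_utc` line rather than the `to_graylog_utc` line, the zone in the rule was not applied; checking the zone id with `zone_is_valid` is the first thing to rule out.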