Use event.timezone in all date processors
marc-gr committed Jun 30, 2021
1 parent 26bd10e commit 414c2f9
Showing 4 changed files with 95 additions and 65 deletions.
12 changes: 6 additions & 6 deletions x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml
Expand Up @@ -76,27 +76,27 @@ processors:
target_field: event.start
formats:
- UNIX_MS
timezone: "{{fortinet.firewall.tz}}"
if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz != null && (ctx.fortinet?.firewall?.eventtime).length() > 11"
timezone: "{{event.timezone}}"
if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.event?.timezone != null && (ctx.fortinet?.firewall?.eventtime).length() > 11"
- date:
field: fortinet.firewall.eventtime
target_field: event.start
formats:
- UNIX
timezone: "{{fortinet.firewall.tz}}"
if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz != null && (ctx.fortinet?.firewall?.eventtime).length() <= 11"
timezone: "{{event.timezone}}"
if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.event?.timezone != null && (ctx.fortinet?.firewall?.eventtime).length() <= 11"
- date:
field: fortinet.firewall.eventtime
target_field: event.start
formats:
- UNIX_MS
if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz == null && (ctx.fortinet?.firewall?.eventtime).length() > 11"
if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.event?.timezone == null && (ctx.fortinet?.firewall?.eventtime).length() > 11"
- date:
field: fortinet.firewall.eventtime
target_field: event.start
formats:
- UNIX
if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.fortinet?.firewall?.tz == null && (ctx.fortinet?.firewall?.eventtime).length() <= 11"
if: "ctx?.fortinet?.firewall?.eventtime != null && ctx.event?.timezone == null && (ctx.fortinet?.firewall?.eventtime).length() <= 11"
- script:
lang: painless
source: "ctx.event.duration = Long.parseLong(ctx.fortinet.firewall.duration) * 1000000000"
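Review bot: The four near-identical `date` processors in this hunk carry no comment explaining why they exist, and the new `ctx.event?.timezone != null` / `== null` split makes the intent harder to read than the old per-field check did. I would add above the first of them `# eventtime is epoch seconds (<= 11 chars) or epoch millis (> 11 chars); the variants with/without timezone only differ in how event.start is rendered, so keep all four in sync`. The fixture updates in this commit show the same instant re-rendered with a -02:00 offset rather than shifted, which suggests the timezone is presentational for the UNIX/UNIX_MS formats, but that should be confirmed against the date processor semantics before the comment states it as fact. The `(ctx.fortinet?.firewall?.eventtime).length()` calls assume the field is still a string; if an earlier processor ever converts it to a number every one of these conditions throws, and whether the pipeline's `on_failure` catches that is outside this hunk. The `processors:` list starts before this hunk and continues past it.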
Expand Up @@ -635,7 +635,7 @@
]
},
{
"@timestamp": "2020-11-02T08:11:38.000Z",
"@timestamp": "2020-11-02T08:11:38.000-02:00",
"destination.as.number": 15169,
"destination.as.organization.name": "Google LLC",
"destination.geo.continent_name": "North America",
Expand All @@ -654,6 +654,7 @@
"event.kind": "event",
"event.module": "fortinet",
"event.outcome": "success",
"event.timezone": "-02:00",
"event.type": [
"connection"
],
Expand Down Expand Up @@ -696,15 +697,16 @@
]
},
{
"@timestamp": "2019-05-13T11:20:54.000Z",
"@timestamp": "2019-05-13T11:20:54.000-02:00",
"destination.ip": "172.16.200.2",
"event.action": "login",
"event.code": "0100032001",
"event.dataset": "fortinet.firewall",
"event.kind": "event",
"event.module": "fortinet",
"event.reason": "none",
"event.start": "2019-05-13T18:20:54.587Z",
"event.start": "2019-05-13T16:20:54.587-02:00",
"event.timezone": "-02:00",
"fileset.name": "firewall",
"fortinet.firewall.action": "login",
"fortinet.firewall.method": "ssh",
Expand Down Expand Up @@ -740,7 +742,7 @@
]
},
{
"@timestamp": "2019-05-13T14:21:42.000Z",
"@timestamp": "2019-05-13T14:21:42.000-02:00",
"destination.as.number": 7065,
"destination.as.organization.name": "Sonoma Interconnect",
"destination.geo.city_name": "North Highlands",
Expand All @@ -762,7 +764,8 @@
"event.kind": "event",
"event.module": "fortinet",
"event.outcome": "success",
"event.start": "2019-05-13T21:21:42.722Z",
"event.start": "2019-05-13T19:21:42.722-02:00",
"event.timezone": "-02:00",
"event.type": [
"connection"
],
Expand Down Expand Up @@ -813,7 +816,7 @@
]
},
{
"@timestamp": "2019-05-13T15:55:56.000Z",
"@timestamp": "2019-05-13T15:55:56.000-02:00",
"destination.ip": "172.16.200.55",
"event.action": "authentication",
"event.category": [
Expand All @@ -823,7 +826,8 @@
"event.dataset": "fortinet.firewall",
"event.kind": "event",
"event.module": "fortinet",
"event.start": "2019-05-13T22:55:56.913Z",
"event.start": "2019-05-13T20:55:56.913-02:00",
"event.timezone": "-02:00",
"fileset.name": "firewall",
"fortinet.firewall.action": "authentication",
"fortinet.firewall.authproto": "TELNET(10.1.100.11)",
Expand Down Expand Up @@ -859,13 +863,14 @@
]
},
{
"@timestamp": "2019-05-14T08:32:13.000Z",
"@timestamp": "2019-05-14T08:32:13.000-02:00",
"event.action": "add",
"event.code": "0107045057",
"event.dataset": "fortinet.firewall",
"event.kind": "event",
"event.module": "fortinet",
"event.start": "2019-05-14T15:32:13.900Z",
"event.start": "2019-05-14T13:32:13.900-02:00",
"event.timezone": "-02:00",
"fileset.name": "firewall",
"fortinet.firewall.action": "add",
"fortinet.firewall.connection_type": "sslvpn",
Expand Down Expand Up @@ -898,13 +903,14 @@
]
},
{
"@timestamp": "2019-05-14T08:19:38.000Z",
"@timestamp": "2019-05-14T08:19:38.000-02:00",
"event.action": "close",
"event.code": "0107045058",
"event.dataset": "fortinet.firewall",
"event.kind": "event",
"event.module": "fortinet",
"event.start": "2019-05-14T15:19:39.037Z",
"event.start": "2019-05-14T13:19:39.037-02:00",
"event.timezone": "-02:00",
"fileset.name": "firewall",
"fortinet.firewall.action": "close",
"fortinet.firewall.connection_type": "sslvpn",
@@ -1,6 +1,6 @@
[
{
"@timestamp": "2020-04-23T01:16:08.000Z",
"@timestamp": "2020-04-23T01:16:08.000-02:00",
"destination.as.number": 15169,
"destination.as.organization.name": "Google LLC",
"destination.bytes": 0,
Expand All @@ -21,7 +21,8 @@
"event.kind": "event",
"event.module": "fortinet",
"event.outcome": "success",
"event.start": "2020-06-24T01:16:08.000Z",
"event.start": "2020-06-23T23:16:08.000-02:00",
"event.timezone": "-02:00",
"event.type": [
"connection",
"denied",
Expand Down Expand Up @@ -581,7 +582,7 @@
]
},
{
"@timestamp": "2019-03-31T06:42:54.000Z",
"@timestamp": "2019-03-31T06:42:54.000-02:00",
"destination.bytes": 0,
"destination.ip": "230.1.1.2",
"destination.packets": 0,
Expand All @@ -596,7 +597,8 @@
"event.kind": "event",
"event.module": "fortinet",
"event.outcome": "success",
"event.start": "2019-03-31T13:42:52.000Z",
"event.start": "2019-03-31T11:42:52.000-02:00",
"event.timezone": "-02:00",
"event.type": [
"allowed",
"connection",
Expand Down Expand Up @@ -644,7 +646,7 @@
]
},
{
"@timestamp": "2019-05-10T14:18:54.000Z",
"@timestamp": "2019-05-10T14:18:54.000-02:00",
"destination.as.number": 20940,
"destination.as.organization.name": "Akamai International B.V.",
"destination.bytes": 0,
Expand All @@ -666,7 +668,8 @@
"event.kind": "event",
"event.module": "fortinet",
"event.outcome": "success",
"event.start": "2019-05-10T21:18:54.021Z",
"event.start": "2019-05-10T19:18:54.021-02:00",
"event.timezone": "-02:00",
"event.type": [
"connection",
"end"
Expand Down Expand Up @@ -732,7 +735,7 @@
]
},
{
"@timestamp": "2019-05-13T11:45:04.000Z",
"@timestamp": "2019-05-13T11:45:04.000-02:00",
"destination.bytes": 2286,
"destination.ip": "172.16.200.55",
"destination.packets": 6,
Expand All @@ -747,7 +750,8 @@
"event.kind": "event",
"event.module": "fortinet",
"event.outcome": "success",
"event.start": "2019-05-13T18:45:04.815Z",
"event.start": "2019-05-13T16:45:04.815-02:00",
"event.timezone": "-02:00",
"event.type": [
"connection",
"denied",
Expand Down Expand Up @@ -819,7 +823,7 @@
]
},
{
"@timestamp": "2019-05-13T16:29:50.000Z",
"@timestamp": "2019-05-13T16:29:50.000-02:00",
"destination.as.number": 42831,
"destination.as.organization.name": "UK Dedicated Servers Limited",
"destination.bytes": 3138,
Expand All @@ -844,7 +848,8 @@
"event.kind": "event",
"event.module": "fortinet",
"event.outcome": "success",
"event.start": "2019-05-13T23:29:50.452Z",
"event.start": "2019-05-13T21:29:50.452-02:00",
"event.timezone": "-02:00",
"event.type": [
"connection",
"denied",
Expand Down Expand Up @@ -906,7 +911,7 @@
]
},
{
"@timestamp": "2019-05-15T17:58:10.000Z",
"@timestamp": "2019-05-15T17:58:10.000-02:00",
"destination.bytes": 9112,
"destination.ip": "172.16.200.55",
"destination.packets": 8,
Expand All @@ -921,7 +926,8 @@
"event.kind": "event",
"event.module": "fortinet",
"event.outcome": "success",
"event.start": "2019-05-16T00:58:09.000Z",
"event.start": "2019-05-15T22:58:09.000-02:00",
"event.timezone": "-02:00",
"event.type": [
"connection",
"denied",
Expand Down Expand Up @@ -984,7 +990,7 @@
]
},
{
"@timestamp": "2019-05-15T17:45:34.000Z",
"@timestamp": "2019-05-15T17:45:34.000-02:00",
"destination.as.number": 16509,
"destination.as.organization.name": "Amazon.com, Inc.",
"destination.bytes": 5266,
Expand All @@ -1009,7 +1015,8 @@
"event.kind": "event",
"event.module": "fortinet",
"event.outcome": "success",
"event.start": "2019-05-16T00:45:34.000Z",
"event.start": "2019-05-15T22:45:34.000-02:00",
"event.timezone": "-02:00",
"event.type": [
"connection",
"denied",