Describe the enhancement:
The Filebeat CEF module is missing the option to set a timezone offset and the module is not taking into account the event.timezone in the ingest pipeline.
Describe a specific use case for the enhancement or feature:
Set the correct timezone via the event.timezone field, eg. like:
or
- add_fields:
target: "event"
fields:
timezone: "Europe/Amsterdam"
The @timestamp should align with this.
Log:
<143>Aug 04 2021 11:31:32 192.168.200.1 CEF:0|Aruba Networks|ClearPass|6.8.7.120583|2002|RADIUS Accounting|1|cat=Session Logs dvc=192.168.200.1 duser=ffe1a1c54fff src=192.168.100.1 spt=23 cs3=Ethernet cs3Label=Port Type dmac=3C-FF-FF-C5-FF-1B dst=192.168.100.1 cs1=0005000FF7DF cs1Label=Session Id start=12976 out=2399580 in=1660906 cn2=1671542075 cn2Label=Output Octets cn1=1132738271 cn1Label=Input Octets ArubaClearpassRADIUSAcctServiceName=Framed-User rt=Aug 04 2021 11:31:15 ArubaClearpassRADIUSAcctAuthentic=RADIUS
event.ingested: Aug 4, 2021 @ 11:31:45.324
@timestamp: Aug 4, 2021 @ 13:31:15.000 (wrong)
In this case event.ingested is taken from the CEF field rt, that is translated to the field cef.extensions.deviceReceiptTime
The source is sending in UTC+2 timezone.
Describe the enhancement:
The Filebeat CEF module is missing the option to set a timezone offset and the module is not taking into account the
event.timezonein the ingest pipeline.Describe a specific use case for the enhancement or feature:
Set the correct timezone via the
event.timezonefield, eg. like:or
The
@timestampshould align with this.Log:
event.ingested: Aug 4, 2021 @ 11:31:45.324@timestamp: Aug 4, 2021 @ 13:31:15.000 (wrong)In this case event.ingested is taken from the CEF field
rt, that is translated to the fieldcef.extensions.deviceReceiptTimeThe source is sending in UTC+2 timezone.