[Filebeat][Fortinet] Remove pre populated event.timezone #20273
marc-gr merged 3 commits into elastic:master from
Conversation
Pinging @elastic/siem (Team:SIEM)
cd22e5a to 76b774a
andrewkroh left a comment
I think event.timezone is being populated by the module with the beats add_locale processor. So if the field needs to be removed then we should remove this processor so that the field is never set with the wrong value.
Good catch, will change it, thanks!
76b774a to cae41b1
So if I understand this correctly, Fortinet logs may or may not have a tz. If the tz is there, ingested dates will be relative to that. If it isn't, with this change, we'll assume dates are GMT. Before this change, dates were interpreted as local to the system running Filebeat. I don't think this is a good or bad idea, just that we might find customers with different needs. At some point we need to review how the modules behave regarding timezones and possibly add a common setting (
Exactly that
I agree, there is this new ticket to add this possibility to Fortinet #20300; maybe it could be changed to extend this option more generally.
* Remove pre populated event.timezone
* Add changelog entry
* Remove processor instead of the field

(cherry picked from commit b1b7860)
…ne-2.0
* upstream/master:
[Elastic Agent] Add skeleton for client/server for agent control protocol (elastic#20163)
Auditbeat: Allow multiple instances by grouping kprobes by PID (elastic#20325)
[Filebeat][Fortinet] Remove pre populated event.timezone (elastic#20273)
…allation
* upstream/master:
Check expand_event_list_from_field when json in map[string]interface{} format (elastic#20370)
[docs] Remove deprecated security roles (elastic#20162)
Modify doc in app_insights metricset (elastic#20185)
[Elastic Agent] Add skeleton for client/server for agent control protocol (elastic#20163)
Auditbeat: Allow multiple instances by grouping kprobes by PID (elastic#20325)
[Filebeat][Fortinet] Remove pre populated event.timezone (elastic#20273)
Add an explicit system test for processes on unix systems (elastic#20320)
* Remove pre populated event.timezone
* Add changelog entry
* Remove processor instead of the field
…) (elastic#20347)
* Remove pre populated event.timezone
* Add changelog entry
* Remove processor instead of the field

(cherry picked from commit 61b0730)
What does this PR do?
Removes the pre populated event.timezone field.
Why is it important?
Some Fortinet logs do not have a tz field to set as event.timezone; when this happens, event.timezone was incorrectly set to the system default instead of UTC or none (which represents UTC). With this change event.timezone will only be set when the log has a timezone itself.
Checklist
- [ ] My code follows the style guidelines of this project
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [ ] I have made corresponding change to the default configuration files
CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.
How to test this PR locally
cd x-pack/filebeat
TESTING_FILEBEAT_MODULES=fortinet mage pythonIntegTest
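To illustrate the timestamp behaviour this PR changes, here is an added example (not code from the Beats repository or the Fortinet module): it parses constructed Fortinet-style key=value lines, honours the tz field when one is present, falls back to UTC otherwise, and measures the skew the old host-local fallback would have introduced. The sample lines and the UTC+2 host zone are constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the key=value style of Fortinet logs;
# the first carries a tz field, the second does not.
SAMPLE_LOGS = [
    'date=2020-07-28 time=14:05:09 devname="fw1" tz="+0200" type=traffic',
    'date=2020-07-28 time=14:05:09 devname="fw1" type=traffic',
]

# Constructed: the zone of the host running Filebeat (UTC+2), which is what
# the removed add_locale processor used to write into event.timezone.
HOST_ZONE_UTC_PLUS_2 = timezone(timedelta(hours=2))

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Split a key=value line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def tz_from_field(tz):
    """Turn a '+HHMM' / '-HHMM' tz value into a fixed-offset tzinfo."""
    sign = -1 if tz[0] == '-' else 1
    hours, minutes = int(tz[1:3]), int(tz[3:5])
    return timezone(sign * timedelta(hours=hours, minutes=minutes))


def event_timestamp(line, fallback=timezone.utc):
    """Return the event's @timestamp as an aware UTC datetime.

    The log's own tz field wins when present; otherwise `fallback` applies.
    After this PR the fallback is UTC; passing the host zone instead
    simulates the pre-PR behaviour.
    """
    fields = parse_kv(line)
    tz = tz_from_field(fields['tz']) if 'tz' in fields else fallback
    naive = datetime.strptime(fields['date'] + ' ' + fields['time'], '%Y-%m-%d %H:%M:%S')
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)


def skew_seconds(line, host_zone):
    """Seconds by which the old host-local fallback shifts the event relative to UTC."""
    new = event_timestamp(line)
    old = event_timestamp(line, fallback=host_zone)
    return int((old - new).total_seconds())


if __name__ == '__main__':
    for line in SAMPLE_LOGS:
        print(event_timestamp(line).isoformat(), 'skew(s) =', skew_seconds(line, HOST_ZONE_UTC_PLUS_2))
```

The line without a tz field is the one that moves: on a UTC+2 host the old behaviour shifts it two hours earlier than the same line ingested as UTC, which is the inconsistency the PR removes.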