[fortinet_fortigate] add option to add timezone for events (#15822)

* add option to add timezone for events

* add PR link to changelog

Author: vinit-chauhan

packages/fortinet_fortigate/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.35.0"
+  changes:
+    - description: Add timezone mapping for Fortinet FortiGate logs.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/15822
 - version: "1.34.1"
   changes:
     - description: Generate processor tags and normalize error handler.

packages/fortinet_fortigate/data_stream/log/agent/stream/log.yml.hbs

@@ -59,3 +59,14 @@ processors:
         - {{network}}
         {{/each}}
 {{/if}}
+
+fields_under_root: true
+fields:
+  _conf:
+{{#if tz_offset}}
+    tz_offset: "{{tz_offset}}"
+{{/if}}
+{{#if tz_map}}
+    tz_map:
+      {{tz_map}}
+{{/if}}

packages/fortinet_fortigate/data_stream/log/agent/stream/tcp.yml.hbs

@@ -60,3 +60,14 @@ processors:
 {{#if tcp_options}}
 {{tcp_options}}
 {{/if}}
+
+fields_under_root: true
+fields:
+  _conf:
+{{#if tz_offset}}
+    tz_offset: "{{tz_offset}}"
+{{/if}}
+{{#if tz_map}}
+    tz_map:
+      {{tz_map}}
+{{/if}}

packages/fortinet_fortigate/data_stream/log/agent/stream/udp.yml.hbs

@@ -57,3 +57,14 @@ processors:
         - {{network}}
         {{/each}}
 {{/if}}
+
+fields_under_root: true
+fields:
+  _conf:
+{{#if tz_offset}}
+    tz_offset: "{{tz_offset}}"
+{{/if}}
+{{#if tz_map}}
+    tz_map:
+      {{tz_map}}
+{{/if}}

packages/fortinet_fortigate/data_stream/log/elasticsearch/ingest_pipeline/default.yml

@@ -151,6 +151,26 @@ processors:
       replacement: $1$2
       ignore_missing: true
       ignore_failure: true
+
+  - set:
+      field: event.timezone
+      copy_from: _conf.tz_offset
+      if: ctx.event?.timezone == null && ctx._conf?.tz_offset != null && ctx._conf.tz_offset != 'local'
+      ignore_empty_value: true
+
+  - script:
+      lang: painless
+      tag: script_tz_mapping
+      if: ctx.event?.timezone == null && ctx._conf?.tz_map != null &&ctx.fortinet?.firewall?.timezone != null && ctx.fortinet?.firewall?.timezone != ''
+      source: |
+        def tz = ctx.fortinet?.firewall?.timezone;
+        for (def item : ctx._conf.tz_map) {
+          if (item.tz_match_value == tz) {
+            ctx.event.timezone = item.tz_replace_value;
+            break;
+          }
+        }
+
   - set:
       tag: set__temp_time_2240d59c
       field: _temp.time
@@ -777,6 +797,7 @@ processors:
       tag: remove_c87f67c3
       field:
         - _temp
+        - _conf
         - fortinet.firewall.tz
         - fortinet.firewall.date
         - fortinet.firewall.devid

packages/fortinet_fortigate/data_stream/log/manifest.yml

@@ -107,6 +107,23 @@ streams:
           #max_message_size: 50KiB
           #max_connections: 1
         description: Specify custom configuration options for the TCP input.
+      - name: tz_offset
+        type: text
+        title: Timezone
+        multi: false
+        required: false
+        show_user: false
+        description: IANA timezone or timezone offset (e.g. `+0200`) to use when interpreting syslog timestamps without a timezone.
+      - name: tz_map
+        type: yaml
+        title: Timezone Map
+        multi: false
+        required: false
+        show_user: false
+        description: A combination of timezones as they appear in the Fortinet FortiGate logs, in combination with a proper IANA Timezone format (for example, Australia/Sydney or +10:00).
+        default: |
+          #- tz_match_value: (GMT+3:00)Kuwait,Riyadh
+          #  tz_replace_value: Asia/Kuwait
     template_path: tcp.yml.hbs
     title: Fortinet firewall logs (tcp)
     description: Collect Fortinet firewall logs using tcp input
@@ -187,6 +204,23 @@ streams:
         description: >
           Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
 
+      - name: tz_offset
+        type: text
+        title: Timezone
+        multi: false
+        required: false
+        show_user: false
+        description: IANA timezone or timezone offset (e.g. `+0200`) to use when interpreting syslog timestamps without a timezone.
+      - name: tz_map
+        type: yaml
+        title: Timezone Map
+        multi: false
+        required: false
+        show_user: false
+        description: A combination of timezones as they appear in the Fortinet FortiGate logs, in combination with a proper IANA Timezone format (for example, Australia/Sydney or +10:00).
+        default: |
+          #- tz_match_value: (GMT+3:00)Kuwait,Riyadh
+          #  tz_replace_value: Asia/Kuwait
     template_path: udp.yml.hbs
     title: Fortinet firewall logs (udp)
     description: Collect Fortinet firewall logs using udp input
@@ -249,6 +283,23 @@ streams:
         description: >
           Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
 
+      - name: tz_offset
+        type: text
+        title: Timezone
+        multi: false
+        required: false
+        show_user: false
+        description: IANA timezone or timezone offset (e.g. `+0200`) to use when interpreting syslog timestamps without a timezone.
+      - name: tz_map
+        type: yaml
+        title: Timezone Map
+        multi: false
+        required: false
+        show_user: false
+        description: A combination of timezones as they appear in the Fortinet FortiGate logs, in combination with a proper IANA Timezone format (for example, Australia/Sydney or +10:00).
+        default: |
+          #- tz_match_value: (GMT+3:00)Kuwait,Riyadh
+          #  tz_replace_value: Asia/Kuwait
     template_path: log.yml.hbs
     title: Fortinet FortiGate logs (log)
     description: Collect Fortinet FortiGate logs using log input

packages/fortinet_fortigate/manifest.yml

@@ -1,6 +1,6 @@
 name: fortinet_fortigate
 title: Fortinet FortiGate Firewall Logs
-version: "1.34.1"
+version: "1.35.0"
 description: Collect logs from Fortinet FortiGate firewalls with Elastic Agent.
 type: integration
 format_version: "3.0.3"