[Fortinet] Add support for Fortigate 7.6 events and misc improvements#18218
[Fortinet] Add support for Fortigate 7.6 events and misc improvements#18218dot-mike wants to merge 12 commits intoelastic:mainfrom
Conversation
ReviewersBuildkite won't run for external contributors automatically; you need to add a comment:
NOTE: https://github.com/elastic/integrations/blob/main/.buildkite/pull-requests.json contains all those details. |
andrewkroh
added
Integration:fortinet_fortigate
|
Pinging @elastic/integration-experience (Team:Integration-Experience) |
dot-mike
changed the title
andrewkroh
left a comment
andrewkroh
left a comment
There was a problem hiding this comment.
The change also needs a changelog entry and version bump in manifest.yml. You can use elastic-package changelog add to accomplish this.
dot-mike
force-pushed
the
fortinet-fortigate-7.6
branch
from
96cd779 to
bf18593
Compare
|
@andrewkroh done. Thanks! |
|
/test |
|
/test |
|
The CI failure is because the readme needs to be regenerated with the newly added field, so you need to run
to update it. |
|
Done, thanks @andrewkroh ! I learned something new |
![macroscopeapp[bot]](https://avatars.githubusercontent.com/in/900172?s=60&v=4){kind=small}
| "preserve_original_event" | ||
| ] | ||
| }, | ||
| { |
There was a problem hiding this comment.
🟡 Medium pipeline/test-fortinet-7-6.log-expected.json:798
The last test event (starting at line 798) is missing the @timestamp field while all other 12 events in this file include it. This occurs because the input log entry uses RFC5424 syslog format (<13>1 2026-04-07T12:02:23+02:00 ...) but the Fortigate-specific date= and time= fields are malformed as time=12 - - - 02:22 without a date= field. The test passes because the expected output matches the actual malformed parsing result, but this silently tests corrupted-data handling instead of validating proper 7.6 syslog format parsing. Missing @timestamp causes time-based indexing failures in Elasticsearch.
🤖 Copy this AI Prompt to have your agent fix this:
In file packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet-7-6.log-expected.json around line 798:
The last test event (starting at line 798) is missing the `@timestamp` field while all other 12 events in this file include it. This occurs because the input log entry uses RFC5424 syslog format (`<13>1 2026-04-07T12:02:23+02:00 ...`) but the Fortigate-specific `date=` and `time=` fields are malformed as `time=12 - - - 02:22` without a `date=` field. The test passes because the expected output matches the actual malformed parsing result, but this silently tests corrupted-data handling instead of validating proper 7.6 syslog format parsing. Missing `@timestamp` causes time-based indexing failures in Elasticsearch.
|
I have one request @andrewkroh I would like to set event.action from logid.yml mapping so we get proper action, either success or failed: I know this may break peoples integration when |
|
That would be a breaking change to modify the existing I would not do it in this pull request, but if we wanted to make it consistent, then you can probably do that as a separate breaking-change PR and bump the major version. We should do a bit of research to check the impact, like check the elastic/detection-roles to see if there's anything in there that's already depending on the value. Similarly, check if we have any visualizations or dashboards in the package itself that are dependent upon specific |
|
/test |
andrewkroh
added
the
documentation
🚀 Benchmarks reportTo see the full report comment with |
💚 Build Succeeded
History
|
I thought so. Thanks for the clarification. Will revise in the future. For now I will apply this to my |
3 participants
Proposed commit message
Adds definitions for 7.6 event fields
Adds 7.6 events test coverage
Adds
event.codemapping toevent.actionImprove
event.outcome&event.typefor failure & error events.Checklist
changelog.ymlfile.Author's Checklist
How to test this PR locally
Related issues
Screenshots