[fortinet_fortigate] add hostname parsing for syslog (#11678)

- The current parser is not processing the hostname field of syslog messages, so in some cases, the observer.name field remains empty. Added support for parsing out the hostname field of syslog messages and placing it into the observer.name field.

---------

Co-authored-by: Taylor Swanson <[email protected]>
Co-authored-by: Andrew Kroh <[email protected]>

packages/fortinet_fortigate/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.27.0"
+  changes:
+    - description: Add hostname parsing for syslog.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/11678
 - version: "1.26.0"
   changes:
     - description: Swap destination and source for vpn event type.

packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet-7-4.log-expected.json

@@ -5606,6 +5606,7 @@
                         "name": "az-b"
                     }
                 },
+                "name": "use2-dmz-fw02",
                 "product": "Fortigate",
                 "type": "firewall",
                 "vendor": "Fortinet"

packages/fortinet_fortigate/data_stream/log/elasticsearch/ingest_pipeline/default.yml

@@ -13,7 +13,8 @@ processors:
       field: event.original
       ecs_compatibility: v1
       patterns:
-        - "^(?:%{SYSLOG5424PRI} *)?%{GREEDYDATA:syslog5424_sd}$"
+        - "^(?:%{SYSLOG5424PRI}%{NONNEGINT} )+(?:%{TIMESTAMP_ISO8601}|-) +(?:%{HOSTNAME:syslog5424_host}|-) +(-|%{SYSLOG5424PRINTASCII}) +(-|%{SYSLOG5424PRINTASCII}) +(-|%{SYSLOG5424PRINTASCII}) +(-|%{SYSLOG5424PRINTASCII}) +(?:%{GREEDYDATA:syslog5424_msg}|-|)"
+        - "^(?:%{SYSLOG5424PRI} *)?%{GREEDYDATA:syslog5424_msg}$"
   - script:
       lang: painless
       source: |
@@ -26,14 +27,14 @@ processors:
           ctx.log.syslog['facility'] = facility;
         }
   - gsub:
-      field: syslog5424_sd
+      field: syslog5424_msg
       pattern: "[\u0000-\u001F\u007F]"
       replacement: ""
   - script:
       lang: painless
-      if: ctx.syslog5424_sd != null
+      if: ctx.syslog5424_msg != null
       description: |
-        Splits syslog5424_sd KV list by space and then each by "=" taking into account quoted values.
+        Splits syslog5424_msg KV list by space and then each by "=" taking into account quoted values.
       source: |
         def splitUnquoted(String input, String sep) {
           def tokens = [];
@@ -60,7 +61,7 @@ processors:
           return tokens;
         }
 
-        def arr = splitUnquoted(ctx.syslog5424_sd, " ");
+        def arr = splitUnquoted(ctx.syslog5424_msg, " ");
 
         Map map = new HashMap();
         Pattern pattern = /^\"|\"$/;
@@ -176,6 +177,16 @@ processors:
       field: fortinet.firewall.devname
       target_field: observer.name
       ignore_missing: true
+  - rename:
+      field: syslog5424_host
+      target_field: observer.name
+      if: ctx.observer?.name == null && ctx.syslog5424_host !== null
+      ignore_missing: true
+  - remove:
+      field:
+        - syslog5424_host
+        - syslog5424_msg
+      ignore_missing: true
   - script:
       lang: painless
       source: "ctx.event.duration = Long.parseLong(ctx.fortinet.firewall.duration) * 1000000000"
@@ -655,7 +666,6 @@ processors:
   - remove:
       field:
         - _temp
-        - syslog5424_sd
         - fortinet.firewall.tz
         - fortinet.firewall.date
         - fortinet.firewall.devid

packages/fortinet_fortigate/manifest.yml

@@ -1,6 +1,6 @@
 name: fortinet_fortigate
 title: Fortinet FortiGate Firewall Logs
-version: "1.26.0"
+version: "1.27.0"
 description: Collect logs from Fortinet FortiGate firewalls with Elastic Agent.
 type: integration
 format_version: "3.0.3"