From bd3c1aa8fd3559e9ed2423a02ea3d21480315ad1 Mon Sep 17 00:00:00 2001
From: Luca Belluccini
Date: Fri, 6 Sep 2019 17:06:51 +0200
Subject: [PATCH] Fixes parsing of @timestamp for Elasticsearch Audit JSON logs
Fixes parsing of @timestamp for Elasticsearch Audit JSON logs. E.g. of logs:
```
{"@timestamp":"2019-09-05T14:02:37,921", "node.id":"UwRu4mReRtyJO1-FWAPvIQ", "event.type":"transport", "event.action":"authentication_success", "user.name":"_system", "origin.type":"local_node", "origin.address":"127.0.0.1:9300", "realm":"__fallback", "request.id":"474ZciqtQteOhjLO3OdZIw", "action":"indices:monitor/stats", "request.name":"IndicesStatsRequest"}
```
---
 .../elasticsearch/audit/ingest/pipeline-json.json | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/filebeat/module/elasticsearch/audit/ingest/pipeline-json.json b/filebeat/module/elasticsearch/audit/ingest/pipeline-json.json
index f0cf48a19ff..0089cce66f9 100644
--- a/filebeat/module/elasticsearch/audit/ingest/pipeline-json.json
+++ b/filebeat/module/elasticsearch/audit/ingest/pipeline-json.json
@@ -196,10 +196,22 @@
 "field": "elasticsearch.audit.@timestamp",
 "target_field": "@timestamp",
 "formats": [
- "ISO8601"
+ "yyyy-MM-dd'T'HH:mm:ss,SSS"
 ],
 "ignore_failure": true
 }
+ },
+ {
+ "date": {
+ "if": "ctx.event.timezone != null",
+ "field": "elasticsearch.audit.@timestamp",
+ "target_field": "@timestamp",
+ "formats": [
+ "yyyy-MM-dd'T'HH:mm:ss,SSS"
+ ],
+ "timezone": "{{ event.timezone }}",
+ "on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
+ }
 }
 ],
 "on_failure": [
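Review bot: The first date processor keeps `"ignore_failure": true` while the processor added below it records parse failures in `error.message`, so now that the format is narrowed from `ISO8601` to the literal `yyyy-MM-dd'T'HH:mm:ss,SSS` pattern, an audit line whose timestamp uses a different separator or carries an offset is silently left without a parsed `@timestamp` on the no-timezone path but flagged on the timezone path; that first processor's opening lines, including its own `if`, lie before the hunk. For an audit pipeline a wrong timestamp with no error marker is the worse outcome for any later timeline reconstruction, so I would replace the `ignore_failure` line with the same `"on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]` used in the new processor, and consider listing `"ISO8601"` after the new pattern in both `formats` arrays as a fallback. The new condition `ctx.event.timezone != null` presumably relies on `ctx.event` always being present; if no earlier processor guarantees that, `ctx.event?.timezone != null` avoids the condition itself failing on a null `event` object.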