[Filebeat][Fortinet] Remove pre populated event.timezone

[marc-gr]

What does this PR do?

Removes the pre populated event.timezone field.

Why is it important?

Some fortinet logs do not have a tz field to set as event.timezone, for this reason, when this happens, the event.timezone was incorrectly set to the system default instead of UTC or none (which represents UTC).

With this change event.timezone will only be set when the log has a timezone itself.

Checklist

- [ ] My code follows the style guidelines of this project
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [ ] I have made corresponding change to the default configuration files

• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

cd x-pack/filebeat
TESTING_FILEBEAT_MODULES=fortinet mage pythonIntegTest

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[elasticmachine]

💚 Build Succeeded

Expand to view the summary

Build stats

• Build Cause: [Pull request #20273 updated]

• Start Time: 2020-07-29T11:17:01.239+0000

• Duration: 50 min 56 sec

Test stats 🧪

Test	Results
Failed	0
Passed	2434
Skipped	385
Total	2819

[andrewkroh]

I think event.timezone is being populated by the module with the beats add_locale processor. So if the field needs to be removed then we should remove this processor so that the field is never set with the wrong value.

[marc-gr]

I think event.timezone is being populated by the module with the beats add_locale processor. So if the field needs to be removed then we should remove this processor so that the field is never set with the wrong value.

Good catch, will change it, thanks!

[adriansr]

So if I understand this correctly, Fortinet logs may or may not have a tz. If the tz is there, ingested dates will be relative to that. If it isn't, with this change, we'll assume dates are GMT. Before this change, dates were interpreted as local to the system running Filebeat.

I don't think this is a good or bad idea, just that we might find customers with different needs.

At some point we need to review how the modules behave regarding timezones and possibly add a common setting (var.tz or similar) to control how dates are interpreted when tz is not known.

[marc-gr]

So if I understand this correctly, Fortinet logs may or may not have a tz. If the tz is there, ingested dates will be relative to that. If it isn't, with this change, we'll assume dates are GMT. Before this change, dates were interpreted as local to the system running Filebeat.

Exactly that

I don't think this is a good or bad idea, just that we might find customers with different needs.

At some point we need to review how the modules behave regarding timezones and possibly add a common setting (var.tz or similar) to control how dates are interpreted when tz is not known.

I agree, there is this new ticket to add this possibility to fortinet #20300, maybe could be changed to extend this option more generally.