
[sophos][xg] Failed to parse field [sophos.xg.eventtime] exceptions #6546

Closed
ebeahan opened this issue Jun 12, 2023 · 1 comment · Fixed by #6676
Assignees: efd6
Labels: bug (Something isn't working), Integration:Sophos

Comments

ebeahan (Member) commented Jun 12, 2023

Several sophos.xg tests are failing in the daily integrations tests against stack 8.x.

CI failure (ephemeral link): https://fleet-ci.elastic.co/blue/organizations/jenkins/Ingest-manager%2Fintegrations/detail/main/1746/pipeline/990

sophos.xg fails with document_parsing_exception errors in the elastic-agent logs. One example:

{\"type\":\"document_parsing_exception\",\"reason\":\"[1:834] failed to parse field [sophos.xg.eventtime] of type [date] in document with id 'dtMWsYgB0AQUtVphHLCi'. Preview of field's value: '2017-03-16 12:56:01 IST'\",\"caused_by\":{\"type\":\"illegal_argument_exception\",\"reason\":\"failed to parse date field [2017-03-16 12:56:01 IST] with format [strict_date_optional_time||epoch_millis]\",\"caused_by\":{\"type\":\"date_time_parse_exception\",\"reason\":\"Failed to parse with all enclosed parsers\"}}}, dropping event!
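The value in the error above is rejected because an Elasticsearch `date` field with no explicit `format` accepts only `strict_date_optional_time||epoch_millis`, and `2017-03-16 12:56:01 IST` matches neither, so the whole event is dropped and never reaches the index. The Python below is an added example, not code from the issue or from the Sophos integration (the actual fix landed in #6676 and is not reproduced here): it checks a value against an approximation of those two formats, pulls `eventtime` out of the key=value payload, and rewrites it into ISO 8601 with a numeric offset. The abbreviation-to-offset table `EXAMPLE_TZ_OFFSETS`, the constructed samples and the helper names are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Approximations of the two formats named in the error. Elasticsearch's default
# date-field format is `strict_date_optional_time||epoch_millis`: ISO 8601 with a
# 'T' separator and an optional numeric offset, or integer milliseconds.
STRICT_DATE_OPTIONAL_TIME = re.compile(
    r"^\d{4}-\d{2}-\d{2}"
    r"(T\d{2}:\d{2}(:\d{2}(\.\d{1,9})?)?(Z|[+-]\d{2}:\d{2})?)?$"
)
EPOCH_MILLIS = re.compile(r"^-?\d+$")

# Layout Sophos XG uses for eventtime in the issue: "2017-03-16 12:56:01 IST".
SOPHOS_EVENTTIME = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) ([A-Z]{2,5})$")

# key=value pairs of the syslog payload; quoted values may contain spaces.
# Unquoted multi-word values (branch_name=Gaurav Patel) are truncated at the
# first space, which is fine here because eventtime is always quoted.
KV_PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Pulls field name, mapped type and the offending value out of an agent error.
AGENT_ERROR = re.compile(
    r"failed to parse field \[([^\]]+)\] of type \[(\w+)\].*?"
    r"Preview of field's value: '([^']*)'"
)

# Constructed sample: the message body quoted in the issue, unescaped.
SAMPLE_MESSAGE = (
    'device="SFW" date=2017-03-16 time=12:56:01 timezone="IST" device_name="XG125w" '
    'device_id=S1601E1F9FCB7EE log_id=066811618014 log_type="Event" log_component="RED" '
    'log_subtype="System" priority=Information red_id=A350196C47072B0 status="Connected" '
    'eventtime="2017-03-16 12:56:01 IST" duration=164000 branch_name=Gaurav Patel '
    'recv_bytes=0 sent_bytes=0 message="A350196C47072B0/Gaurav Patel is now re-connected after 164000 ms"'
)
# Constructed sample: the agent error quoted in the issue, unescaped.
SAMPLE_AGENT_ERROR = (
    "failed to parse field [sophos.xg.eventtime] of type [date] in document with id "
    "'dtMWsYgB0AQUtVphHLCi'. Preview of field's value: '2017-03-16 12:56:01 IST'"
)
# Assumed configuration: which abbreviations this particular firewall emits.
EXAMPLE_TZ_OFFSETS = {"IST": timedelta(hours=5, minutes=30)}


def accepted_by_default_date_mapping(value: str) -> bool:
    """True if an unchanged `date` field would index this value."""
    return bool(STRICT_DATE_OPTIONAL_TIME.match(value) or EPOCH_MILLIS.match(value))


def parse_kv(message: str) -> dict:
    return {k: v.strip('"') for k, v in KV_PAIR.findall(message)}


def normalize_eventtime(value: str, tz_offsets: dict) -> str:
    """Rewrite 'YYYY-MM-DD HH:MM:SS ZZZ' into ISO 8601 with a numeric offset.

    Abbreviations are ambiguous (IST is used for India, Israel and Ireland), so an
    unknown one raises instead of guessing: a silently wrong offset would shift
    the event on the timeline an investigator later reconstructs.
    """
    m = SOPHOS_EVENTTIME.match(value)
    if not m:
        raise ValueError(f"unexpected eventtime layout: {value!r}")
    date_part, time_part, abbrev = m.groups()
    if abbrev not in tz_offsets:
        raise ValueError(f"no UTC offset configured for timezone {abbrev!r}")
    naive = datetime.strptime(f"{date_part} {time_part}", "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone(tz_offsets[abbrev])).isoformat()


def triage_agent_error(line: str):
    """Summarise a dropped-event error: which field, what value, and whether the
    value would have indexed unchanged (if so, the problem is elsewhere)."""
    m = AGENT_ERROR.search(line)
    if not m:
        return None
    field, ftype, preview = m.groups()
    return {"field": field, "type": ftype, "preview": preview,
            "indexable_as_is": accepted_by_default_date_mapping(preview)}
```

Every dropped event is a gap in the firewall timeline, so the triage helper is worth running over agent logs even after the mapping is fixed, to confirm the error count actually goes to zero.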
@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@efd6 efd6 self-assigned this Jun 22, 2023