[Fortinet Fortigate] Fixed parsing of login events to capture username in message (elastic#15954)

Corrected the capturing of user name in the messages of login events where an error may occur when a symbol is present in the name such as "-"

Previously, the pipeline was expecting a single word without any symbols.

Author: robester0403

packages/fortinet_fortigate/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.36.1"
+  changes:
+    - description: Properly parse user names for login events messages.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/15954
 - version: "1.36.0"
   changes:
     - description: Preserve event.original on pipeline error.

packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet-7-4.log

@@ -74,3 +74,4 @@ date=2021-06-17 time=16:55:26 eventtime=1623974126411127210 tz="-0700" logid="17
 <165>1 2022-11-14T06:54:03Z use2-dmz-fw02 - - - - eventtime=1668408842876531561 tz="-0800" logid="0317013312" type="utm" subtype="webfilter" eventtype="ftgd_allow" level="notice" vd="root" policyid=25 poluuid="ccb269e0-5735-51e9-a218-a397dd08b7eb" policytype="policy" sessionid=130637139 srcip=10.80.28.193 srcport=64152 srccountry="Reserved" srcintf="az-b" srcintfrole="undefined" srcuuid="8666f70e-cfb9-51eb-4991-9012417d69da" dstip=89.160.20.128 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="undefined" dstuuid="ae28f494-5735-51e9-f247-d1d2ce663f4b" proto=6 service="HTTPS" hostname="[server.example.com](https://server.example.com/)" profile="default-ipsoft" action="passthrough" reqtype="direct" url="https://server.example.com/" sentbyte=517 rcvdbyte=0 direction="outgoing" msg="URL belongs to an allowed category in policy" method="domain" cat=52 catdesc="Information Technology"
 date=2019-05-13 time=11:20:54 logid="0100032001" type="event" subtype="system" level="information" vd="vdom1" eventtime=1557771654587081441 logdesc="Admin login successful" sn="1557771654" user="admin" ui="jsconsole" method="jsconsole" srcip=172.16.200.254 dstip=172.16.200.2 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"
 date=2021-06-17 time=16:55:26 eventtime=1623974126411127210 tz="-0700" logid="0101037100" type="event" subtype="vpn" level="notice" vd="vdom" logdesc="IPsec tunnel statistics" msg="IPsec tunnel statistics" action="tunnel-stats" remip=192.168.10.1 locip=192.168.10.1 remport=4500 locport=4500 outintf="internet" srccountry="Reserved" cookies="" user="2" group="N/A" useralt="N/A" xauthuser="user1" xauthgroup="group1" assignip=10.10.10.1 vpntunnel="VPNTUNNEL" tunnelip=10.10.10.1 tunnelid=123456789 tunneltype="ipsec" duration=919 sentbyte=1641284 rcvdbyte=33245 nextstat=600 fctuid="52C66FE08F724FE0B116DAD5062C9600" advpnsc=0
+<190>date=2025-11-11 time=09:03:29 devname="MYDEV" devid="MYDEVID" eventtime=1746018712493245679 tz="+0200" logid="1059021234" type="event" subtype="vpn" level="notice" vd="vdom" logdesc="IPsec tunnel statistics" sn="1557771654" user="ABC-EFG-Admin04" ui="jsconsole" method="jsconsole" srcip=172.16.200.254 dstip=172.16.200.2 action="login" status="success" reason="none" profile="super_admin" msg="Administrator ABC-EFG-Admin04 logged in successfully from jsconsole"

packages/fortinet_fortigate/data_stream/log/_dev/test/pipeline/test-fortinet-7-4.log-expected.json

@@ -5791,6 +5791,96 @@
             "tags": [
                 "preserve_original_event"
             ]
+        },
+        {
+            "@timestamp": "2025-11-11T09:03:29.000+02:00",
+            "destination": {
+                "ip": "172.16.200.254"
+            },
+            "ecs": {
+                "version": "8.17.0"
+            },
+            "event": {
+                "action": "login",
+                "category": [
+                    "network",
+                    "authentication"
+                ],
+                "code": "1059021234",
+                "kind": "event",
+                "original": "<190>date=2025-11-11 time=09:03:29 devname=\"MYDEV\" devid=\"MYDEVID\" eventtime=1746018712493245679 tz=\"+0200\" logid=\"1059021234\" type=\"event\" subtype=\"vpn\" level=\"notice\" vd=\"vdom\" logdesc=\"IPsec tunnel statistics\" sn=\"1557771654\" user=\"ABC-EFG-Admin04\" ui=\"jsconsole\" method=\"jsconsole\" srcip=172.16.200.254 dstip=172.16.200.2 action=\"login\" status=\"success\" reason=\"none\" profile=\"super_admin\" msg=\"Administrator ABC-EFG-Admin04 logged in successfully from jsconsole\"",
+                "outcome": "success",
+                "reason": "none",
+                "start": "2025-04-30T15:11:52.493+02:00",
+                "timezone": "+0200",
+                "type": [
+                    "connection"
+                ]
+            },
+            "fortinet": {
+                "firewall": {
+                    "action": "login",
+                    "method": "jsconsole",
+                    "profile": "super_admin",
+                    "sn": "1557771654",
+                    "subtype": "vpn",
+                    "type": "event",
+                    "vd": "vdom"
+                }
+            },
+            "log": {
+                "level": "notice",
+                "syslog": {
+                    "facility": {
+                        "code": 23
+                    },
+                    "priority": 190,
+                    "severity": {
+                        "code": 6
+                    }
+                }
+            },
+            "message": "Administrator ABC-EFG-Admin04 logged in successfully from jsconsole",
+            "network": {
+                "direction": "internal"
+            },
+            "observer": {
+                "name": "MYDEV",
+                "product": "Fortigate",
+                "serial_number": "MYDEVID",
+                "type": "firewall",
+                "vendor": "Fortinet"
+            },
+            "related": {
+                "ip": [
+                    "172.16.200.2",
+                    "172.16.200.254"
+                ],
+                "user": [
+                    "ABC-EFG-Admin04"
+                ]
+            },
+            "rule": {
+                "description": "IPsec tunnel statistics"
+            },
+            "source": {
+                "ip": "172.16.200.2",
+                "user": {
+                    "name": "ABC-EFG-Admin04",
+                    "roles": [
+                        "Administrator"
+                    ]
+                }
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "user": {
+                "name": "ABC-EFG-Admin04",
+                "roles": [
+                    "Administrator"
+                ]
+            }
         }
     ]
 }

packages/fortinet_fortigate/data_stream/log/elasticsearch/ingest_pipeline/login.yml

@@ -78,7 +78,7 @@ processors:
       field: "message"
       tag: "ssh login 3"
       patterns:
-          - "%{WORD:_tmp.user.roles} %{WORD:user.name} logged in %{WORD:event.outcome} from (?:jsconsole|%{WORD}\\(%{IP:source.ip}\\))"
+          - "%{WORD:_tmp.user.roles} %{NOTSPACE:user.name} logged in %{WORD:event.outcome} from (?:jsconsole|%{WORD}\\(%{IP:source.ip}\\))"
       if: "ctx.message != null && ctx.message.startsWith('Administrator') && ctx.message.toLowerCase().contains('logged in')"
       on_failure:
           - append:

packages/fortinet_fortigate/manifest.yml

@@ -1,6 +1,6 @@
 name: fortinet_fortigate
 title: Fortinet FortiGate Firewall Logs
-version: "1.36.0"
+version: "1.36.1"
 description: Collect logs from Fortinet FortiGate firewalls with Elastic Agent.
 type: integration
 format_version: "3.0.3"