From 8f1dc4cd88aa9c435b99811b50b9b52519989f7c Mon Sep 17 00:00:00 2001
From: Marc Guasch
Date: Tue, 28 Jul 2020 15:41:05 +0200
Subject: [PATCH 1/3] Remove pre populated event.timezone
---
 x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml | 5 ++++-
 .../module/fortinet/firewall/test/fortinet.log-expected.json | 1 -
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml
index 60ada5b7f08..dccde298b8c 100644
--- a/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml
@@ -27,6 +27,9 @@ processors:
 - set:
 field: event.dataset
 value: fortinet.firewall
+- remove:
+ field: event.timezone
+ ignore_missing: true
 - set:
 field: event.timezone
 value: "{{fortinet.firewall.tz}}"
@@ -178,4 +181,4 @@ processors:
 on_failure:
 - set:
 field: error.message
- value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
+ value: '{{ _ingest.on_failure_message }}'
diff --git a/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json b/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json
index 73ad332c40d..bf1b5de3fd0 100644
--- a/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json
+++ b/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json
@@ -96,7 +96,6 @@
 "event.module": "fortinet",
 "event.outcome": "success",
 "event.start": "2020-06-24T01:16:08.000Z",
- "event.timezone": "-02:00",
 "event.type": [
 "connection",
 "end"
From 538865cc6c7a173b6ae7130856ea0d4646e19f65 Mon Sep 17 00:00:00 2001
From: Marc Guasch
Date: Tue, 28 Jul 2020 15:51:05 +0200
Subject: [PATCH 2/3] Add changelog entry
---
 CHANGELOG.next.asciidoc | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index d8a51a18081..03bb5ac4f54 100644
--- a/CHANGELOG.next.asciidoc
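Review bot: The `remove` of `event.timezone` added in the first pipeline.yml hunk is immediately overwritten by the unconditional `set` of the same field on the next three lines, so by itself it cannot change the outcome: whatever `add_locale` or any other upstream processor put there is replaced by the rendered `{{fortinet.firewall.tz}}` either way. In my experience the ingest `set` processor renders a Mustache reference to a missing field as an empty string, so for events without `tz` this would leave `event.timezone: ""` rather than unsetting it, unless the `set` carries an `if` guard beyond the hunk's last line. If the intent is "absent when no tz", guard the writer instead of clearing before it: `if: ctx.fortinet?.firewall?.tz != null` on the `set`. The processors list continues past the hunk, and the updated fixture (no `event.timezone` key at all) hints that such a guard or a cleanup step already exists out of view, which is worth confirming before relying on the `remove`.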
+++ b/CHANGELOG.next.asciidoc
@@ -225,6 +225,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix s3 input parsing json file without expand_event_list_from_field. {issue}19902[19902] {pull}19962[19962]
 - Fix millisecond timestamp normalization issues in CrowdStrike module {issue}20035[20035], {pull}20138[20138]
 - Fix support for message code 106100 in Cisco ASA and FTD. {issue}19350[19350] {pull}20245[20245]
+- Fix `fortinet` setting `event.timezone` to the system one when no `tz` field present {pull}20273[20273]
 *Heartbeat*
From cae41b18c651f087ddb70785ae637064aab96e03 Mon Sep 17 00:00:00 2001
From: Marc Guasch
Date: Wed, 29 Jul 2020 13:15:24 +0200
Subject: [PATCH 3/3] Remove processor instead of the field
---
 x-pack/filebeat/module/fortinet/firewall/config/firewall.yml | 1 -
 x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml | 3 ---
 2 files changed, 4 deletions(-)
diff --git a/x-pack/filebeat/module/fortinet/firewall/config/firewall.yml b/x-pack/filebeat/module/fortinet/firewall/config/firewall.yml
index 6af16945317..1154d83947f 100644
--- a/x-pack/filebeat/module/fortinet/firewall/config/firewall.yml
+++ b/x-pack/filebeat/module/fortinet/firewall/config/firewall.yml
@@ -24,7 +24,6 @@ tags: {{.tags | tojson}}
 publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
 processors:
- - add_locale: ~
 - add_fields:
 target: ''
 fields:
diff --git a/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml
index dccde298b8c..2aaf7065ec1 100644
--- a/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml
@@ -27,9 +27,6 @@ processors:
 - set:
 field: event.dataset
 value: fortinet.firewall
-- remove:
- field: event.timezone
- ignore_missing: true
 - set:
 field: event.timezone
 value: "{{fortinet.firewall.tz}}"
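Review bot: With `add_locale` dropped from firewall.yml, the `set` at the end of the second pipeline.yml hunk becomes the only writer of `event.timezone`, and within the hunk it is unguarded, so events that lack `tz` now depend entirely on how an empty Mustache expansion is handled rather than on the removed beat-side locale. In my experience the `set` processor writes an empty string for a missing template field, which a later date processor or ECS consumer would treat as a malformed timezone; `if: ctx.fortinet?.firewall?.tz != null` on the `set` (or `ignore_empty_value: true` where the target Elasticsearch supports it) makes the intended "absent when no tz" behaviour explicit. The `set` block and the rest of the processors list continue past the hunk, so such a guard may already be present out of view. If it is, a one-line comment above the `set` such as `# only populated when the device reports tz; there is no host-locale fallback` would stop the next reader from re-adding `add_locale`.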