From 9998936ea4f9ff35cd25b220b316503161c39f09 Mon Sep 17 00:00:00 2001
From: Andrew Kroh
Date: Thu, 10 Sep 2020 16:55:43 -0400
Subject: [PATCH] Add support for GMT timezone offset in decode_cef (#20993)

The Java SimpleDataFormat's `zzz` allows for `GMT-07:00` in timestamps but this wasn't handled in the processor.

(cherry picked from commit 6cfee0c7a1f2917f51840a4739831a8c17397b25)
---
 CHANGELOG.next.asciidoc | 1 +
 x-pack/filebeat/processors/decode_cef/cef/types.go | 4 ++++
 x-pack/filebeat/processors/decode_cef/cef/types_test.go | 4 ++++
 3 files changed, 9 insertions(+)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index b277bc1c4d73..3e8c2ae155ef 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -81,6 +81,7 @@ field. You can revert this change by configuring tags for the module and omittin
 - Fix PANW field spelling "veredict" to "verdict" on event.action {pull}18808[18808]
 - Tracking session end reason in panw module. {pull}18705[18705]
 - Removed experimental modules `citrix`, `kaspersky`, `rapid7` and `tenable`. {pull}20706[20706]
+- Add support for GMT timezone offsets in `decode_cef`. {pull}20993[20993]
 
 *Heartbeat*
 
diff --git a/x-pack/filebeat/processors/decode_cef/cef/types.go b/x-pack/filebeat/processors/decode_cef/cef/types.go
index c2c6776dcdb3..a0e39c27b4cd 100644
--- a/x-pack/filebeat/processors/decode_cef/cef/types.go
+++ b/x-pack/filebeat/processors/decode_cef/cef/types.go
@@ -105,6 +105,7 @@ var timeLayouts = []string{
 	"Jan _2 15:04:05.000 MST",
 	"Jan _2 15:04:05.000 Z0700",
 	"Jan _2 15:04:05.000 Z07:00",
+	"Jan _2 15:04:05.000 GMT-07:00",
 
 	// MMM dd HH:mm:sss.SSS
 	"Jan _2 15:04:05.000",
@@ -113,6 +114,7 @@ var timeLayouts = []string{
 	"Jan _2 15:04:05 MST",
 	"Jan _2 15:04:05 Z0700",
 	"Jan _2 15:04:05 Z07:00",
+	"Jan _2 15:04:05 GMT-07:00",
 
 	// MMM dd HH:mm:ss
 	"Jan _2 15:04:05",
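Review bot: The new `GMT-07:00` layout in the @@ -105 hunk accepts only the colon-separated form, so a timestamp carrying `GMT-0700` or `GMT-07` would still fall through to the other layouts and most likely be rejected; if such variants occur in the CEF feeds this processor handles, they need their own entries next to this one. The reason the entry works is not obvious from the layout string alone: in Go layouts `GMT` is literal text and only `-07:00` is the offset element, whereas the neighbouring `MST` element has its own special handling of a `GMT+hh` suffix in time.Parse, so a one-line comment would help the next maintainer, e.g. `"Jan _2 15:04:05.000 GMT-07:00", // literal "GMT" followed by a numeric offset; Java SimpleDateFormat "zzz" form`. The same observation applies to the parallel additions in the @@ -113, @@ -121 and @@ -129 hunks. The timeLayouts slice starts before the first hunk, so the ordering of these entries relative to the rest of the list cannot be judged from here.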
@@ -121,6 +123,7 @@ var timeLayouts = []string{
 	"Jan _2 2006 15:04:05.000 MST",
 	"Jan _2 2006 15:04:05.000 Z0700",
 	"Jan _2 2006 15:04:05.000 Z07:00",
+	"Jan _2 2006 15:04:05.000 GMT-07:00",
 
 	// MMM dd yyyy HH:mm:ss.SSS
 	"Jan _2 2006 15:04:05.000",
@@ -129,6 +132,7 @@ var timeLayouts = []string{
 	"Jan _2 2006 15:04:05 MST",
 	"Jan _2 2006 15:04:05 Z0700",
 	"Jan _2 2006 15:04:05 Z07:00",
+	"Jan _2 2006 15:04:05 GMT-07:00",
 
 	// MMM dd yyyy HH:mm:ss
 	"Jan _2 2006 15:04:05",
diff --git a/x-pack/filebeat/processors/decode_cef/cef/types_test.go b/x-pack/filebeat/processors/decode_cef/cef/types_test.go
index 142538eece46..fe44c13abb88 100644
--- a/x-pack/filebeat/processors/decode_cef/cef/types_test.go
+++ b/x-pack/filebeat/processors/decode_cef/cef/types_test.go
@@ -21,6 +21,7 @@ func TestToTimestamp(t *testing.T) {
 	"Jun 23 17:37:24.000 +05",
 	"Jun 23 17:37:24.000 +0500",
 	"Jun 23 17:37:24.000 +05:00",
+	"Jun 23 17:37:24.000 GMT+05:00",
 
 	// MMM dd HH:mm:sss.SSS
 	"Jun 23 17:37:24.000",
@@ -31,6 +32,7 @@ func TestToTimestamp(t *testing.T) {
 	"Jun 23 17:37:24 +05",
 	"Jun 23 17:37:24 +0500",
 	"Jun 23 17:37:24 +05:00",
+	"Jun 23 17:37:24 GMT+05:00",
 
 	// MMM dd HH:mm:ss
 	"Jun 23 17:37:24",
@@ -41,6 +43,7 @@ func TestToTimestamp(t *testing.T) {
 	"Jun 23 2020 17:37:24.000 +05",
 	"Jun 23 2020 17:37:24.000 +0500",
 	"Jun 23 2020 17:37:24.000 +05:00",
+	"Jun 23 2020 17:37:24.000 GMT+05:00",
 
 	// MMM dd yyyy HH:mm:ss.SSS
 	"Jun 23 2020 17:37:24.000",
@@ -51,6 +54,7 @@ func TestToTimestamp(t *testing.T) {
 	"Jun 23 2020 17:37:24 +05",
 	"Jun 23 2020 17:37:24 +0500",
 	"Jun 23 2020 17:37:24 +05:00",
+	"Jun 23 2020 17:37:24 GMT+05:00",
 
 	// MMM dd yyyy HH:mm:ss
 	"Jun 23 2020 17:37:24",
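Review bot: The `GMT+05:00` inputs added in the @@ -21 hunk of types_test.go (and the @@ -31, @@ -41 and @@ -51 hunks) only prove that the string is accepted, not that the `+05:00` offset is applied to the resulting instant; the assertions live outside these hunks, so if TestToTimestamp only compares against a shared expected value in UTC this is already covered, otherwise it is worth checking that each `GMT+05:00` case yields the same instant as the `+05:00` case beside it, e.g. `if !got.Equal(want) { t.Errorf("%q: got %v, want %v", in, got, want) }`. A negative case such as `"Jun 23 17:37:24 GMT+05"` would also document that the non-colon form is deliberately not supported, assuming that is the intent. The enclosing TestToTimestamp body begins before the first hunk and continues past the last one.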