[Fortinet Fortigate] Add url parsing error handling

[gogochan]

Proposed commit message

This PR adds error message for Fortinet Firewall if url parsing fails parsing
https://github.com/elastic/sdh-beats/issues/5691

The test file was removed since elastic-package cannot handle the test data with error.message field.

update

Instead of generating a dedicated field, I choose to populate the error message as it displays the original url.

         {
+            "@timestamp": "2025-02-05T00:19:02.000-07:00",
+            "destination": {
+                "ip": "10.7.3.6",
+                "port": 80
+            },
+            "ecs": {
+                "version": "8.17.0"
+            },
+            "error": {
+                "message": [
+                    "url parsing failed with message unable to parse URI [%/%70%68%70%70%61%74%68/%70%68%70?%2d%64+%61%6c%6c%6f%77%5f%75%72%6c%5f%69%6e%63%6c%75%64%65%3d%6f%6e+%2d%64+%73%61%66%65%5f%6d%6f%64%65%3d%6f%66%66+%2d%64+%73%75%68%6f%73%69%6e%2e%73%69%6d%75%6c%61%74%69%6f%6e%3d%6f%6e+%2d%64+%64%69%73%61%62%6c%65%5f%66%75]"
+                ]
+            },

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.
• I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

• [ ]

How to test this PR locally

Related issues

Screenshots

[elasticmachine]

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

[elastic-vault-github-plugin-prod]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[taylor-swanson]

I'm a bit confused, the description says this will store the original url under url.original, but I'm only seeing us appending to error.message. Does uri_parts failing automatically put the original url under url.original?

[gogochan]

I'm a bit confused, the description says this will store the original url under url.original, but I'm only seeing us appending to error.message. Does uri_parts failing automatically put the original url under url.original?

sorry about that. I updated the PR message late. I have added additional detail and sample output.

[elastic-sonarqube]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 064a7c0

History

• 💚 Build #22819 succeeded 034681f
• 💚 Build #22782 succeeded f56edee
• 💔 Build #22771 failed af2f661
• 💚 Build #22762 succeeded 918c6c6
• 💔 Build #22748 failed 635a550
• 💔 Build #22741 failed ed6a412

[elastic-vault-github-plugin-prod]

Package fortinet_fortigate - 1.30.0 containing this change is available at https://epr.elastic.co/package/fortinet_fortigate/1.30.0/