Panorama logs running 5 hours behind eastern time zone

[Bal33p]

Hello,
Using a standalone install version Version: 2.3.210
Thirdparty_filebeat_module Panw

Our current Panorama is sending logs to SO in the eastern time zone
SO is presenting the logs with a time stamp 5 hours behind
It looks like SO thinks it is getting the logs in UTC and is then compensated for it

I added the following stanza to my minion.sls, but it has no effect. I have also tried '~' , and neither works.
We have tested with our test Pano and confirmed that changing the Pano to UTC fixes everything, but the Firewall admin would prefer not to use UTC. How do I correct this in SO?

  panw:
    panos:
      enabled: true
      var.syslog_host: 0.0.0.0
      var.syslog_port: 9002
      Processors: 
        - add_locale:
            format: UTC

[InfosecGoon]

Is Panorama capable of adding a tzdata field to the log it sends, so Filebeat recognizes that it's in local time rather than UTC?

[Bal33p]

Unfortunately, no, it looks like you have to change the panorama and all the firewalls to send their logs in UTC

[InfosecGoon]

Looking at the docs, it looks like you need to overwrite the event.timezone field with the time zone set on your Panorama box.

Maybe something like this? I'm not sure about the syntax for the "timezone" field, I copied this from Kibana.

  panw:
    panos:
      enabled: true
      var.syslog_host: 0.0.0.0
      var.syslog_port: 9002
      processors: 
        - add_field:
            target: event
            fields:
               timezone: US/Eastern

[Bal33p]

Thanks, @InfosecGoon
I tried again and found the drop_fields to work...
Thank you for taking the time to help. Much Appreciated
I did try your solution, and they both seem to work!

      panw:
        panos:
          enabled: true
          var.syslog_host: 0.0.0.0
          var.syslog_port: 9002
          processors:
           - drop_fields:
              fields: event.timezone