FortiGate firewalls run the FortiOS operating system and produce extremely detailed logs. A single traffic event can carry nearly 60 fields. Indexing all of them in a SIEM is both unnecessary and expensive. Choose the right subset and performance stays good while detection quality remains high.
In this guide, we go through the FortiOS 7.x syslog output field by field and separate what is critical from what is noise.
An example FortiGate Log Line
```
date=2026-04-23 time=14:32:05 devname="FG100-HQ" devid="FG100ETK20000123"
eventtime=1714048325 tz="+0300" logid="0000000013" type="traffic"
subtype="forward" level="notice" vd="root" srcip=192.168.1.105
srcport=54332 srcintf="port1" srcintfrole="lan" dstip=203.0.113.45
dstport=443 dstintf="port2" dstintfrole="wan" sessionid=8821334
proto=6 action="deny" policyid=0 policytype="policy" service="HTTPS"
dstcountry="Netherlands" srccountry="Reserved" trandisp="noop"
duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned"
crscore=5 craction=131072 crlevel="low"
```
This single line (wrapped here for readability) contains 30+ fields. Let's examine each one individually — but first, let's prioritize.
Critical Fields (should always be indexed)
| Field | Meaning | Why critical? |
|---|---|---|
| date, time | Timestamp | The basis of every correlation |
| devname | Firewall name | Filtering in a multi-device environment |
| srcip | Source IP | Brute force, scan detection |
| dstip | Target IP | Target enumeration |
| srcport / dstport | Port numbers | Port scan, service detection |
| action | deny / accept / dropped | Deny chain = attack signal |
| service | HTTPS, DNS, etc. | Traffic type |
| proto | 6 (TCP), 17 (UDP), 1 (ICMP) | Protocol analysis |
| policyid | Which firewall rule was triggered | Policy tuning |
| srccountry / dstcountry | GeoIP | Foreign country detection |
Important Fields (required for most scenarios)
| Field | Meaning |
|---|---|
| srcintf / dstintf | Input/output interface (port1, wan1, etc.) |
| srcintfrole / dstintfrole | lan, wan, dmz — critical for traffic direction |
| sentbyte / rcvdbyte | Traffic volume — for data exfil detection |
| duration | Connection time |
| appcat / app | Application category (Social Media, etc.) |
| user | Username, if authentication is done |
Noise Fields (usually should not be indexed)
The following fields fill up storage and are rarely required for detection:
- logid — FortiOS internal ID, meaning unclear
- devid — device serial number, meaningless in a single-device environment
- eventtime — duplicate of date/time
- tz — timezone, usually fixed
- vd — virtual domain, "root" in most companies
- sessionid — rarely needed for correlation
- trandisp — translation disposition, very specific
- crscore, craction, crlevel — FortiGuard categorization (can be stored without indexing)
Store them as text inside raw_message. That way both performance and a complete archive are possible.
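As an added example (not code from the original post), here is a small Python parser for the FortiOS key=value format shown above. It splits one syslog line into the fields this guide recommends indexing and keeps the full line untouched for raw_message. INDEXED_FIELDS follows the critical and important tables; type, subtype and level are included as an assumption so the SIEM can still filter by event type and severity. The sample line is this guide's own example, joined into the single line FortiOS actually emits.

```python
import re

# Fields this guide recommends indexing (critical + important tables).
# type/subtype/level are added here as an assumption: the SIEM still
# needs them to filter by event type and severity.
INDEXED_FIELDS = {
    "date", "time", "devname", "srcip", "dstip", "srcport", "dstport",
    "action", "service", "proto", "policyid", "srccountry", "dstcountry",
    "srcintf", "dstintf", "srcintfrole", "dstintfrole",
    "sentbyte", "rcvdbyte", "duration", "appcat", "app", "user",
    "type", "subtype", "level",
}

# FortiOS writes key=value pairs separated by spaces. Values are either
# double-quoted (and may contain spaces, '=' and backslash-escaped quotes)
# or bare tokens with no whitespace.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_line(line):
    """Return every key=value pair of one syslog line as a dict of strings."""
    fields = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def split_for_siem(line):
    """Split a line into (indexed_fields, noise_fields, raw_message).

    indexed_fields go into the SIEM index, noise_fields are left out of
    the index, and raw_message keeps the untouched line for audit."""
    fields = parse_fortigate_line(line)
    indexed = {k: v for k, v in fields.items() if k in INDEXED_FIELDS}
    noise = {k: v for k, v in fields.items() if k not in INDEXED_FIELDS}
    return indexed, noise, line


# The sample line from this guide, joined into one line as FortiOS emits it.
SAMPLE_LINE = (
    'date=2026-04-23 time=14:32:05 devname="FG100-HQ" devid="FG100ETK20000123" '
    'eventtime=1714048325 tz="+0300" logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=192.168.1.105 '
    'srcport=54332 srcintf="port1" srcintfrole="lan" dstip=203.0.113.45 '
    'dstport=443 dstintf="port2" dstintfrole="wan" sessionid=8821334 '
    'proto=6 action="deny" policyid=0 policytype="policy" service="HTTPS" '
    'dstcountry="Netherlands" srccountry="Reserved" trandisp="noop" '
    'duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" '
    'crscore=5 craction=131072 crlevel="low"'
)

if __name__ == "__main__":
    indexed, noise, raw = split_for_siem(SAMPLE_LINE)
    print(f"{len(indexed)} indexed fields, {len(noise)} left out of the index")
    print("indexed:", sorted(indexed))
    print("noise:  ", sorted(noise))
```

Of the 36 fields in the sample line, 24 end up in the index and 12 (devid, eventtime, tz, logid, vd, sessionid, policytype, trandisp, sentpkt, crscore, craction, crlevel) stay only in raw_message.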
Meaning of the Action Field
In FortiGate, the action field is the heart of intrusion detection:
| Action | Meaning |
|---|---|
| accept | Traffic allowed |
| deny | Rejected by policy |
| close | Normal session end |
| timeout | Session timed out |
| server-rst / client-rst | TCP RST packet |
| ip-conn | IP connection error |
Most valuable for intrusion detection: deny, server-rst, ip-conn. A run of these in quick succession from one source is the clearest signal of a port scan or brute force.
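As an added example of the rule just described (not from the original post), the following Python code slides a time window over each source's deny / server-rst / ip-conn events and flags a port scan when many distinct destination ports are hit, or a brute force when one dstip:dstport is hit repeatedly. The events are constructed inline in the shape a key=value parser would produce; the window and thresholds are assumptions to be tuned per environment.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# The three action values this guide singles out as attack signals.
ATTACK_ACTIONS = {"deny", "server-rst", "ip-conn"}


def _ts(ev):
    """Build a datetime from the date/time fields of a parsed event."""
    return datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")


def detect_scan_and_bruteforce(events, window_seconds=60,
                               scan_ports=10, brute_attempts=5):
    """Slide a time window over each source's failed connections.

    Port scan:   >= scan_ports distinct dstports inside the window.
    Brute force: >= brute_attempts hits on one dstip:dstport inside it.
    Returns {srcip: sorted list of alert names}. Thresholds are assumptions."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ev in sorted(events, key=_ts):
        if ev.get("action") in ATTACK_ACTIONS:
            by_src[ev["srcip"]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        found = set()
        start = 0
        for end, ev in enumerate(evs):
            # Drop events that fell out of the window ending at this event.
            while _ts(ev) - _ts(evs[start]) > window:
                start += 1
            win = evs[start:end + 1]
            if len({e["dstport"] for e in win}) >= scan_ports:
                found.add("port_scan")
            hits = Counter((e["dstip"], e["dstport"]) for e in win)
            if max(hits.values()) >= brute_attempts:
                found.add("brute_force")
        if found:
            alerts[src] = sorted(found)
    return alerts


def _ev(src, dst, dport, action, second):
    """Constructed event in the shape a key=value parser would produce."""
    return {"date": "2026-04-23", "time": f"14:32:{second:02d}",
            "srcip": src, "dstip": dst, "dstport": str(dport), "action": action}


# Constructed sample traffic (not real firewall data):
#  - 10.0.0.5 is denied on 12 different ports within 12 seconds
#  - 10.0.0.9 gets six server-rst on 203.0.113.20:22 within 25 seconds
#  - 192.168.1.105 has a single deny, normal background noise
SAMPLE_EVENTS = (
    [_ev("10.0.0.5", "203.0.113.10", 20 + i, "deny", i) for i in range(12)]
    + [_ev("10.0.0.9", "203.0.113.20", 22, "server-rst", 5 * i) for i in range(6)]
    + [_ev("10.0.0.9", "203.0.113.20", 443, "accept", 40)]
    + [_ev("192.168.1.105", "203.0.113.45", 443, "deny", 5)]
)

if __name__ == "__main__":
    for src, kinds in detect_scan_and_bruteforce(SAMPLE_EVENTS).items():
        print(f"{src}: {', '.join(kinds)}")
```

Only srcip, dstip, dstport, action and the timestamp are needed, which is exactly why those fields belong in the index while sessionid or trandisp do not.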
Log Levels
FortiGate log levels follow the syslog severities of RFC 5424:
| Level | Severity | Meaning |
|---|---|---|
| emergency | 0 | System cannot be used |
| alert | 1 | Immediate action is required |
| critical | 2 | Critical condition |
| error | 3 | Error |
| warning | 4 | Warning |
| notice | 5 | Important but normal |
| information | 6 | Informational |
| debug | 7 | Debug |
Send notice and above (0-5). information and debug take up a lot of space and have low analytical value.
Sending Syslog from FortiGate
Configuring FortiGate to send logs to the SIEM via the CLI:
```
config log syslogd setting
    set status enable
    set server "siem.example.com"
    set mode udp
    set port 514
    set facility local7
    set source-ip "192.168.1.1"
    set format default
    set enc-algorithm disable
end
config log syslogd filter
    set severity notice
    set forward-traffic enable
    set local-traffic disable
    set multicast-traffic disable
    set sniffer-traffic disable
    set anomaly enable
    set voip disable
end
```
This configuration:
- Sends logs to the SIEM over UDP 514
- Forwards notice level and above (severity filter)
- Includes forward traffic (traffic to WAN)
- Excludes local, multicast and sniffer traffic (noise)
Note that UDP with enc-algorithm disable sends the logs in clear text and without delivery guarantees. If the SIEM is not on a trusted segment, FortiOS also offers set mode reliable (TCP) together with set enc-algorithm high-medium for a TLS-protected transport.
Suggestion for Renaming Log Fields
FortiGate field names do not always match those of other firewalls. To use a uniform schema in the SIEM:
| FortiGate | Normalized (recommended) |
|---|---|
| srcip | src_ip |
| dstip | dst_ip |
| srcport | src_port |
| dstport | dst_port |
| devname | device_hostname |
| srccountry | src_country |
| sentbyte | bytes_sent |
| rcvdbyte | bytes_received |
Since this naming is also compatible with MikroTik, WatchGuard and Cisco, correlation rules can be written vendor-agnostic.
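As an added example (not from the original post), here is a Python normalizer that applies the rename table above, casts ports, bytes and proto to integers, converts the level name to its RFC 5424 severity number from the log-level section, and derives a traffic direction from srcintfrole/dstintfrole. A small vendor-agnostic exfiltration rule then runs against the normalized names only. dst_country is added by analogy with src_country, and the byte threshold is an assumption; the sample event is constructed.

```python
# Rename map from this guide's table; dst_country is added by analogy
# with src_country (assumption).
FIELD_MAP = {
    "srcip": "src_ip", "dstip": "dst_ip",
    "srcport": "src_port", "dstport": "dst_port",
    "devname": "device_hostname",
    "srccountry": "src_country", "dstcountry": "dst_country",
    "sentbyte": "bytes_sent", "rcvdbyte": "bytes_received",
}

# Fields that should become integers after renaming.
INT_FIELDS = {"src_port", "dst_port", "bytes_sent", "bytes_received",
              "proto", "policyid", "duration"}

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Syslog severities as listed in the log-level table (RFC 5424).
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "information": 6, "debug": 7}

# Interface roles treated as "inside" when deriving direction.
INTERNAL_ROLES = {"lan", "dmz"}


def normalize(event):
    """Map a parsed FortiGate event onto the vendor-neutral schema."""
    out = {}
    for key, value in event.items():
        new_key = FIELD_MAP.get(key, key)
        if new_key in INT_FIELDS:
            try:
                value = int(value)
            except (TypeError, ValueError):
                pass  # keep the original string if the value is not numeric
        out[new_key] = value

    if isinstance(out.get("proto"), int):
        out["transport"] = PROTO_NAMES.get(out["proto"], str(out["proto"]))
    if "level" in out:
        out["severity"] = SEVERITY.get(out["level"])
    if isinstance(out.get("bytes_sent"), int) and isinstance(out.get("bytes_received"), int):
        out["bytes_total"] = out["bytes_sent"] + out["bytes_received"]

    # Traffic direction from the interface roles (srcintfrole / dstintfrole).
    src_role, dst_role = out.get("srcintfrole"), out.get("dstintfrole")
    if src_role in INTERNAL_ROLES and dst_role == "wan":
        out["direction"] = "outbound"
    elif src_role == "wan" and dst_role in INTERNAL_ROLES:
        out["direction"] = "inbound"
    elif src_role in INTERNAL_ROLES and dst_role in INTERNAL_ROLES:
        out["direction"] = "internal"
    else:
        out["direction"] = "unknown"
    return out


def large_outbound_transfer(norm, threshold_bytes=500_000_000):
    """Vendor-agnostic exfiltration rule written only against normalized
    names, so the same rule works for any firewall mapped to this schema.
    The threshold is an assumption for illustration."""
    return (norm.get("direction") == "outbound"
            and isinstance(norm.get("bytes_sent"), int)
            and norm["bytes_sent"] >= threshold_bytes)


# Constructed parsed event (the shape a key=value parser would produce).
SAMPLE_EVENT = {
    "date": "2026-04-23", "time": "14:32:05", "devname": "FG100-HQ",
    "level": "notice", "srcip": "192.168.1.105", "srcport": "54332",
    "srcintfrole": "lan", "dstip": "203.0.113.45", "dstport": "443",
    "dstintfrole": "wan", "proto": "6", "action": "accept", "policyid": "12",
    "service": "HTTPS", "sentbyte": "734003200", "rcvdbyte": "120000",
}

if __name__ == "__main__":
    n = normalize(SAMPLE_EVENT)
    print(n["src_ip"], "->", n["dst_ip"], n["dst_port"], n["transport"], n["direction"])
    print("large outbound transfer:", large_outbound_transfer(n))
```

Because the rule reads src_ip, direction and bytes_sent rather than srcip, srcintfrole and sentbyte, it does not need to change when another vendor's events are mapped onto the same schema.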
Summary
- A FortiGate log line contains 60+ fields — not all are needed
- Index the 10 critical fields: date, srcip, dstip, srcport, dstport, action, service, policyid, srccountry, devname
- The action field is the heart of intrusion detection
- Do not send below the notice level — noise
- Normalize field names — for vendor-agnostic correlation
- Save the raw log — for audit / deep dive