Technical Tip: CEF log field with wrong format in syslog server

When FortiGate sends logs from FortiOS to any remote or local syslog server the log format changes for CEF and the CEF fields parameters replace them. 

CLI:

config log syslogd setting
     set status enable
     set server "x.x.x.x"
     set format cef
 end

The document Traffic log support for CEF describes the lists of the CEF log fields that will be changed from the original log field.

Additionally the article Technical Tip: FortiGate adding 'FTNTFGT' prefix while sending logs to Syslog server describes the front prefix that will be added before the log field. 

In some cases the log field does not change to the recommended format as following example:

.. FTNTFGTlevel=notice FTNTFGTvd=root src=10.120.152.189 spt=54320 deviceInboundInterface=port2
FTNTFGTsrcintfrole=undefined dst=40.113.178.33 dpt=443 deviceOutboundInterface=port1
FTNTFGTdstintfrole=undefined FTNTFGTsrccountry=Reserved FTNTFGTdstinetsvc=Microsoft-Azure
FTNTFGTdstcountry=Netherlands FTNTFGTdstregion=North Holland FTNTFGTdstcity=Amsterdam
FTNTFGTdstreputation=4 externalId=16739081 proto=6 FTNTFGTaction=close FTNTFGTpolicyid=454
FTNTFGTpolicytype=policy FTNTFGTpoluuid=9c12de76-0bd1-51f0-7853-44fa94fd9ebb FTNTFGTpolicyname=Telemetry app=Microsoft-Azure FTNTFGTtrandisp=snat sourceTranslatedAddress=10.120.80.11 sourceTranslatedPort=54320 FTNTFGTappid=38924 FTNTFGTapp=Microsoft.Azure FTNTFGTappcat=Cloud.IT FTNTFGTapprisk=medium FTNTFGTapplist=block-high-risk ..

Here the CEF log field 'action' changed into 'act' which is a wrong format which is related to FortiOS. The issue is being fixed in FortiOS version 7.4.10, 7.6.5 and 8.0.0. It is requested to open a ticket to the Fortinet TAC if the same or similar issues are observed with the CEF format log field.