Rajneesh
Staff
January 29, 2026

Troubleshooting Tip: Log showing truncated on the QRadar syslog server

Description
This article describes an issue in which FortiGate logs appear truncated on the QRadar syslog server.
Scope
FortiGate.
Solution

The attached capture shows a FortiGate sending the log towards the QRadar syslog server.

 

  • FortiGate IP: 10.128.25.62
  • QRadar IP: 10.130.35.95

 

PCAP log-1.jpg

 

Below is the log text extracted from the Wireshark capture:

 

date=2025-12-08 time=11:25:32 devname="_FGT_FW1" devid="FGVMSL0000000" eventtime=1765173333344578239 tz="+0530" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="low" srcip=10.128.2.50 srccountry="Reserved" dstip=10.132.115.104 dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="port2" dstintfrole="undefined" sessionid=107963143 action="dropped" proto=6 service="HTTP" policyid=121 poluuid="1f2bfaf8-97b1-51ef-026b-b7e43fcb8613" policytype="policy" attack="Assetnote.Scanner" srcport=47874 dstport=80 hostname="sampletest.com"
url="/MetalWeb/changePasswordForgot.do:wras :@131/" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Assetnote/1.0.0" httpmethod="POST" direction="outgoing" attackid=49987 profile="IPS-Profile" ref="http://www.fortinet.com/ids/VID49987" incidentserialno=355478295 msg="tools: Assetnote.Scanner" forwardedfor="103.15.1.1"

 

The following image shows the same log as received on QRadar:

 

image001_(1).jpg

 

In the last line of the log as displayed on QRadar, the forwardedfor address ends after two octets, although an IPv4 address has four (x.x.x.x). The log text extracted from the Wireshark capture shows that the FortiGate sent the complete value, forwardedfor="103.15.1.1", so the data was lost after it left the FortiGate.

 

The issue occurred because the Max Syslog Payload Length on the QRadar side was set to approximately 1024 bytes, while this log message was longer than that. QRadar keeps the bytes up to the limit and drops the rest, so the cut lands wherever the byte count is reached, here in the middle of the forwardedfor value, and no error is raised; the event looks complete until it is compared with the source. The whole syslog payload counts against the limit, PRI and any header included, and FortiGate UTM logs with long url and agent fields regularly grow past 1 KB.

After increasing the Max Syslog Payload Length in QRadar to accommodate the longest expected message, the complete log is displayed correctly. Verify with a capture on the QRadar side, as above, rather than only in the event viewer.
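To make this diagnosis repeatable, the following added example (not part of this article and not Fortinet or IBM code) sizes a FortiGate key=value syslog message against a receiver's payload limit, reports which field the cut would land in, and applies simple heuristics to a received line to flag that it arrived truncated. It uses the log line from the capture above, with the stray spaces introduced by copy and paste removed; the PRI value 189 and the limit used in the demonstration are assumptions chosen to reproduce the cut seen on QRadar.

```python
"""Added example (not FortiGate or QRadar code): size a FortiGate key=value
syslog message against a receiver's payload limit, and detect a line that
arrived truncated. SAMPLE_LOG is the log extracted from the capture above;
the PRI value and the limit used in the demo are assumptions."""
import re
from typing import Dict, List, Optional

# FortiGate logs are space-separated key=value pairs. String values are
# double-quoted and may contain spaces; numbers and IP addresses are bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
# Fields that carry a full IPv4 address when present in a FortiGate UTM log.
IP_FIELDS = ("srcip", "dstip", "forwardedfor")

SAMPLE_LOG = (  # from the page's capture, copy/paste spaces removed
    'date=2025-12-08 time=11:25:32 devname="_FGT_FW1" devid="FGVMSL0000000" '
    'eventtime=1765173333344578239 tz="+0530" logid="0419016384" type="utm" '
    'subtype="ips" eventtype="signature" level="alert" vd="root" severity="low" '
    'srcip=10.128.2.50 srccountry="Reserved" dstip=10.132.115.104 '
    'dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" '
    'dstintf="port2" dstintfrole="undefined" sessionid=107963143 '
    'action="dropped" proto=6 service="HTTP" policyid=121 '
    'poluuid="1f2bfaf8-97b1-51ef-026b-b7e43fcb8613" policytype="policy" '
    'attack="Assetnote.Scanner" srcport=47874 dstport=80 '
    'hostname="sampletest.com" url="/MetalWeb/changePasswordForgot.do:wras :@131/" '
    'agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Assetnote/1.0.0" '
    'httpmethod="POST" direction="outgoing" attackid=49987 profile="IPS-Profile" '
    'ref="http://www.fortinet.com/ids/VID49987" incidentserialno=355478295 '
    'msg="tools: Assetnote.Scanner" forwardedfor="103.15.1.1"'
)


def parse_fortigate_kv(line: str) -> Dict[str, str]:
    """Split a FortiGate log line into a key -> value dict (quotes stripped)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def build_payload(line: str, pri: int = 189) -> str:
    """Syslog payload as FortiGate sends it in its default format: a PRI
    prefix followed by the log line. PRI 189 (local7.notice) is an assumption.
    The receiver's limit counts these bytes too, so size the whole payload."""
    return f"<{pri}>{line}"


def payload_bytes(payload: str) -> int:
    """Length on the wire. FortiGate logs are ASCII, so byte and character
    offsets coincide; cut_field() relies on that."""
    return len(payload.encode("utf-8"))


def truncate_to_limit(payload: str, max_len: int) -> str:
    """Model a receiver that keeps only the first max_len bytes."""
    return payload.encode("utf-8")[:max_len].decode("utf-8", "replace")


def cut_field(payload: str, max_len: int) -> Optional[str]:
    """Key of the first field damaged or lost at the given limit, or None if
    the whole payload fits. Run this over real messages before sizing the
    collector, so the limit is set from data rather than a default."""
    if payload_bytes(payload) <= max_len:
        return None
    for m in KV_RE.finditer(payload):
        if m.end() > max_len:
            return m.group(1)
    return None


def truncation_indicators(line: str) -> List[str]:
    """Heuristics that flag a received FortiGate line as cut short. The line
    carries no length field, so look for the damage a byte cut leaves behind."""
    problems: List[str] = []
    if line.count('"') % 2:
        problems.append("odd number of double quotes: a quoted value was cut")
    fields = parse_fortigate_kv(line)
    for key in IP_FIELDS:
        if key in fields and not IPV4_RE.match(fields[key]):
            problems.append(f"{key} is not a complete IPv4 address: {fields[key]}")
    return problems


if __name__ == "__main__":
    payload = build_payload(SAMPLE_LOG)
    print(f"{payload_bytes(payload)} bytes on the wire")
    # Constructed limit: drop the last five bytes so the result matches the
    # QRadar screenshot, whose line ended at forwardedfor="103.15
    limit = payload_bytes(payload) - len('.1.1"')
    received = truncate_to_limit(payload, limit)
    print(f"first field hit at limit {limit}: {cut_field(payload, limit)}")
    print("received tail:", received[-40:])
    for problem in truncation_indicators(received):
        print("indicator:", problem)
    print("indicators on the full line:", truncation_indicators(SAMPLE_LOG))
```

Run cut_field() against the longest messages your policies produce (UTM logs with url and agent fields are the usual offenders) before settling on the collector's payload length, and run truncation_indicators() over received events as a standing check: a truncated log fails silently, and a parser that only sees 103.15 will store a wrong address without complaint.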