About VPN EVENT LOG
About a year ago, we encountered VPN access that appeared to be using information from the account list we managed.
There are three types of targeted VPN users based on logs and token reception status via email.
・Email authentication applicable account
・Non-multifactor authentication account
・Deleted account  
For accounts eligible for email authentication, token notification emails were received, but the logs for those users could not be confirmed.
For deleted users, SSL-login-fail logs were recorded.
For users with non-multifactor authentication, only tunnel-down logs due to timeout were recorded.
When checking the normal logs, tunnel-up and tunnel-down are recorded as a pair, but for non-multifactor authentication users, only tunnel-down due to timeout was recorded in the log.
We asked the maintenance vendor about this situation, but they answered that, due to the specifications, a tunnel-down alone is not recorded in the log.
However, the actual declared contents are recorded in the logs, and I am concerned about the logs of this product, so I decided to post it here to see if the logs can be tampered with or if there is anything that records only tunnel-down under certain conditions.
The product is a FortiGate 100E.
The OS I was using at the time was 6.4.13.
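
The pairing check described in the post, as an added example that is not part of the original post and is not Fortinet code: it walks exported VPN event lines, matches each tunnel-down to an earlier tunnel-up for the same user and tunnel ID, and reports tunnel-downs with no matching tunnel-up alongside ssl-login-fail events. The sample lines are constructed, and the key=value field names (`action`, `tunnelid`, `user`, `remip`, `reason`) are assumptions about the export format that should be checked against the device's own logs.

```python
import re

# Constructed sample lines in key=value style; field names and values are
# assumptions for illustration, not taken from the post.
SAMPLE_LOG = '''\
date=2023-05-01 time=09:00:01 type="event" subtype="vpn" action="tunnel-up" tunnelid=101 user="alice" remip=198.51.100.10
date=2023-05-01 time=09:30:00 type="event" subtype="vpn" action="tunnel-down" tunnelid=101 user="alice" remip=198.51.100.10 reason="user logout"
date=2023-05-01 time=10:00:00 type="event" subtype="vpn" action="ssl-login-fail" tunnelid=0 user="olduser" remip=203.0.113.7 reason="unknown user"
date=2023-05-01 time=10:15:00 type="event" subtype="vpn" action="tunnel-down" tunnelid=202 user="bob" remip=203.0.113.7 reason="timeout"
'''

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def find_anomalies(text):
    """Return (orphan tunnel-downs, login failures, tunnels still open)."""
    open_tunnels = set()
    orphan_downs, login_fails = [], []
    for line in text.splitlines():
        rec = parse_line(line)
        action = rec.get("action")
        key = (rec.get("user"), rec.get("tunnelid"))
        if action == "tunnel-up":
            open_tunnels.add(key)
        elif action == "tunnel-down":
            # A tunnel-down whose tunnel-up predates the export window also
            # lands here, so start the export before the period of interest.
            if key in open_tunnels:
                open_tunnels.discard(key)
            else:
                orphan_downs.append(rec)
        elif action == "ssl-login-fail":
            login_fails.append(rec)
    return orphan_downs, login_fails, open_tunnels

def shared_sources(orphan_downs, login_fails):
    """Remote IPs seen in both an orphan tunnel-down and a failed login."""
    return sorted({r.get("remip") for r in orphan_downs}
                  & {r.get("remip") for r in login_fails})

if __name__ == "__main__":
    orphans, fails, still_open = find_anomalies(SAMPLE_LOG)
    for r in orphans:
        print("tunnel-down without tunnel-up:", r.get("user"), r.get("remip"), r.get("reason"))
    print("sources also seen in failed logins:", shared_sources(orphans, fails))
```

Comparing the same time window across the device's local log and any remote syslog or FortiAnalyzer copy shows whether the missing tunnel-up is absent everywhere or only in one store.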
