FortiAnalyzer
sgurminder
Staff
Article Id 414983
Description This article describes how to troubleshoot a FortiAnalyzer log forwarding issue where the syslog format is not compatible with the SIEM tool, causing parsing errors.
Scope FortiAnalyzer-3000F v7.2.9 and earlier in the v7.2.x branch; Log Forwarding (syslog); external systems: SIEM platforms such as LogScale, Splunk, ArcSight.
Solution

Beginning with v7.2.6, forwarded syslog messages include additional backslash (\) escape characters to comply with RFC 5424 formatting.

In some environments running v7.2.9, syslog forwarding may intermittently stop even though the logfwd process continues to appear healthy. Restarting the logfwd process temporarily restores forwarding, but the issue may recur after several days of continuous operation.

This behavior is associated with a known issue (Bug ID 1050063) and is influenced by the syslog format changes introduced in v7.2.6.


Symptoms:

  • Syslog messages from FortiAnalyzer stop being received by external syslog servers or SIEMs.

  • Restarting the logfwd process temporarily restores forwarding.

  • System logs may show entries like:

    Error load start-msgseqno failed on /drive0/private/logfwd/cache/<filename>.cf

  • Running 'diagnose test application logfwd 6' shows the syslog servers as healthy with no error counters, even while forwarding has stopped.

  • Certain SIEM platforms may fail to parse syslog messages containing backslash (\) characters.

Root Cause:

  1. Known issue (Bug ID 1050063): v7.2.9 can experience intermittent log forwarding interruptions, especially when real-time forwarding or log-forward filters are enabled.

  2. Syslog format changes introduced in v7.2.6: additional escape characters (\) were added to comply with RFC 5424. SIEMs expecting the legacy FortiGate-style (fgt) or RFC 3164 format may misinterpret these messages, which produces the parsing errors.

Impact:
Intermittent syslog forwarding can leave gaps in log delivery to SIEM systems, affecting monitoring, alerting, and incident response. The format change can additionally cause compatibility issues with SIEMs that expect the legacy FortiGate-style or RFC 3164 format.


To resolve the log forwarding issue with FortiAnalyzer, follow these steps:

  1. Upgrade FortiAnalyzer to v7.2.10, which resolves the known log forwarding issue (Bug ID 1050063).
  2. Set the forwarded syslog format explicitly to RFC 5424 with the following command in the FortiAnalyzer CLI, and confirm the SIEM is configured to parse that format:

 

config system log-forward
edit <id>
set fwd-syslog-format rfc-5424
next
end

 

Options:

  • fgt – Legacy FortiGate-style syslog format.

  • rfc-5424 – Standards-compliant format (recommended).

 

Verify that the SIEM tool supports the RFC 5424 syslog format. 

Example Syslog Message (RFC 5424 format):

 

syslog.msg == "logver=702111740 timestamp=1750953541 devname=\"fgt-01\" devid=\"FG3K2D3Z012340000\" vd=\"root\" date=2025-06-26 time=15:59:01 eventtime=1750917541612994190 tz=\"+1000\" logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" srcip=10.13.71.3 srcport=58606 srcintf=\"LAN-STA\" dstip=212.123.223.254 dstport=53 dstintf=\"OUT-SVC\" action=\"accept\" policyid=230 policyname=\"INTERZONE DNS clients to RESOLVERS\" proto=17 sentbyte=63 rcvdbyte=124\n"


For example, LogScale supports both syslog formats for FortiGate ingest: BSD syslog (RFC 3164) and IETF syslog (RFC 5424).
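To make the compatibility point from the Root Cause section and the example message above concrete, the following Python example is added here; it is not Fortinet's code and not part of this article. It builds a constructed FortiGate-style key=value payload using the field names from the example message (the nested quotes in policyname and the backslashes in msg are constructed to exercise escaping), wraps it once in an RFC 5424 header and once in a BSD/RFC 3164 header (both header shapes are assumptions, not FortiAnalyzer captures), detects which framing arrived, and parses the payload with a tokenizer that honors backslash escapes, next to the naive quote-delimited regex that many ad-hoc SIEM parsers use and that truncates an escaped value.

```python
import re
from typing import Dict, Tuple

# Constructed sample payload (not captured from a real device). Field names follow
# the example message in this article; the escaped quotes in policyname and the
# backslashes in msg are constructed to exercise the escaping rules.
PAYLOAD = (
    'logver=702111740 devname="fgt-01" devid="FG3K2D3Z012340000" vd="root" '
    'type="traffic" subtype="forward" srcip=10.13.71.3 dstport=53 '
    'policyname="INTERZONE \\"DNS\\" clients to RESOLVERS" '
    'msg="C:\\\\Users\\\\alice" proto=17'
)
# Assumed header shapes for the two framings (not a FortiAnalyzer capture).
SAMPLE_RFC5424 = '<189>1 2025-06-26T15:59:01+10:00 fgt-01 - - - - ' + PAYLOAD
SAMPLE_RFC3164 = '<189>Jun 26 15:59:01 fgt-01 ' + PAYLOAD

RFC5424_START = re.compile(r'^<\d{1,3}>1 ')
# BSD syslog: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG (single-digit day is padded with two spaces)
RFC3164_HDR = re.compile(r'^<\d{1,3}>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \S+ ')
KEY = re.compile(r'[A-Za-z0-9_.-]+')


def split_frame(line: str) -> Tuple[str, str]:
    """Return (framing, payload); framing is 'rfc5424', 'rfc3164' or 'unknown'."""
    if RFC5424_START.match(line):
        # HEADER = PRI+VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD, then MSG
        parts = line.split(' ', 6)
        if len(parts) < 7:
            return 'rfc5424', ''
        rest = parts[6]
        if rest.startswith('-'):          # NILVALUE: no structured data
            return 'rfc5424', rest[1:].lstrip()
        # Skip SD-ELEMENTs; a ']' inside a PARAM-VALUE is escaped as '\]'
        i = 0
        while i < len(rest) and rest[i] == '[':
            i += 1
            while i < len(rest) and rest[i] != ']':
                if rest[i] == '\\':
                    i += 1
                i += 1
            i += 1
        return 'rfc5424', rest[i:].lstrip()
    m = RFC3164_HDR.match(line)
    if m:
        return 'rfc3164', line[m.end():]
    return 'unknown', line


def parse_kv(payload: str) -> Dict[str, str]:
    """Tokenize key=value fields; quoted values may contain backslash-escaped characters."""
    fields: Dict[str, str] = {}
    i, n = 0, len(payload)
    while i < n:
        while i < n and payload[i].isspace():
            i += 1
        if i >= n:
            break
        eq = payload.find('=', i)
        if eq == -1:
            raise ValueError(f'no "=" after offset {i}')
        key = payload[i:eq]
        if not KEY.fullmatch(key):
            raise ValueError(f'malformed key {key!r} at offset {i}')
        i = eq + 1
        if i < n and payload[i] == '"':
            i += 1
            buf = []
            while i < n and payload[i] != '"':
                if payload[i] == '\\' and i + 1 < n:
                    i += 1            # next character is literal, including '"' and '\'
                buf.append(payload[i])
                i += 1
            if i >= n:
                raise ValueError(f'unterminated quoted value for {key!r}')
            i += 1                    # closing quote
            fields[key] = ''.join(buf)
        else:
            j = i
            while j < n and not payload[j].isspace():
                j += 1
            fields[key] = payload[i:j]
            i = j
    return fields


NAIVE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def naive_parse_kv(payload: str) -> Dict[str, str]:
    """Quote-delimited pattern used by many ad-hoc parsers: it stops at the first
    '"' it sees, so an escaped quote inside a value truncates that field."""
    return {k: v.strip('"') for k, v in NAIVE.findall(payload)}


def ingest(line: str) -> Tuple[str, Dict[str, str]]:
    framing, payload = split_frame(line)
    return framing, parse_kv(payload)


if __name__ == '__main__':
    for sample in (SAMPLE_RFC5424, SAMPLE_RFC3164):
        framing, fields = ingest(sample)
        print(framing, fields['devname'], repr(fields['policyname']), repr(fields['msg']))
    print('naive policyname:', repr(naive_parse_kv(PAYLOAD)['policyname']))
```

With the escape-aware tokenizer both framings yield the same fields and policyname comes back as INTERZONE "DNS" clients to RESOLVERS, while the naive regex returns only INTERZONE \ and silently drops the rest of the value. When validating a SIEM parser after switching fwd-syslog-format, feed it a message with an escaped quote and an escaped backslash and confirm it reproduces the original values rather than checking only that the line was accepted.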


Related document:

https://library.humio.com/integrations/integrations-fortinet-fortigate.html
