FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
kwcheng__FTNT
Article Id 394639
Description This article describes the typical circumstances behind the 'Entry Change'.
Scope FortiAuthenticator.
Solution

Event ID 10002 refers to a log entry change event that was performed through the Graphical User Interface (GUI). This indicates that an admin-privileged user manually changed or edited a log entry using the system’s frontend interface, rather than via automated scripts or backend processes. The remote user sync rules, for example, would be logged with ID 30303.


This log entry does not capture any subsequent actions such as adding or removing entries. It serves as a record of user-initiated 'change/edit' actions for auditing and traceability. Note that assigning FortiTokens to local/remote users also falls under the edit/change category.

The system event message(s) will look like the following:

  1. Edited Remote SAML user:

date=2025-06-03 time=20:13:33+0000 oid=8888 logid=10002 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Edit" status="" msg="Edited Remote SAML User: test@fortinet.net (changed fields: first name, last name, email address and display name)" user="admin"

  2. Edited Remote LDAP user:

date=2025-06-03 time=20:13:33+0000 oid=8888 logid=10002 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Edit" status="" msg="Edited Remote LDAP User: test@fortinet.net (changed fields: first name, last name, email address and display name)" user="admin"

  3. Edited Local user:

date=2025-06-03 time=20:13:33+0000 oid=8888 logid=10002 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Edit" status="" msg="Edited Local User: test (changed fields: email address and Restrict GUI)" user="admin"

  4. Edited Local User profile:

date=2025-06-03 time=20:13:33+0000 oid=8888 logid=10002 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Edit" status="" msg="Edited Local User Profile: test (changed fields: country, mobile number, SMS gateway and email recovery)" user=""

  5. Assigning FortiTokens:

date=2025-06-03 time=20:13:33+0000 oid=8888 logid=10002 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Edit" status="" msg="Assigning FortiToken FTKXXXXXXXXXXXXX to local user profile test" user=""

  6. Editing High Availability (HA) settings:

date=2025-06-03 time=20:13:33+0000 oid=8888 logid=10002 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Edit" status="" msg="Edited Setting: ha_hb_lost_threshold (changed fields: value)" user="admin"
date=2025-06-03 time=20:13:33+0000 oid=8888 logid=10002 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Edit" status="" msg="Edited Setting: ha_hb_interval (changed fields: value)" user="admin"
date=2025-06-03 time=20:13:33+0000 oid=8888 logid=10002 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Edit" status="" msg="Edited HA Setting: ha_node_gw_type (changed fields: value)" user="admin"
date=2025-06-03 time=20:13:33+0000 oid=8888 logid=10002 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Edit" status="" msg="Edited HA Setting: ha_maintenance_mode (changed fields: value)" user="admin"

date=2025-06-03 time=20:13:33+0000 oid=8888 logid=10002 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Edit" status="" msg="Edited Secondary Load Balancer : FAC (changed fields: name)" user="fortinetadmin"

date=2025-06-03 time=20:13:33+0000 oid=8888 logid=10002 cat="Event" subcat="Admin Configuration" level="information" nas="" action="Edit" status="" msg="Edited HA Setting: ha_password (changed fields: value)" user="fortinetadmin"

Many other events share the same event ID, 10002. They can be viewed under Logging -> Log Access -> Logs: in Search, enter the event ID '10002'.
More log IDs can be found at Logging -> Log Access -> Log Types.
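
Because so many different changes share logid 10002, exported logs usually need a second pass on the msg field. The following Python is an added example, not part of the original article or of any Fortinet tooling: it parses lines in the key=value format shown above and tags the 10002 events an auditor would typically review first. The tag names, the CONTACT_FIELDS set and the shortened sample lines are assumptions constructed for illustration.

```python
import re

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')
EDIT = re.compile(r'^Edited (?P<kind>[^:]+?)\s*: (?P<name>.+?) \(changed fields: (?P<fields>.+)\)$')
TOKEN = re.compile(r'^Assigning FortiToken (?P<serial>\S+) to (?P<target>.+)$')
# Assumption: fields treated as OTP delivery / recovery channels for triage.
CONTACT_FIELDS = {"email address", "mobile number", "SMS gateway", "email recovery"}

def parse(line):
    """Turn one key=value log line into a dict; quoted values may hold spaces."""
    return {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}

def review(lines):
    """Return (user, tags, msg) for each logid 10002 event matching a triage rule."""
    hits = []
    for line in lines:
        ev = parse(line)
        if ev.get("logid") != "10002":
            continue  # other log IDs (e.g. 30303) are out of scope here
        msg, tags = ev.get("msg", ""), []
        edit = EDIT.match(msg)
        if TOKEN.match(msg):
            tags.append("mfa-token-assigned")
        if edit:
            if edit["name"].startswith("ha_"):
                tags.append("ha-setting:" + edit["name"])
            changed = re.split(r",\s*|\s+and\s+", edit["fields"])
            tags += ["contact-change:" + f for f in changed if f in CONTACT_FIELDS]
        if tags and not ev.get("user"):
            tags.append("no-admin-recorded")  # user="" as in some samples above
        if tags:
            hits.append((ev.get("user", ""), tags, msg))
    return hits

# Constructed sample lines, shortened from the format shown in this article.
LINE = 'date=2025-06-03 time=20:13:33+0000 oid=8888 logid={} cat="Event" action="Edit" msg="{}" user="{}"'
SAMPLE = [LINE.format(*row) for row in [
    ("10002", "Edited Local User: test (changed fields: email address and Restrict GUI)", "admin"),
    ("10002", "Assigning FortiToken FTKXXXXXXXXXXXXX to local user profile test", ""),
    ("10002", "Edited HA Setting: ha_password (changed fields: value)", "fortinetadmin"),
    ("10002", "Edited Secondary Load Balancer : FAC (changed fields: name)", "fortinetadmin"),
    ("30303", "constructed placeholder for a non-10002 event", ""),
]]

if __name__ == "__main__":
    for user, tags, msg in review(SAMPLE):
        print(f"{user or '-':14} {','.join(tags):45} {msg}")
```

Events that match no rule, such as the load balancer rename, are still 10002 entries but are left out of the returned list.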

Related documentation:

FortiAuthenticator Administration Guide, Log Access