Hi Guys,
I'm encountering an odd issue with a FortiGate running v7.2.11. I've configured both syslogd and syslogd2 to send logs to the same SIEM destination IP, but using different facilities (local6 vs local7) and even different protocols.
The goal is to separate traffic logs from threat logs so the SIEM can route them into different tables based on the facility used.
However, as soon as I enable syslogd2, the original syslogd stops sending logs. In fact, it seems like syslogd’s log filter settings start inheriting the facility of syslogd2, and everything (traffic & threat) ends up in the same SIEM table. Once I disable syslogd2, syslogd starts working normally again.
It appears that enabling both at the same time breaks the expected separation, even though FortiGate is supposed to support them operating independently.
I've tried changing the protocol, one on UDP and the other on TCP, but still had issues.
Has anyone else seen this? Could this be an undocumented FortiOS limitation or bug?
Here is my config for reference:
config log syslogd setting
    set status enable
    set server "10.10.10.10"
    set mode udp
    set port 514
    set facility local7
    set source-ip ""
    set format cef
    set priority default
    set max-log-rate 0
    set interface-select-method auto
end
config log syslogd filter
    set severity information
    set anomaly enable
    set voip enable
    set gtp enable
end
config log syslogd2 setting
    set status enable
    set server "10.10.10.10"
    set mode udp
    set port 514
    set facility local6
    set source-ip ""
    set format cef
    set priority default
    set max-log-rate 0
    set interface-select-method auto
end
config log syslogd2 filter
    set severity information
    set forward-traffic enable
    set local-traffic enable
    set multicast-traffic enable
    set sniffer-traffic enable
    set ztna-traffic enable
end
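A receiver-side check for the symptom described in the post, added here as an example and not part of the original post: it decodes the syslog PRI header (facility * 8 + severity) of captured lines and flags log types arriving on the wrong facility. The table names, the sample lines and the assumption that the CEF name field begins with the log type (for example `traffic:forward`) are constructed for illustration.

```python
import re
from collections import Counter

# Syslog PRI = facility * 8 + severity; local6 is facility 22, local7 is 23.
FACILITY_NAMES = {22: "local6", 23: "local7"}
# Intended split from the posted config: syslogd (local7) carries threat logs,
# syslogd2 (local6) carries traffic logs. Table names are hypothetical.
EXPECTED_TABLE = {"local7": "threat", "local6": "traffic"}

PRI_RE = re.compile(r"^<(\d{1,3})>")
# Assumption: the CEF name field (5th field after "CEF:n|") starts with the log type.
CEF_RE = re.compile(r"CEF:\d+\|(?:[^|]*\|){4}([^|:]+)")

def decode(line):
    """Return (facility_name, severity, log_type), or None without a PRI header."""
    m = PRI_RE.match(line)
    if not m:
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    cef = CEF_RE.search(line)
    log_type = cef.group(1).strip().lower() if cef else "unknown"
    return FACILITY_NAMES.get(facility, f"facility{facility}"), severity, log_type

def audit(lines):
    """Tally (facility, log_type) pairs and collect pairs on the wrong facility."""
    tally, misrouted = Counter(), []
    for line in lines:
        decoded = decode(line)
        if decoded is None:
            continue
        facility, _, log_type = decoded
        tally[(facility, log_type)] += 1
        if log_type == "unknown":
            continue
        want = "traffic" if log_type == "traffic" else "threat"
        if EXPECTED_TABLE.get(facility) != want:
            misrouted.append((facility, log_type))
    return tally, misrouted

# Constructed sample lines (not real device output); signature IDs are placeholders.
SAMPLE = [
    "<181>Jan 01 00:00:00 fgt-example CEF:0|Fortinet|Fortigate|v7.2.11|00000|traffic:forward accept|3|src=192.0.2.10",
    "<189>Jan 01 00:00:01 fgt-example CEF:0|Fortinet|Fortigate|v7.2.11|00000|anomaly:anomaly clear_session|7|src=192.0.2.20",
    "<181>Jan 01 00:00:02 fgt-example CEF:0|Fortinet|Fortigate|v7.2.11|00000|anomaly:anomaly clear_session|7|src=192.0.2.20",
]

if __name__ == "__main__":
    counts, wrong = audit(SAMPLE)
    print(dict(counts), wrong)
```

Feeding it lines captured on the SIEM host with only syslogd enabled, then with both enabled, shows whether the facility really changes on the wire or the lines are being merged at the receiver.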