FortiGate
nevan
Staff
Article Id 408432
Description This article describes the behavior of FortiGate adding the prefix 'FTNTFGT' to log field names when sending logs to a syslog server in 'cef' format. This behavior is observed specifically on the Azure platform of FortiGate-VM.
Scope FortiGate-VM on Azure.
Solution

FortiGate can send logs to a syslog server in 'cef' format. The configuration is done from the CLI under 'config log syslog setting', as described in the article Technical Note: FortiGate Logs can be sent to syslog servers in Common Event Format.

When a FortiGate-VM on the Azure platform sends logs to the syslog server, an additional prefix 'FTNTFGT' can be observed in front of the vendor-specific log fields (e.g., FTNTFGTutmaction, FTNTFGTpolicyid, etc.). Standard CEF keys such as src, dst, act and app are not prefixed. Some FortiGate fields are also renamed when sent in CEF format; the mapping can be found in the document Traffic log support for CEF.

Example log:


Aug 26 10:04:07 adminlab CEF: 0|Fortinet|Fortigate|v7.4.8|00013|traffic:forward close|3|deviceExternalId=FGVM4VTMxxxxxx FTNTFGTeventtime=1756191456786479808 FTNTFGTtz=+0300 FTNTFGTlogid=0000000013 cat=traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=notice FTNTFGTvd=root src=10.230.152.196 spt=55680 deviceInboundInterface=port2 FTNTFGTsrcintfrole=undefined dst=60.115.98.89 dpt=443 deviceOutboundInterface=port1 FTNTFGTdstintfrole=undefined FTNTFGTsrccountry=Reserved FTNTFGTdstinetsvc=Microsoft-Azure FTNTFGTdstcountry=Slovakia FTNTFGTdstregion=EAST FTNTFGTdstreputation=4 externalId=16749651 proto=6 act=close FTNTFGTpolicyid=54 FTNTFGTpolicytype=policy FTNTFGTpoluuid=9c12de76-6945-51f0-7854-44fa94fd9ebb FTNTFGTpolicyname=TestPolicy app=Microsoft-Azure FTNTFGTtrandisp=snat sourceTranslatedAddress=10.10.80.56 sourceTranslatedPort=58120 FTNTFGTappid=34654 FTNTFGTapp=Microsoft.Azure FTNTFGTappcat=Cloud.IT FTNTFGTapprisk=medium FTNTFGTapplist=block-high-risk FTNTFGTduration=1 FTNTFGTsentpkt=10 FTNTFGTrcvdpkt=10 FTNTFGTutmaction=allow FTNTFGTcountapp=1


On some units, the prefix can also be observed as 'FortinetFortiGate' instead of 'FTNTFGT'. Both prefixes are hardcoded and cannot be changed through the CLI, so any parser on the syslog or SIEM side has to accept either variant.
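To show how these prefixed keys are handled on the receiving side, here is an added Python example; it is not from the article or from Fortinet's own tooling. It splits a syslog line into the CEF header and extension, separates the keys carrying the 'FTNTFGT' or 'FortinetFortiGate' prefix from the standard CEF keys so both prefix variants land on the same field names, and keeps the two groups in separate namespaces because FortiGate emits both app= and FTNTFGTapp= with different values, so naively stripping the prefix would overwrite the standard key. The first sample line is taken from the article's example (shortened); the second sample line, the 'fgt.' namespace used when flattening and the assumption that only these two prefixes occur are illustrative.

```python
import re
from typing import Dict

# Vendor prefixes the article reports on Azure FortiGate-VM units. Assumption:
# these are the only two variants; extend the tuple if another one appears.
VENDOR_PREFIXES = ("FortinetFortiGate", "FTNTFGT")

# CEF header layout: CEF:Version|Device Vendor|Device Product|Device Version|
# Signature ID|Name|Severity|Extension. Header fields escape '|' as '\|'.
HEADER_NAMES = ("version", "vendor", "product", "device_version",
                "signature_id", "name", "severity")
UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")

# In the extension a key is a run of [A-Za-z0-9_] followed by '=' that sits at
# the start of the extension or after whitespace; values may contain spaces.
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")

# CEF escapes used inside values and header fields.
ESCAPE = re.compile(r"\\([=\\nr|])")
_ESC_MAP = {"=": "=", "\\": "\\", "n": "\n", "r": "\r", "|": "|"}


def _unescape(value: str) -> str:
    """Undo the CEF escapes \\= \\\\ \\n \\r and \\| in a field value."""
    return ESCAPE.sub(lambda m: _ESC_MAP[m.group(1)], value)


def parse_extension(ext: str) -> Dict[str, str]:
    """Split 'k1=v1 k2=v 2 k3=v3' into a dict, keeping spaces inside values."""
    keys = list(EXT_KEY.finditer(ext))
    fields: Dict[str, str] = {}
    for i, m in enumerate(keys):
        start = m.end()
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape(ext[start:end].strip())
    return fields


def parse_cef(line: str) -> dict:
    """Parse one syslog line carrying a CEF record.

    Returns {"syslog_prefix", "header", "cef", "fortigate"}: "cef" holds the
    standard CEF keys untouched, "fortigate" holds the vendor keys with their
    FTNTFGT / FortinetFortiGate prefix removed. They are kept apart on purpose:
    FortiGate sends both app=... and FTNTFGTapp=..., so merging them into one
    namespace would silently overwrite the standard key.
    """
    marker = line.find("CEF:")
    if marker < 0:
        raise ValueError("no CEF record in line")
    syslog_prefix = line[:marker].strip()
    parts = UNESCAPED_PIPE.split(line[marker + len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header: expected 7 unescaped pipes")
    header = {n: _unescape(p.strip()) for n, p in zip(HEADER_NAMES, parts[:7])}
    standard: Dict[str, str] = {}
    vendor: Dict[str, str] = {}
    for key, value in parse_extension(parts[7]).items():
        for prefix in VENDOR_PREFIXES:
            if key.startswith(prefix) and len(key) > len(prefix):
                vendor[key[len(prefix):]] = value
                break
        else:
            standard[key] = value
    return {"syslog_prefix": syslog_prefix, "header": header,
            "cef": standard, "fortigate": vendor}


def flatten(record: dict, vendor_ns: str = "fgt.") -> Dict[str, str]:
    """One flat dict for a SIEM: standard keys as-is, vendor keys under
    vendor_ns, so both prefix variants map to identical field names."""
    flat = dict(record["cef"])
    flat.update({vendor_ns + k: v for k, v in record["fortigate"].items()})
    return flat


# Sample 1: the article's Azure FortiGate-VM line, shortened to the fields used
# here. Sample 2: constructed to show the 'FortinetFortiGate' variant, a policy
# name containing a space and an escaped '=' inside a value.
SAMPLE_FTNTFGT = (
    "Aug 26 10:04:07 adminlab CEF: 0|Fortinet|Fortigate|v7.4.8|00013|"
    "traffic:forward close|3|deviceExternalId=FGVM4VTMxxxxxx "
    "FTNTFGTeventtime=1756191456786479808 FTNTFGTtz=+0300 "
    "FTNTFGTlogid=0000000013 cat=traffic:forward FTNTFGTsubtype=forward "
    "src=10.230.152.196 spt=55680 dst=60.115.98.89 dpt=443 proto=6 act=close "
    "FTNTFGTpolicyid=54 FTNTFGTpolicyname=TestPolicy app=Microsoft-Azure "
    "FTNTFGTappid=34654 FTNTFGTapp=Microsoft.Azure FTNTFGTutmaction=allow"
)
SAMPLE_FORTINETFORTIGATE = (
    "Aug 26 10:05:12 adminlab CEF: 0|Fortinet|Fortigate|v7.4.8|00013|"
    "traffic:forward close|3|deviceExternalId=FGVM4VTMyyyyyy "
    "FortinetFortiGatepolicyid=7 FortinetFortiGatepolicyname=Guest Wifi "
    "src=10.0.0.5 spt=41000 dst=203.0.113.9 dpt=443 proto=6 act=close "
    "FortinetFortiGateutmaction=allow msg=rule\\=guest"
)

if __name__ == "__main__":
    for sample in (SAMPLE_FTNTFGT, SAMPLE_FORTINETFORTIGATE):
        rec = parse_cef(sample)
        print(rec["header"]["name"], flatten(rec))
```

The split into "cef" and "fortigate" is the important design choice: a SIEM mapping that simply strips the prefix would lose either app=Microsoft-Azure or FTNTFGTapp=Microsoft.Azure, and a mapping keyed on the literal 'FTNTFGT' prefix would silently drop every field from a unit that uses 'FortinetFortiGate'.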
