parteeksharma
Article Id 424023
Description This article describes how to configure subnet-based syslog filtering on FortiGate devices, allowing users to filter traffic logs based on specific source or destination IP addresses. 
Scope FortiGate.
Solution

To configure subnet-based syslog filtering on FortiGate, follow the steps below:

Configure the syslog server using CLI:

config log syslogd setting
    set status enable
    set server 'x.x.x.x'    <----- Syslog server IP address.
    set mode udp
    set port 514
end

Configure the subnet-based filter using CLI:


config log syslogd filter
    config free-style
        edit 1
            set category traffic
            set filter '(srcip 8.8.8.0-8.8.8.254) or (dstip 8.8.8.0-8.8.8.254)'
            set filter-type include
        next
    end
end

Capturing the syslog traffic leaving the firewall shows that only logs matching the configured filter are forwarded to the syslog server:

Once the logs arrive at the syslog server, their source and destination IP addresses can be checked to confirm that the received logs match the filter configured on the firewall:

A free-style expression combines field tests (such as srcip, dstip and dstport) using parentheses and the and/or operators. For example:

"srcip 172.16.1.1"
"(srcip 172.16.1.1) or (dstip 172.16.1.2)"
"(srcip 172.16.1.1) and (dstip 172.16.1.2)"
"((srcip 172.16.1.1) or (dstip 172.16.1.2)) and (dstport 80 443 50-60)"

Note: To forward logs for a specific subnet, the entire address range of that subnet must be defined in the filter.


This configuration forwards traffic logs whose source or destination IP address falls within the 8.8.8.0/24 subnet to the configured syslog server.
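As an added example that is not part of the Fortinet article, the following Python script evaluates the free-style filter grammar shown above (field tests combined with parentheses, and, and or) against a few constructed traffic-log records, so a filter can be sanity-checked before it is applied and received logs can be verified after forwarding. The field names srcip, dstip and dstport and the hyphenated-range syntax are taken from the article; the parser, the srcport field, the and-over-or precedence and the sample records are assumptions and not FortiGate's own implementation. The range_covers_network helper illustrates the note about defining the whole subnet: the article's range 8.8.8.0-8.8.8.254 leaves 8.8.8.255 uncovered.

```python
# Added example, not from the Fortinet article: a small evaluator for the
# free-style filter grammar shown above, used to check which traffic-log
# records a filter would forward. Field names (srcip, dstip, dstport) and
# the 'a-b' range syntax come from the article; the parser itself is an
# assumption and not FortiGate's own implementation.
import ipaddress
import re

# Tokens: parentheses, the keywords and/or, field names, and numeric values
# (a single IP/port or an inclusive 'a-b' range).
TOKEN_RE = re.compile(r"\(|\)|\b(?:and|or)\b|[A-Za-z_]+|[0-9][0-9.\-]*")
IP_FIELDS = {"srcip", "dstip"}
PORT_FIELDS = {"srcport", "dstport"}  # srcport assumed by analogy with dstport


def _parse_range(value, kind):
    """Turn 'x' or 'x-y' into an inclusive (lo, hi) pair of integers."""
    lo, _, hi = value.partition("-")
    hi = hi or lo
    if kind == "ip":
        return int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
    return int(lo), int(hi)


class FilterParser:
    """Recursive descent: expr := term ('or' term)*; term := factor ('and' factor)*;
    factor := '(' expr ')' | field value+. 'and' binding tighter than 'or' is an
    assumption; the article's examples use explicit parentheses anyway."""

    def __init__(self, text):
        self.tokens = TOKEN_RE.findall(text)
        self.pos = 0

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self._expr()
        if self._peek() is not None:
            raise ValueError(f"unexpected token {self._peek()!r}")
        return node

    def _expr(self):
        node = self._term()
        while self._peek() == "or":
            self._take()
            node = ("or", node, self._term())
        return node

    def _term(self):
        node = self._factor()
        while self._peek() == "and":
            self._take()
            node = ("and", node, self._factor())
        return node

    def _factor(self):
        tok = self._take()
        if tok == "(":
            node = self._expr()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok in IP_FIELDS or tok in PORT_FIELDS:
            kind = "ip" if tok in IP_FIELDS else "port"
            values = []
            # A field may list several values; each is a single value or a range.
            while self._peek() is not None and self._peek()[0].isdigit():
                values.append(_parse_range(self._take(), kind))
            if not values:
                raise ValueError(f"field {tok} has no values")
            return ("test", tok, kind, values)
        raise ValueError(f"unexpected token {tok!r}")


def evaluate(node, record):
    """True if the parsed filter matches one log record (a dict of fields)."""
    if node[0] == "or":
        return evaluate(node[1], record) or evaluate(node[2], record)
    if node[0] == "and":
        return evaluate(node[1], record) and evaluate(node[2], record)
    _, field, kind, values = node
    if field not in record:
        return False
    raw = record[field]
    actual = int(ipaddress.ip_address(raw)) if kind == "ip" else int(raw)
    # A field test with several values matches if any one of them matches.
    return any(lo <= actual <= hi for lo, hi in values)


def forwarded(filter_text, records):
    """Return the records an include-type filter would send to syslog."""
    node = FilterParser(filter_text).parse()
    return [r for r in records if evaluate(node, r)]


def range_covers_network(range_value, network):
    """Check the note about defining the whole subnet: return the addresses
    of `network` (CIDR) that the 'a-b' range leaves uncovered."""
    lo, hi = _parse_range(range_value, "ip")
    net = ipaddress.ip_network(network, strict=False)
    return [str(a) for a in net if not lo <= int(a) <= hi]


# Constructed sample traffic-log records, not captures from a real device.
SAMPLE_LOGS = [
    {"srcip": "10.0.0.5", "dstip": "8.8.8.8", "dstport": 53},
    {"srcip": "8.8.8.254", "dstip": "10.0.0.7", "dstport": 443},
    {"srcip": "8.8.8.255", "dstip": "10.0.0.7", "dstport": 443},
    {"srcip": "10.0.0.5", "dstip": "1.1.1.1", "dstport": 53},
    {"srcip": "172.16.1.1", "dstip": "172.16.1.2", "dstport": 55},
]
ARTICLE_FILTER = "(srcip 8.8.8.0-8.8.8.254) or (dstip 8.8.8.0-8.8.8.254)"
```

Running forwarded(ARTICLE_FILTER, SAMPLE_LOGS) returns only the records with dstip 8.8.8.8 and srcip 8.8.8.254; the record from 8.8.8.255 is dropped because the range stops at .254, which range_covers_network("8.8.8.0-8.8.8.254", "8.8.8.0/24") reports by returning ["8.8.8.255"]. When verifying logs on the receiving syslog server, the same evaluate() call can be run over the parsed records to flag anything that should not have been forwarded.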