When a user successfully login to device, FortiGate will generate logid="0100032001" and assign specific Serial Number for the login attempt.

date=2025-03-21 time=00:41:47 eventtime=1742542907554349462 tz="-0700" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1742542907" user="admin" ui="https(10.32.98.8)" method="https" srcip=10.32.98.8 dstip=10.40.19.6 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(10.32.98.8)"

When the successfully logged-in admin user logs out of the device or user activity is terminated, FortiGate will generate a log for the administrator logged out, but the log ID will differ due to the reason for the logout; however, the serial number remains the same as the login event.

logID for Administrator admin logged out is 32003
logID for Administrator admin was disconnected from https is 32561
logID for Administrator admin timed out on https is 32003

date=2025-03-21 time=00:50:35 eventtime=1742543435856179705 tz="-0700" logid="0100032003" type="event" subtype="system" level="information" vd="root" logdesc="Admin logout successful" sn="1742542907" user="admin" ui="https(10.32.98.8)" method="https" srcip=10.32.98.8 dstip=10.40.19.6 action="logout" status="success" duration=528 reason="timeout" msg="Administrator admin timed out on https(10.32.98.8)"

To track when a successfully logged-in user logs out, a log is generated; serial number can be used as the filter to track admin login and logout log.