FortiGate
skrymi
Staff
Article Id 360538
Description This article describes the impacts on the Security Fabric Topology when 'set configuration-sync' is set to local.
Scope FortiGate, FortiAnalyzer, FortiManager.
Solution

In a network topology with a centralized FortiGate (the root FortiGate) and downstream FortiGates, all managed by FortiManager, the policy logging icon showing 'all' is by design when Security Fabric is enabled.

If logging management needs to be centralized through FortiManager, the following setting achieves this:

config system csf
    set configuration-sync local
end

Below are the impacts on Security Fabric devices when "set configuration-sync local" is configured on the downstream device:

  • All traffic passing through a FortiGate firewall policy will be logged, regardless of whether logging is enabled in the policy configuration.
  • The policies will reflect the logging changes pushed from FortiManager.
  • The connection between the downstream FortiGate, FortiAnalyzer and FortiManager will remain established, and the downstream FortiGate can still be managed by FortiManager.
  • The synchronized Fabric objects are kept as locally created objects on the downstream FortiGate.
  • On FortiAnalyzer, the logs from the downstream device will continue to be saved.

On the downstream FortiGate:

SNAP1.png

On the FortiAnalyzer, the connection is UP and the logs are stored:

SNAP2.png

SNAP3.png

On FortiManager, the downstream device is UP and can still be managed:

Snap4.png