FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
AnthonyH
Staff
Article Id 383217
Description This article describes a known issue when importing raw FortiGate Cloud logs exported with the 'log.gz' extension into FortiAnalyzer Cloud, where the import fails with the error 'Invalid Log File' or 'Internal Error'.
Scope FortiGate Cloud, FortiAnalyzer Cloud.
Solution

The issue:

Downloading raw logs requires a FortiGate Cloud subscription. The export is available under https://login.forticloud.com -> Services -> FortiGate Cloud -> Analytics -> Raw logs.

The log types that can be exported in the 'log.gz' format are listed there.

For example: FGVM01XXXXXXXXX_tlog_20250317-1549-20250320-0757.log.gz

A tlog (traffic log) file contains lines like the following:

 

date=2025-03-19 time=13:17:58 eventtime=1742404677400430149 tz="-0400" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=X.X.X.X srcport=65436 srcintf="LAN" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" srccountry="Reserved" dstinetsvc="Google-DNS" dstcountry="United States" dstregion="California" dstcity="Mountain View" dstreputation=5 sessionid=8268497 proto=17 action="accept" policyid=1 policytype="policy" poluuid="ac47435a-3c92-51ee-4ce4-3ab6abb2b65a" policyname="INTERNET-VLAN" service="Google-DNS" trandisp="snat" transip=X.X.X.X transport=65436 appcat="unscanned" duration=181 sentbyte=56 rcvdbyte=132 sentpkt=1 rcvdpkt=1 vwlid=0 srchwvendor="MSI" devtype="Router" osname="Unknown" mastersrcmac="XX:XX:XX:XX:XX:XX" srcmac="XX:XX:XX:XX:XX:XX" srcserver=0

 

Now, when importing the log.gz file into FortiAnalyzer Cloud under https://login.forticloud.com -> Services -> FortiAnalyzer Cloud -> Log View -> Log Browse -> Import, one of the following errors may be observed:

Internal_error.PNG

Invalid_log_file.PNG

The cause is that the logs exported from FortiGate Cloud do not contain the 'devid' and 'itime' fields that FortiAnalyzer expects in each log line. In addition, the file name must follow the naming scheme devid.<t>log.log/txt/csv (for the traffic log above, for example, FGVM01XXXXXXXXX.tlog.log).

 

The workaround:

  1. Export the logs from FortiGate Cloud.
  2. Extract the file and modify the contents to add 'devid' and 'itime' to each log line.
  • On Windows, 7-Zip can be used to extract the file.

Text_file.png

  3. Save the file with the following name format: devid.<t>log.log/txt/csv
  4. Import it into FortiAnalyzer Cloud using 'Taken From Imported File', so the device ID is read from the 'devid' field in the file.

import_log_file_success.PNG
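The hand edit in steps 2 and 3 becomes tedious for a multi-day export, so it can be scripted. The following is an added example (not Fortinet tooling and not part of the original article) that reads the exported .log.gz, prepends itime= and inserts devid="..." after tz= on every line, and writes the result as devid.<t>log.log. Assumptions that are not stated by the article: itime is a Unix timestamp in seconds, taken from eventtime (nanoseconds) when present or otherwise from date/time/tz; field placement is arbitrary because FortiAnalyzer parses key=value pairs by name; the export name pattern devid_<t>log_<range>.log.gz is inferred from the single example file name above; the sample lines are constructed, abridged from the sanitized tlog line shown earlier.

```python
#!/usr/bin/env python3
"""Convert a raw FortiGate Cloud export (devid_<t>log_<range>.log.gz) into the
shape FortiAnalyzer Cloud imports: every line gets 'itime' and 'devid', and the
output is named devid.<t>log.log. Added example, not Fortinet's own tooling."""
import gzip
import re
import tempfile
from datetime import datetime
from pathlib import Path

# key=value tokens; quoted values may contain spaces (e.g. dstcity="Mountain View")
TOKEN_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
# FGVM01XXXXXXXXX_tlog_20250317-1549-20250320-0757.log.gz -> devid, log type
# (assumption: inferred from the one example name in the article)
NAME_RE = re.compile(r"^([A-Za-z0-9]+)_([a-z]+log)_")

# Constructed sample lines, abridged from the sanitized tlog line in the article.
# The second one deliberately lacks 'eventtime' to exercise the date/time/tz fallback.
SAMPLE_LINES = [
    'date=2025-03-19 time=13:17:58 eventtime=1742404677400430149 tz="-0400" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=X.X.X.X srcport=65436 srcintf="LAN" dstip=8.8.8.8 dstport=53 '
    'dstcity="Mountain View" sessionid=8268497 proto=17 action="accept" policyid=1',
    'date=2025-03-19 time=13:17:58 tz="-0400" logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=X.X.X.X dstip=8.8.8.8 '
    'dstport=53 proto=17 action="accept" policyid=1',
]


def output_name(exported_name: str) -> tuple[str, str, str]:
    """Derive (devid, logtype, 'devid.<t>log.log') from the FortiGate Cloud file name."""
    m = NAME_RE.match(Path(exported_name).name)
    if not m:
        raise ValueError(f"unexpected FortiGate Cloud export name: {exported_name}")
    devid, logtype = m.group(1), m.group(2)
    return devid, logtype, f"{devid}.{logtype}.log"


def itime_from_fields(fields: dict) -> int:
    """Epoch seconds for 'itime'. Assumption: itime is a Unix timestamp in seconds;
    use 'eventtime' (nanoseconds) when present, else date/time/tz, which the
    FortiGate writes as local time plus a UTC offset such as "-0400"."""
    if "eventtime" in fields:
        return int(fields["eventtime"]) // 10**9
    tz = fields["tz"].strip('"')
    stamp = f"{fields['date']} {fields['time']} {tz}"
    return int(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S %z").timestamp())


def add_faz_fields(line: str, devid: str) -> str:
    """Return the line with itime= prepended and devid="..." inserted after tz=.
    Placement is an assumption; key=value logs are parsed by field name.
    Idempotent: a line already carrying both fields is returned unchanged."""
    line = line.rstrip("\r\n")
    if not line.strip():
        return line
    tokens = TOKEN_RE.findall(line)
    fields = dict(tokens)
    if "devid" in fields and "itime" in fields:
        return line
    devid_token = ("devid", f'"{devid}"')
    out = [("itime", str(itime_from_fields(fields)))]
    placed = False
    for key, value in tokens:
        if key in ("itime", "devid"):
            continue  # drop a partial or stale copy so we never emit duplicates
        out.append((key, value))
        if key == "tz":
            out.append(devid_token)
            placed = True
    if not placed:  # no tz field on this line: append devid at the end
        out.append(devid_token)
    return " ".join(f"{k}={v}" for k, v in out)


def convert_export(src_gz: Path, out_dir: Path) -> Path:
    """Stream the .log.gz export and write devid.<t>log.log into out_dir."""
    devid, _logtype, name = output_name(src_gz.name)
    dst = out_dir / name
    with gzip.open(src_gz, "rt", encoding="utf-8", errors="replace") as fin, \
            dst.open("w", encoding="utf-8") as fout:
        for raw in fin:
            if raw.strip():
                fout.write(add_faz_fields(raw, devid) + "\n")
    return dst


def demo_convert(lines=SAMPLE_LINES) -> tuple[str, list[str]]:
    """Build a constructed export in a temp dir, convert it, return (name, lines)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "FGVM01XXXXXXXXX_tlog_20250317-1549-20250320-0757.log.gz"
        with gzip.open(src, "wt", encoding="utf-8") as gz:
            gz.write("\n".join(lines) + "\n")
        dst = convert_export(src, Path(tmp))
        return dst.name, dst.read_text(encoding="utf-8").splitlines()


if __name__ == "__main__":
    name, converted = demo_convert()
    print(f"wrote {name}")
    for entry in converted:
        print(entry)
```

Run it against the real export by calling convert_export(Path("FGVM01XXXXXXXXX_tlog_....log.gz"), Path(".")), then upload the produced devid.tlog.log with 'Taken From Imported File'. Before importing, open the output and confirm the first line starts with itime= and carries devid= with the serial from the file name; if the import still reports 'Invalid Log File', the file name, not the content, is the usual culprit.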