FortiArt
Staff
Article Id 339137
Description This article describes why 'Unknown user' is seen in FortiOS 7.2.x when remote users connect to a dial-up VPN tunnel using FortiClient.
Scope FortiOS 7.2.x.
Solution

In FortiOS 7.2.x, when a dial-up IPsec VPN tunnel is configured for remote users to connect using FortiClient, endpoint event logs may show two extra log IDs compared to newer firmware versions such as FortiOS 7.4.x.

 

For each successful dial-up VPN connect/disconnect, in addition to the two informational-level log IDs 'Add (0107045057)' and 'Close (0107045058)', there are two other warning-level log IDs with UNKNOWN users: log ID 0107045124 appears along with the Add log, and log ID 0107045125 appears along with the Close log. Refer to Log & Report -> System Events -> Endpoint Events as follows:

 

[Screenshot: endpoint-events.PNG]

 

The Add and Close logs give more information about the user and the host machine initiating dial-up VPN connects or disconnects. The other two logs with the UNKNOWN user provide extra information about the overlay tunnel setting itself. This is intended behavior and included by design.
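
For log triage, the pairing described above can be checked mechanically so that the warning-level UNKNOWN entries are labelled as expected rather than alerted on. The following is an added example, not Fortinet code: the log IDs come from this article, while the key=value field layout (`date`, `time`, `logid`, `level`, `user`), the 5-second pairing window and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Log IDs taken from the article.
ADD, CLOSE = "0107045057", "0107045058"
# Warning-level ID -> the informational log it accompanies.
COMPANION = {"0107045124": ADD, "0107045125": CLOSE}

KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse(line):
    """Split one key=value log line into a dict, stripping quotes."""
    fields = {k: (inner if raw.startswith('"') else raw)
              for k, raw, inner in KV.findall(line)}
    fields["ts"] = datetime.strptime(
        fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields

def classify(lines, window=timedelta(seconds=5)):
    """Return one (logid, user, verdict) tuple per log line."""
    events = [parse(l) for l in lines]
    results = []
    for e in events:
        lid, user = e.get("logid"), e.get("user", "")
        if lid in (ADD, CLOSE):
            verdict = "session"
        elif lid in COMPANION and user.upper() == "UNKNOWN":
            # Expected only when the matching Add/Close sits close in time
            # (the window is an assumption, not a documented value).
            paired = any(o.get("logid") == COMPANION[lid]
                         and abs(o["ts"] - e["ts"]) <= window for o in events)
            verdict = "expected-companion" if paired else "unpaired"
        else:
            verdict = "other"
        results.append((lid, user, verdict))
    return results

# Constructed sample lines (not real device output).
BASE = 'type="event" subtype="endpoint"'
SAMPLE = [
    f'date=2024-05-01 time=10:00:00 logid="0107045057" {BASE} level="information" user="alice"',
    f'date=2024-05-01 time=10:00:00 logid="0107045124" {BASE} level="warning" user="UNKNOWN"',
    f'date=2024-05-01 time=11:30:02 logid="0107045058" {BASE} level="information" user="alice"',
    f'date=2024-05-01 time=11:30:02 logid="0107045125" {BASE} level="warning" user="UNKNOWN"',
    f'date=2024-05-01 time=13:00:00 logid="0107045125" {BASE} level="warning" user="UNKNOWN"',
]

if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(row)
```

The last sample line has no Close log near it, so it is labelled `unpaired` instead of being folded into the by-design case.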