FortiGate
bmedikonda
Staff
Article Id 392123
Description This article explains how to resolve an issue where multiple syslog payloads from FortiGate are merged into a single payload when logs are sent to a syslog server in reliable (TCP) mode.
Scope FortiGate.
Solution

When syslog is configured in reliable mode, FortiGate sends logs over TCP. TCP is a byte stream with no built-in message boundaries, so several syslog messages can arrive in a single read on the receiver. Some SIEM systems, such as IBM QRadar, then merge those payloads into one event if their parser does not correctly handle the message boundaries (the newline or length-prefix framing between messages).

To resolve this behavior, switch the syslog transmission mode from reliable (TCP) to UDP. With UDP each log is sent as a discrete datagram, so the server receives and processes every message individually.

Use the following CLI commands on the FortiGate to change the syslog mode:


config log syslogd setting
    set mode udp
end


After this change, FortiGate sends each syslog message as a separate UDP datagram (UDP is also the default syslog mode), so the receiver no longer merges multiple payloads into a single entry.
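The merging described above, as an added example that is not part of this article: two constructed FortiGate-style log lines travel over one TCP connection and land in a single read. A receiver that treats each read as one event merges them, a receiver that splits on syslog message boundaries (trailing newline or RFC 6587 octet-count framing) recovers both, and with UDP each datagram is already one message. The devname and field values are constructed placeholders, not taken from a real device.

```python
# Added example (not Fortinet's code). Two constructed FortiGate-style syslog
# lines are sent over one TCP connection; a single recv() may return both,
# and the receiver must split them on message boundaries (RFC 6587 framing).
SAMPLE_LOGS = [  # constructed sample log lines; devname is a placeholder
    '<189>date=2024-01-01 time=12:00:00 devname="FGT-LAB" type="traffic" action="accept"',
    '<189>date=2024-01-01 time=12:00:01 devname="FGT-LAB" type="traffic" action="deny"',
]


def tcp_stream(messages, framing="lf"):
    """Bytes as they sit in the TCP stream. 'lf' = non-transparent framing
    (each message ends with a newline); 'octet' = octet counting ('<len> <msg>')."""
    out = b""
    for m in messages:
        raw = m.encode()
        out += raw + b"\n" if framing == "lf" else f"{len(raw)} ".encode() + raw
    return out


def naive_receiver(chunk):
    """Receiver that treats every TCP read as one event: payloads get merged."""
    return [chunk.decode().rstrip("\n")]


def framed_receiver(buffer):
    """Split a TCP byte stream into syslog messages; returns (events, leftover).
    Leftover is an incomplete trailing message to prepend to the next read."""
    events = []
    while buffer:
        if buffer[:1].isdigit():  # octet counting: length prefix, then the message
            sep = buffer.find(b" ")
            if sep == -1:
                break
            length, start = int(buffer[:sep]), sep + 1
            if len(buffer) < start + length:
                break  # wait for the rest of this message
            events.append(buffer[start:start + length].decode())
            buffer = buffer[start + length:]
        else:  # non-transparent framing: message starts with '<' and ends at LF
            nl = buffer.find(b"\n")
            if nl == -1:
                break
            events.append(buffer[:nl].decode())
            buffer = buffer[nl + 1:]
    return events, buffer


def udp_receiver(datagrams):
    """After 'set mode udp' each datagram is one message; no splitting needed."""
    return [d.decode() for d in datagrams]
```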


Note:

Ensure that the receiving system (for example, QRadar) is configured to accept and correctly parse syslog over UDP. Unlike reliable mode, UDP provides no delivery acknowledgement, so datagrams dropped in transit are not retransmitted; confirm on the receiver that events continue to arrive at the expected rate after switching.


For more information about syslog configuration, refer to this KB article: Technical Tip: How to configure syslog on FortiGate.