Hello team,
Although policy assignment is made in the Windows logs we receive with the Windows agent, the logs come as ‘unknown’. Has anyone encountered this situation before? We could not solve the problem by adding a device-specific parser.
Can you give a sanitized example of an Unknown event?
Please share the unknown event types and the version of your FortiSIEM, Collector and Agent.
Thanks, so can you provide:
1) Sanitized Sample of an Unknown Event
2) FortiSIEM Version and Agent Version.
Created on 06-27-2025 06:49 AM Edited on 06-27-2025 06:50 AM
Hi @cdurkin_FTNT @Himanshu735,
Log example for FSM-WUA-WinLog-Security logs from Windows.
Sample: 2025-06-26T13:03:19Z fsrv01.internal.example.com 172.10.24.20 FSM-WUA-WinLog-Security [phCustId]="9999" [customer]="ExampleCorp-Datacenter" [monitorStatus]="Success" [Locale]="tr-TR" [MachineGuid]="f1a2b3c4-d5e6-7890-ab12-3456789cdef0" [timeZone]="+0300" [extEventRecvProto]="Windows Agent" [level]="Information" [xml]=4658001281200x802000000000000023181031Securityfsrv01.internal.example.comS-1-5-18fsrv01$EXAMPLECORP0x3e7Security0x4380xd50C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe
I would suggest a TAC ticket for this one.
It's very strange that the [xml] portion of your Windows message does not actually contain any XML!
This is an example of what a Windows Agent message would look like:
2025-06-27T14:16:32Z Win2022DC.example.com 192.168.4.130 FSM-WUA-WinLog-Security [phCustId]="1" [customer]="super" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="60f2aaf1-9204-47c4-a578-ffcf3327ae7d" [timeZone]="-0500" [extEventRecvProto]="Windows Agent" [level]="Information" [xml]=<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>5156</EventID><Version>1</Version><Level>0</Level><Task>12810</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2025-06-27T14:16:31.2800334Z'/><EventRecordID>33107275</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='4040'/><Channel>Security</Channel><Computer>Win2022DC.example.com</Computer><Security/></System><EventData><Data Name='ProcessID'>7452</Data><Data Name='Application'>\device\harddiskvolume3\program files\fortinet\fortisiem\fsmlogagent.exe</Data><Data Name='Direction'>%%14593</Data><Data Name='SourceAddress'>192.168.4.130</Data><Data Name='SourcePort'>53495</Data><Data Name='DestAddress'>192.168.4.50</Data><Data Name='DestPort'>443</Data><Data Name='Protocol'>6</Data><Data Name='InterfaceIndex'>10</Data><Data Name='FilterOrigin'>Unknown</Data><Data Name='FilterRTID'>69894</Data><Data Name='LayerName'>%%14611</Data><Data Name='LayerRTID'>48</Data><Data Name='RemoteUserID'>S-1-0-0</Data><Data Name='RemoteMachineID'>S-1-0-0</Data></EventData></Event>
Notice the XML structure under the [xml] field.
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"/>
<EventID>5156</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12810</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2025-06-27T14:19:08.3715338Z"/>
<EventRecordID>33107672</EventRecordID>
<Correlation/>
<Execution ProcessID="4" ThreadID="7008"/>
<Channel>Security</Channel>
<Computer>Win2022DC.example.com</Computer>
<Security/>
</System>
<EventData>
<Data Name="ProcessID">1188</Data>
<Data Name="Application">\device\harddiskvolume3\windows\system32\svchost.exe</Data>
<Data Name="Direction">%%14592</Data>
<Data Name="SourceAddress">192.168.4.131</Data>
<Data Name="SourcePort">5353</Data>
<Data Name="DestAddress">224.0.0.251</Data>
<Data Name="DestPort">5353</Data>
<Data Name="Protocol">17</Data>
<Data Name="InterfaceIndex">10</Data>
<Data Name="FilterOrigin">Unknown</Data>
<Data Name="FilterRTID">68589</Data>
<Data Name="LayerName">%%14610</Data>
<Data Name="LayerRTID">44</Data>
<Data Name="RemoteUserID">S-1-0-0</Data>
<Data Name="RemoteMachineID">S-1-0-0</Data>
</EventData>
</Event>
Where this is yours...
[xml]=4658001281200x802000000000000023181031Securityfsrv01.internal.example.comS-1-5-18fsrv01$EXAMPLECORP0x3e7Security0x4380xd50C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe
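As an added illustration (not FortiSIEM code and not from any poster in this thread): a small Python check that splits a FSM-WUA-WinLog line into its header attributes and reports whether the [xml] payload is parseable XML, so collector samples can be triaged before opening a TAC ticket. The two sample lines are constructed, trimmed versions of the ones quoted above; the field and status names are my own.

```python
import re
import xml.etree.ElementTree as ET
# Constructed samples, trimmed from the two lines quoted in this thread.
GOOD = ('2025-06-27T14:16:32Z Win2022DC.example.com 192.168.4.130 FSM-WUA-WinLog-Security '
        '[phCustId]="1" [customer]="super" [monitorStatus]="Success" [level]="Information" '
        "[xml]=<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>"
        "<Provider Name='Microsoft-Windows-Security-Auditing'/><EventID>5156</EventID>"
        "<Channel>Security</Channel><Computer>Win2022DC.example.com</Computer></System>"
        "<EventData><Data Name='Application'>\\device\\harddiskvolume3\\windows\\system32\\svchost.exe"
        "</Data><Data Name='DestPort'>5353</Data></EventData></Event>")
BAD = ('2025-06-26T13:03:19Z fsrv01.internal.example.com 172.10.24.20 FSM-WUA-WinLog-Security '
       '[phCustId]="9999" [customer]="ExampleCorp-Datacenter" [monitorStatus]="Success" '
       '[level]="Information" [xml]=4658001281200x802000000000000023181031Security'
       'fsrv01.internal.example.comS-1-5-18fsrv01$EXAMPLECORP0x3e7Security0x4380xd50'
       'C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe')
HEADER_RE = re.compile(r'^(\S+) (\S+) (\S+) (FSM-WUA-WinLog-\w+) (.*)$')   # time host ip type rest
KV_RE = re.compile(r'\[(\w+)\]="([^"]*)"')                                # [key]="value" pairs
NS = {'e': 'http://schemas.microsoft.com/win/2004/08/events/event'}


def parse_wua_line(line):
    """Split a Windows Agent line into header attributes and classify its [xml] payload.
    xmlStatus: 'missing' (no [xml]= field), 'no_xml' (no <Event> element, as in the
    failing sample above), 'malformed' (tags present but not well-formed) or 'ok'."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('not a FSM-WUA-WinLog line')
    ts, host, ip, event_type, rest = m.groups()
    head, sep, payload = rest.partition('[xml]=')
    rec = {'time': ts, 'host': host, 'ip': ip, 'eventType': event_type}
    rec.update(KV_RE.findall(head))          # phCustId, customer, level, ...
    if not sep:
        rec['xmlStatus'] = 'missing'
        return rec
    if not payload.lstrip().startswith('<Event'):
        rec['xmlStatus'] = 'no_xml'          # text only, no tags: parser will return unknown
        rec['xmlRaw'] = payload
        return rec
    try:
        root = ET.fromstring(payload)
    except ET.ParseError:
        rec['xmlStatus'] = 'malformed'
        return rec
    rec['xmlStatus'] = 'ok'
    rec['eventID'] = root.findtext('e:System/e:EventID', namespaces=NS)
    rec['channel'] = root.findtext('e:System/e:Channel', namespaces=NS)
    for d in root.iterfind('e:EventData/e:Data', NS):   # copy EventData Name/value pairs
        rec[d.get('Name')] = d.text
    return rec
```

Run it over a few hundred lines from the collector's raw event log and group by xmlStatus; a non-empty 'no_xml' bucket pinpoints the hosts whose agent output needs the ticket.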
@adem_netsys Your SIEM version is 7.1.4; what are your Collector and Agent versions? Please share.
@Himanshu735 The agent version is 7.2.4, as I understand.
I'm having problems with the FSM-WUA-WinLog-Security log again. This time, the log appears cleaner than the previous one, but the parser is not successful.