When using Fortinet Fortigate Connector, some operations such as 'Get System Events' may not work correctly.

Use the playbook to apply a filter on the config of the connector as below.

• Filter Query:user=*"admin", level=*"Information"
• Start:0
• Rows:5

If it works well, it is possible to see the logs on the extracted log's results as follows:

status : success
results [5]
0 {22}
sn : 1702865880
tz : +0900
ui : ssh(192.168.11.58)
vd : root
msg : Administrator admin logged out from ssh(192.168.11.58)
date : 2023-12-18
time : 11:18:00
type : event
user : admin
dstip : 192.168.11.111
level : information
logid : 0100032003
srcip : 192.168.11.58
action : logout
method : ssh
reason : exit
status : success
logdesc : Admin logout successful
subtype : system
duration : 0
_metadata {4}
eventtime : 1702865880322877400

1 {15}
2 {22}
3 {34}
4 {34}

... (omitted)

If it does not work well, it is possible to see the logs on the extracted log's results as follows:

status: success
results [0] (empty array)

In this case, Checking the tested version of the devices referring to the documentation is recommended:

It is possible to check the tested version of devices on the document by selecting documentation on FortiSOAR as below:

It would mostly be resolved by testing the issue with devices with the same version as the document because it verified compatibility over the devices with the written version.

Check if it works well in the tested version on the document first, and then if it does not work well even though it has been tested, open a ticket with the TAC support.