Hello!
I am trying to filter logs before sending them to SIEM via Syslog. I can’t filter by text with regular expressions. I am writing the following text in Value:
Message = / [A-Z] {3} [a-z] {6} [a-z] {6} [a-z] {2} [A-Z] {3} [a-z] {4} / gm
I'm trying to find text: TCP access denied by ACL from
I attach the screenshot. Has anyone used this functionality? Please help.
Hi
Are you sure your regex is valid?
Can you post the raw syslog string you are trying to catch and forward?
Described here pretty well how to get it:
I think your regex query is going to look more something like this.
msg='TCP access denied by ACL from'
But to be sure, please post the raw syslog entry.
I checked the regular expression on the site https://regex101.com/
Event in which I am trying to extract a phrase:
Apr 20 2020 11:01:41: %ASA-3-710003: TCP access denied by ACL from 111.111.111.111/34564 to outside:222.222.222.222/45
Unfortunately, this entry cannot be saved in the filter (msg='TCP access denied by ACL from'). Returns an error "fail to save: invalid value".
The link you sent offers to perform the configuration in the section: Event Manager > Event Monitor > Event Handler List. I guess the meaning is the same, but I planned to perform the configuration in the Log Forwarding section (because it is also allowed there)
So I spent some time on this, because it might be useful for myself as well at some point.
The generic text filter is not a Regex query. It's only supporting the tilde function (~ and !~) from the glibc regex library. So no full Regex support! The other supported operators are documented here: https://kb.fortinet.com/k....do?externalID=FD36097
I understand you are looking for a Forward logging filter, but I only got it working within the Event Handler.
The forward logging filter looks bugged to me. I suggest you open a case at Fortinet. Since the generic text filter works fine in the event handler, I don't see any reason why it should be different in the syslog forwarding filter settings.
Also the text field size of just 2-3 chars is very strange.

Sending syslog events with Event Handler: in my case I tried to capture login events on a switch sending syslog events. The syslog entry looks like this on FortiAnalyzer:

date=2020-04-27 time=20:07:44 idseq=191172792102682666 itime=2020-04-27 22:07:44 euid=1 epid=1 dsteuid=1 dstepid=1 level=warning type=generic msg=Apr 27 20:07:53 1.2.3.4 03362 auth: AM2: User 'admin' login from 1.2.3.5 device_id=SYSLOG-AABBCCDD dtime=2020-04-27 20:07:44 itime_t=1588018064 devname=SWITCH01

The Generic Text Filter is: msg ~ "login from"
Your query would be: msg ~ "TCP access denied by ACL from"
This will capture all syslog messages containing the string 'login from'. And send an alert to an external syslog server.
In case you decide to open a fortinet support ticket, please let me know what the issue was.
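To make the thread's conclusion concrete, here is an added example (editor's own code, not FortiAnalyzer's and not posted by anyone in the thread). It parses FortiAnalyzer-style key=value records, evaluates a `field ~ "pattern"` / `field !~ "pattern"` generic-text-style filter against them using Python's re module as a stand-in for the glibc regex the post refers to, and then runs the regex from the opening post exactly as typed next to a version with each quantifier attached to its character class, to show why the original does not match the ASA line. The three records are constructed for this example from the two lines quoted in the thread plus one non-matching ASA line, with placeholder addresses; the filter syntax accepted here is only the two operators the post names.

```python
import re

# Constructed sample records in FortiAnalyzer's key=value layout (not copied from a live
# system; modelled on the two lines quoted in the thread, plus one ASA line that should
# NOT match so the filter has something to reject).
SAMPLE_RECORDS = [
    "date=2020-04-27 time=20:07:44 idseq=191172792102682666 itime=2020-04-27 22:07:44 "
    "euid=1 epid=1 dsteuid=1 dstepid=1 level=warning type=generic "
    "msg=Apr 27 20:07:53 1.2.3.4 03362 auth: AM2: User 'admin' login from 1.2.3.5 "
    "device_id=SYSLOG-AABBCCDD dtime=2020-04-27 20:07:44 itime_t=1588018064 devname=SWITCH01",
    "date=2020-04-20 time=11:01:41 level=error type=generic "
    "msg=Apr 20 2020 11:01:41: %ASA-3-710003: TCP access denied by ACL from "
    "111.111.111.111/34564 to outside:222.222.222.222/45 "
    "device_id=SYSLOG-11223344 devname=ASA01",
    "date=2020-04-20 time=11:02:00 level=notice type=generic "
    "msg=Apr 20 2020 11:02:00: %ASA-6-302013: Built outbound TCP connection 12345 "
    "device_id=SYSLOG-11223344 devname=ASA01",
]

# Values are unquoted and may contain spaces (msg=, itime=), so a value runs until the
# next " key=" token rather than until the next space.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Only the two operators the post describes: ~ (regex match) and !~ (no regex match).
FILTER_RE = re.compile(r'^\s*(\w+)\s*(!~|~)\s*"([^"]*)"\s*$')


def parse_record(line):
    """Split one FortiAnalyzer-style log line into a dict of field -> value."""
    return {key: value for key, value in KV_RE.findall(line)}


def matches(record, expression):
    """Evaluate a generic-text-style filter such as msg ~ "login from" against one record.

    The regex is applied with re.search, i.e. the pattern has to occur somewhere in the
    field value, which is the behaviour the thread relies on for substring-like filters.
    """
    m = FILTER_RE.match(expression)
    if not m:
        raise ValueError(f"unsupported filter syntax: {expression!r}")
    field, op, pattern = m.groups()
    value = record.get(field, "")
    hit = re.search(pattern, value) is not None
    return hit if op == "~" else not hit


def select(records, expression):
    """Return the msg field of every record the filter would forward."""
    return [r["msg"] for r in map(parse_record, records) if matches(r, expression)]


# The pattern from the opening post, as typed between its / / delimiters. A space before
# each {n} makes the quantifier apply to the space, so "[A-Z] {3}" means one uppercase
# letter followed by three spaces.
POSTED_PATTERN = r" [A-Z] {3} [a-z] {6} [a-z] {6} [a-z] {2} [A-Z] {3} [a-z] {4} "

# Same intent with each quantifier attached to its class: TCP access denied by ACL from.
ATTACHED_PATTERN = r"[A-Z]{3} [a-z]{6} [a-z]{6} [a-z]{2} [A-Z]{3} [a-z]{4}"


def regex_hits(records, pattern):
    """msg values on which a bare regex search succeeds (same engine as the filter above)."""
    return [r["msg"] for r in map(parse_record, records) if re.search(pattern, r["msg"])]


if __name__ == "__main__":
    for expr in ('msg ~ "login from"', 'msg ~ "TCP access denied by ACL from"', 'msg !~ "login from"'):
        print(expr, "->", select(SAMPLE_RECORDS, expr))
    print("posted pattern   ->", regex_hits(SAMPLE_RECORDS, POSTED_PATTERN))
    print("attached pattern ->", regex_hits(SAMPLE_RECORDS, ATTACHED_PATTERN))
```

The literal-string filters forward exactly the record that carries the phrase, and the pattern from the first post matches nothing because its quantifiers count spaces rather than letters; the plain `msg ~ "TCP access denied by ACL from"` form suggested in the thread is both simpler and correct. Whether the product's own parser accepts the same quoting is not something this example can verify; it only shows the matching semantics.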
I will open a case at Fortinet. Thanks