back to the rem-syslog server, you can do a diag snifffer packet " interface-name" ' port 15000' and see if any traffic is sourced from the firewall to the host you can also do that on the server quite easily. Make sure logging is enabled If you see traffic, than check the unix facilities local7 o kill -HUP the syslogd daemon. Make sure the process can write to the file as a permission check ( assuming unix ) chmod the file to 777 as temp and see if files are written. If you see syslog data write than you know it' s a daemon write-accesss/ownership issue. btw splunk is good

OP, are 100% logging enabled and did you sniffer on the fortigate or the remote syslog server ? Can you ping the log host 192.168.222.111 ?

Now I' m really confused, we have 2 screen shots 10.0.17 and 10.0.14 .94 which is it? Now to diagnose this, we need you double check port and ip_address. And provide the following; show log syslogd filter show log syslogd setting show log memory Next, set up a sniffer to list on the port that you have syslog running on < 15000 > ???? And then execute a logging event like a failed admin login or even easier execute a diag test log You should see a syslog packet generated and sent to the syslog. i.e FG200B1G02811942 # diag log test generating a system event message with level - warning generating an infected virus message with level - warning generating a blocked virus message with level - warning generating a URL block message with level - warning generating a DLP message with level - warning generating an attack detection message with level - warning generating an application control IM message with level - information generating an application control VOIP message with level - information generating an antispam message with level - notification generating an allowed traffic message with level - notice generating a wanopt traffic log message with level - notification generating a HA event message with level - warning