I don't know if this post is closed, but I'm putting my doubt here.
I have a similar issue to the others. I can't see the forward traffic that is going through the FortiGate (60E) in the GUI, but I have configured syslogd to send the logs to an ELK server and I can see them arriving correctly.
Here is some information about the config:
FGT60E (global) # config log syslogd setting
FGT60E (setting) # get
status : enable
server : 192.168.X.X
reliable : disable
port : 5514
csv : disable
facility : local7
FGT60E (global) # config log syslogd filter
FGT60E (filter) # get
severity : information
forward-traffic : enable
local-traffic : enable
multicast-traffic : enable
sniffer-traffic : enable
anomaly : enable
voip : enable
filter-type : include
The D & E models that do not have local storage have logging limitations. Unfortunately Fortinet doesn't seem to document this, but I ran into this doing a POC on a FG200E and couldn't for the life of me figure out why logging wasn't working, and then remembered that it had no local storage; the only option was logging to memory (or off-box). Swapped it for a FG201E and the on-box logging all worked as expected.
It would be great if Fortinet would write a blurb about this in their docs and save people a lot of wasted time trying to get logging functionality to work on their D and E series boxes that do not have local storage.