Hi All,

We collected Fortinet fortigate logs to splunk. However, the incoming logs are in CEF format but do not match with the add-on, and there is a prefix "FTNTFGT" at the beginning of the fields.

I am sharing a sample log below with you, do you need to make a config on the fortigate?


<189>Aug 12 13:35:50 xxxx CEF:0|Fortinet|Fortigate|vxxx|00xxx|traffic:forward accept|3|deviceExternalId=xxxIxxxx FTNTFGTeventtime=1660300550574125940 FTNTFGTtz=+0300 FTNTFGTlogid=xxx cat=traffic:forward FTNTFGTsubtype=forward FTNTFGTlevel=notice FTNTFGTvd=xxx src=xxx spt=57425 deviceInboundInterface=xxx FTNTFGTsrcintfrole=lan dst=xxx dpt=18 deviceOutboundInterface=xxx FTNTFGTdstintfrole=wan FTNTFGTsrccountry=xxx FTNTFGTdstcountry=xxx externalId=xxx proto=6 act=accept FTNTFGTpolicyid=xxx FTNTFGTpolicytype=policy FTNTFGTpoluuid=xxxxxxx FTNTFGTpolicyname=xxxx duser=xxxxx FTNTFGTgroup=xxxx FTNTFGTauthserver=xxx app=HTTPS FTNTFGTtrandisp=xxx sourceTranslatedAddress=xxx sourceTranslatedPort=xxxx FTNTFGTappid=xxx FTNTFGTapp=xxxx FTNTFGTappcat=xxxx FTNTFGTapprisk=elevated FTNTFGTapplist=xxx FTNTFGTduration=xxx out=4348 in=2983 FTNTFGTsentpkt=38 FTNTFGTrcvdpkt=xx FTNTFGTsentdelta=123 FTNTFGTrcvddelta=104 FTNTFGTdevtype=Router FTNTFGTmastersrcmac=xxxxx FTNTFGTsrcmac=xxxxFTNTFGTsrcserver=0

@jerryzhao