Hi,
I know your question is kind of old, but I just configured Splunk 6.2.1 to receive logs from Fortigate 5.2.2. It is working fine using the generic_single_line setting. Splunk figures out the messaging no problem. In my Global config:
config log syslogd setting
(setting) # show
config log syslogd setting
set status enable
set server "w.x.y.z"
set port 1514
end
That being said, I had configured syslog in a 4.x version when it could be done from the GUI. But I took down my Splunk server and only reconfigured it again recently.
If you are using VDOMs (I am) you can separate out the messages by VDOM using the vd=vdomname field.
Hope this helps you out.
Paul
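The point about splitting FortiGate syslog by the vd field is easy to show outside Splunk as well. The following is an added example, not code from the post or from Fortinet or Splunk: a small parser for the key=value format FortiGate emits (with quoted values that may contain spaces) plus a per-VDOM summary of accepted and denied sessions. The log lines are constructed samples; the device name and device id values are placeholders, and the field names used (vd, srcip, dstip, action and so on) are the standard FortiGate traffic-log keys.

```python
import re
from collections import defaultdict

# One key=value token: the value is either a double-quoted string (which
# may contain spaces and escaped quotes) or a run of non-whitespace.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_line(line):
    """Turn a FortiGate syslog line into a dict of its key=value fields.

    A leading syslog PRI such as <189> is skipped because '189' is never
    followed by '=' and so never matches as a key.
    """
    fields = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            val = val[1:-1]  # strip the surrounding quotes
        fields[key] = val
    return fields


def group_by_vdom(lines):
    """Bucket parsed events by VDOM, the same split as vd=<name> in Splunk."""
    groups = defaultdict(list)
    for line in lines:
        fields = parse_fortigate_line(line)
        groups[fields.get("vd", "unknown")].append(fields)
    return dict(groups)


def summarize_by_vdom(lines):
    """Per VDOM: total traffic events and how many were accepted or denied."""
    summary = {}
    for vdom, events in group_by_vdom(lines).items():
        counts = {"total": len(events), "accept": 0, "deny": 0}
        for ev in events:
            action = ev.get("action")
            if action in counts:
                counts[action] += 1
        summary[vdom] = counts
    return summary


# Constructed sample lines in FortiGate traffic-log format; devname and devid
# are placeholders rather than values from any real device.
SAMPLE_LINES = [
    '<189>date=2015-02-10 time=14:03:22 devname="FG-EXAMPLE" devid="FGT-PLACEHOLDER" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=10.0.0.5 srcport=51234 dstip=192.0.2.10 dstport=443 proto=6 '
    'action="accept" msg="sample message with spaces"',
    '<189>date=2015-02-10 time=14:03:25 devname="FG-EXAMPLE" devid="FGT-PLACEHOLDER" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="customerA" '
    'srcip=10.1.0.7 srcport=40000 dstip=10.1.0.1 dstport=22 proto=6 action="deny"',
    '<189>date=2015-02-10 time=14:03:27 devname="FG-EXAMPLE" devid="FGT-PLACEHOLDER" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=10.0.0.9 srcport=52000 dstip=10.0.0.1 dstport=53 proto=17 action="accept"',
]


if __name__ == "__main__":
    for vdom, counts in sorted(summarize_by_vdom(SAMPLE_LINES).items()):
        print(f"{vdom}: {counts}")
```

Feeding real syslog from the FortiGate into summarize_by_vdom gives the same per-VDOM view the post describes getting from Splunk with a vd=vdomname search; the quoted-value handling matters because fields such as msg contain spaces and would otherwise be split into several bogus keys.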