Have you done a tcpdump, just to make sure the issue is not with the sender? What's interesting is the logs in the image seem to be missing several line breaks between events. The <189>date=... should be at the beginning of the event, and you have more than one occurrence per line, meaning more than one event in the same line. Also, the number before the <189> (e.g. 605) looks like a line/event count and I don't think that's expected from this source. Are you receiving this directly from the Fortigate or do you have anything in between? Something I found that seems to be related but ended up not being a syslog-ng issue: https://lists.balabit.hu/pipermail/syslog-ng/2022-August/026516.html
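The two checks described in this reply can be run against the raw TCP payload taken from a capture. The following is an added example, not code from the post or from any vendor: it counts `<PRI>` headers per line and tests one hypothesis about the leading number, namely that it is a byte length in the style of RFC 6587 octet counting, which is an assumption to verify and not something the thread establishes. The sample messages and function names are constructed for illustration.

```python
import re

PRI = re.compile(rb"<\d{1,3}>")   # syslog priority header, e.g. <189>
FRAME = re.compile(rb"(\d+) ")    # candidate "LEN SP" prefix before a message

def events_per_line(payload: bytes) -> list[int]:
    """Count priority headers in each non-empty newline-delimited line."""
    return [len(PRI.findall(line)) for line in payload.split(b"\n") if line.strip()]

def split_octet_counted(payload: bytes):
    """Split as 'LEN SP MSG' frames; return None if the numbers are not lengths."""
    msgs, pos = [], 0
    while pos < len(payload):
        m = FRAME.match(payload, pos)
        if not m:
            return None                      # no numeric prefix at this offset
        n = int(m.group(1))
        body = payload[m.end():m.end() + n]
        if len(body) != n or not PRI.match(body):
            return None                      # truncated, or number is not a length
        msgs.append(body)
        pos = m.end() + n
    return msgs

# Constructed sample events (not taken from the thread's screenshot).
MSGS = [
    b'<189>date=2024-01-01 time=00:00:01 devname="fw-example" type="traffic"',
    b'<189>date=2024-01-01 time=00:00:02 devname="fw-example" type="event"',
]
# Same events framed two ways: length-prefixed with no newlines, and one per line.
COUNTED = b"".join(b"%d %s" % (len(m), m) for m in MSGS)
NEWLINE = b"".join(m + b"\n" for m in MSGS)

if __name__ == "__main__":
    for name, data in (("counted", COUNTED), ("newline", NEWLINE)):
        frames = split_octet_counted(data)
        print(name, "events per line:", events_per_line(data),
              "| length-prefixed frames:", None if frames is None else len(frames))
```

If `split_octet_counted` returns messages for the captured payload, the numbers are message lengths and the receiver needs to be configured for that framing; if it returns `None` while `events_per_line` still shows more than one event per line, the line breaks are being lost somewhere between sender and receiver.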