Hi @rob wood,
I'm glad that you were able to resolve your issue and thank you for sharing the status of your issue so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.
Issue:
Your client has the Fortinet connector and was aiming to filter logging so that the log ingestion would not be too costly. You were considering using the CEF AMA connector to filter out the security logs from syslog but were uncertain what to configure on the data collection rule.
Solution:
Using your own internal logic you were able to filter the logs you needed.
The official documentation has some data collection best practices that are also helpful to follow in this situation.
There is also a sample rule here that you could reference, which has some Linux-specific guidance in the comments.
If you would like to update with more details about your solution I will also edit this post to include those here.
If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
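As an added illustration of the kind of data collection rule configuration the question above is asking about (this is example content, not the original poster's rule, the Fortinet connector's shipped template, or anything from the linked documentation): a CEF-via-AMA DCR collects CEF syslog into the `Microsoft-CommonSecurityLog` stream, and the `transformKql` on the data flow is where ingestion-time filtering happens, so records that the KQL drops are never billed. The workspace resource ID, the `local4` facility, and the specific filter predicate (keep only Fortinet events that are not low-severity traffic logs) are assumptions chosen for illustration; the facility must match what the firewall is configured to send, and the filter should be tuned against what the client actually needs for detection.

```json
{
  "location": "eastus",
  "properties": {
    "dataSources": {
      "syslog": [
        {
          "name": "cefSyslogSource",
          "streams": [ "Microsoft-CommonSecurityLog" ],
          "facilityNames": [ "local4" ],
          "logLevels": [ "Info", "Notice", "Warning", "Error", "Critical", "Alert", "Emergency" ]
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "name": "sentinelWorkspace",
          "workspaceResourceId": "/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<workspace-name>"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": [ "Microsoft-CommonSecurityLog" ],
        "destinations": [ "sentinelWorkspace" ],
        "transformKql": "source | where DeviceVendor == 'Fortinet' | where not (Activity has 'traffic' and toint(LogSeverity) <= 3)"
      }
    ]
  }
}
```

Two points worth checking before relying on a filter like this: first, the `Debug` log level is deliberately left out of `logLevels` so that debug-level syslog is dropped at the agent rather than in the transform; second, test the `transformKql` predicate against a few days of already-ingested `CommonSecurityLog` rows in the workspace (replacing `source` with the table name) before applying it to the DCR, because any event the transform drops cannot be recovered later, which matters if those events feed analytics rules or are needed for incident investigation.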