
Unparsed FortiGate logs issue

Youssef Helmy 0 Reputation points
2026-03-05T09:20:25.7433333+00:00

Hello,

I have a problem where the enabled CEF via AMA data connector outputs the ingested logs like this:

[screenshot of the ingested log entries]



2 answers

  1. Suchitra Suregaunkar 11,805 Reputation points Microsoft External Staff Moderator
    2026-03-09T20:23:24.37+00:00

    Hello Youssef Helmy

    Thank you for posting your query on Microsoft Q&A platform.

    Could you please share us the below details?

    1. Are you using the new Azure Monitor Agent (AMA) or the older Log Analytics agent? Which version?
    2. Please paste the relevant portion of your syslog/CEF config (e.g., /etc/azuremonitoragent/… or MMA config).
    3. Can you share a raw log message example as it appears on the Linux/Windows host before it’s ingested?
    4. Which data collection agent and version are you using (Azure Monitor Agent, MMA, etc.)?
    5. What version of the AMA CEF connector or extension have you installed?
    6. How have you configured the syslog/CEF collection (include your YAML or JSON config snippet)?
    7. Can you share a text sample of the raw syslog message as it arrives on the host (with any sensitive fields redacted)?

    Thanks,
    Suchitra.


  2. Q&A Assist
    2026-03-05T09:20:56.12+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    FortiGate logs ingested through the CEF via AMA connector appear in the CommonSecurityLog table. Any CEF key–value pairs that Microsoft Sentinel does not map to a standard CommonSecurityLog column are stored in the AdditionalExtensions field.

    In the screenshot, the FTNTFGT* fields are vendor‑specific Fortinet keys that do not have built‑in mappings, so they are expected to appear concatenated in AdditionalExtensions rather than in separate columns. This does not indicate a parsing failure, only that these fields are unmapped.

    To validate that the logs are correctly parsed as CEF and not raw syslog:

    1. Confirm the CEF header format on the FortiGate side matches the required structure:
         <Priority>Timestamp Hostname CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|[Extension]
      
      For example:
         Jan 18 11:07:53 host CEF:0|Vendor|Product|1.0|100|EventName|5|src=10.0.0.1 dst=10.0.0.2
      
      Ensure:
      • CEF:0| is present.
      • All seven header fields are present and separated by |.
      • Any |, \, or = characters in values are properly escaped (\|, \\, \=).
    2. Verify that the Data Collection Rule on the AMA forwarder is configured for CEF:
         sudo grep -i -r "SECURITY_CEF_BLOB" /etc/opt/microsoft/azuremonitoragent/config-cache/configchunks
      
      Presence of SECURITY_CEF_BLOB confirms that CEF events are being collected.
    3. If needed, enable AMA diagnostic tracing temporarily to confirm that events are recognized as CEF and uploaded correctly:
         sudo vim /etc/default/azuremonitoragent
         # add -T 0x2002 to MDSD_OPTIONS
         sudo systemctl restart azuremonitoragent
         sudo tail -f /var/opt/microsoft/azuremonitoragent/log/mdsd.info | grep -a "CEF"
      
      Then remove the trace flag after troubleshooting to avoid excessive logging.

    If the CEF header is valid and SECURITY_CEF_BLOB is present, the behavior where Fortinet‑specific fields appear in AdditionalExtensions is by design. Queries can extract these values from AdditionalExtensions using KQL parsing functions if needed.


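The checklist above (CEF:0 prefix, seven pipe-separated header fields, escaped `|`, `\` and `=` in values) and the closing remark about pulling FTNTFGT* keys back out of AdditionalExtensions can both be exercised offline. The following Python is an added example, not code from the question, the answer, or Microsoft; it parses a CEF line the way the checklist describes, reports header problems, then mimics the mapped-column versus AdditionalExtensions split and reverses it. The sample lines are constructed, the `MAPPED_KEYS` table is an assumed partial subset of the real CommonSecurityLog mapping, and the `;`-separated layout of AdditionalExtensions is an assumption about how Sentinel stores that field.

```python
import re

# Constructed samples (not from the question or the answer): a Fortinet-style CEF
# event whose vendor-specific FTNTFGT* keys carry escaped characters, and a native
# FortiGate key=value syslog line that has no CEF header at all.
SAMPLE_CEF = (
    "Jan 18 11:07:53 fw01 CEF:0|Fortinet|Fortigate|v7.0.12|00013|forward|5|"
    "src=10.0.0.1 dst=10.0.0.2 spt=51514 dpt=443 act=accept "
    "FTNTFGTsrccountry=Reserved FTNTFGTmsg=pipe \\| eq \\= slash \\\\ done"
)
RAW_SYSLOG = "Jan 18 11:07:53 fw01 date=2024-01-18 devname=fw01 logid=0000000013 type=traffic"

HEADER_FIELDS = ["Version", "DeviceVendor", "DeviceProduct", "DeviceVersion",
                 "DeviceEventClassID", "Name", "Severity"]
# Assumed, partial subset of CEF keys that CommonSecurityLog maps to named columns;
# any key not listed here is treated as unmapped, as the answer describes.
MAPPED_KEYS = {"src": "SourceIP", "dst": "DestinationIP", "spt": "SourcePort",
               "dpt": "DestinationPort", "act": "DeviceAction", "proto": "Protocol",
               "msg": "Message"}
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z][\w.\-]*)=")   # start of an extension key


def _split_unescaped(text, sep, maxsplit):
    """Split on sep at most maxsplit times; backslash-escaped chars stay together (still escaped)."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):        # keep the escape pair intact
            buf.extend((ch, text[i + 1]))
            i += 2
            continue
        if ch == sep and len(parts) < maxsplit:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value):
    r"""Undo the escapes the answer lists: \| -> |, \= -> =, \\ -> \ ."""
    return re.sub(r"\\([\\|=])", r"\1", value)


def validate_header(line):
    """Return the problems found with the CEF header; an empty list means it passes the checklist."""
    idx = line.find("CEF:")
    if idx < 0:
        return ["missing 'CEF:' prefix (looks like raw syslog, not CEF)"]
    parts = _split_unescaped(line[idx + 4:], "|", 7)
    problems = []
    if parts[0] != "0":
        problems.append(f"CEF version is {parts[0]!r}, expected '0'")
    if len(parts) < 7:
        return problems + [f"only {len(parts)} header fields, expected 7"]
    problems += [f"empty header field {n}" for n, v in zip(HEADER_FIELDS, parts[:7]) if v == ""]
    sev = parts[6]
    if not (sev.isdigit() and int(sev) <= 10) and sev not in {"Low", "Medium", "High", "Very-High"}:
        problems.append(f"severity {sev!r} is not 0-10 or Low/Medium/High/Very-High")
    return problems


def parse_extension(ext):
    """Parse 'key=value key2=value with spaces' into a dict; an escaped '=' never starts a new key."""
    hits = list(KEY_RE.finditer(ext))
    out = {}
    for n, m in enumerate(hits):
        end = hits[n + 1].start() if n + 1 < len(hits) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out


def parse_cef(line):
    """Split a CEF line into syslog prefix, the seven header fields and the extension dict."""
    problems = validate_header(line)
    if problems:
        raise ValueError("; ".join(problems))
    idx = line.find("CEF:")
    parts = _split_unescaped(line[idx + 4:], "|", 7)
    header = {n: _unescape(v) for n, v in zip(HEADER_FIELDS, parts[:7])}
    extension = parse_extension(parts[7]) if len(parts) > 7 else {}
    return {"prefix": line[:idx].rstrip(), "header": header, "extension": extension}


def to_common_security_log(extension):
    """Mimic the mapping step: known keys become columns, the rest are joined into AdditionalExtensions."""
    columns, unmapped = {}, []
    for key, value in extension.items():
        if key in MAPPED_KEYS:
            columns[MAPPED_KEYS[key]] = value
        else:
            unmapped.append(f"{key}={value}")
    columns["AdditionalExtensions"] = ";".join(unmapped)   # assumed ';'-separated layout
    return columns


def parse_additional_extensions(field):
    """Split an AdditionalExtensions string ('k1=v1;k2=v2') back into a dict, as a KQL query would."""
    out = {}
    for pair in field.split(";"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            out[key] = value
    return out


if __name__ == "__main__":
    for line in (SAMPLE_CEF, RAW_SYSLOG):
        print(validate_header(line) or "header OK")
    row = to_common_security_log(parse_cef(SAMPLE_CEF)["extension"])
    print(row["AdditionalExtensions"])
    print(parse_additional_extensions(row["AdditionalExtensions"]))
```

Running it shows the difference between the two failure modes the answer distinguishes: the raw FortiGate syslog line fails the header check outright (that is a real ingestion problem), while the well-formed CEF line validates cleanly and its FTNTFGT* keys simply land in AdditionalExtensions, from which they can be split back out.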
