Fortigate - Values with "=" are getting splited even without an existing extractor for it

Hello everyone,

I have a problem with the syslog messages from a Fortigate.
I´m using a bunch of extractors to split up the syslog message from the Fortigate into fields, which is working very good. But sometimes in the URL-Log of the Fortigate contains a random “=” & this is somehow creating another field with a random name. I cannot figure out how to stop this.
Could you please help me on this?

Here are some screenshots:

Hello & Welcome

I also have Fortigate firewalls 60,100, and 200 series. So, I need to ask a couple question.
What kind of extractors are you using (GROK, REGX, etc…) ?
What version of Graylog do you have installed?
Can you show us how you made your extractors?
Have you tried tesing that message/s out from the extractors you made to see which one might be creating this issue?
Here is an example for Regular expression.


Hope that helps.

Hello Gsmith,

I´ve just tried to swap over from syslog format to cef format, but it has the same problem…
I do not even have any extractors running in the cef format & still getting this problem:

it almost looks like Graylog is separating the full message into parts with every “=”.

Maybe it has to do with the “select input”, do you use plain text?

I´m running Graylog version 4.0.6+40b7be5.


That will happen when not using the input to ingest your logs.

Yes, our inputs are Raw/Plaintext UDP and we use ports above 1024.

1 Like

Since I swap over to Raw/Plaintext the problem is solved.
Thank you.

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.