Fortigate logs consist of a Header and a Body. The header contains specific universal information associated with the event log, whereas the body contains event type-specific information. The fields are transmitted as key-value pairs (and as such, it is usually easy to parse and/or extract information).

• Date : The year, month and day of when the event occurred in yyyy-mm-dd format.
• Time : The hour, minute and second of when the event occurred in the format hh:mm:ss.
• Log_id : A five or ten-digit unique identification number. The number represents that log message and is unique to that log message. This ten-digit number helps to identify the log message.
• Type : The section of system where the event occurred. (e.g. utm/traffic/etc.)
• Subtype : The subtype category of the log message based on type.
• Level : The severity level of the event, compliant with the syslog event severity scheme.

** Note: The Debug priority level (7) is rarely used. It is the lowest log priority level and usually contains some firmware status information that is useful when the FortiGate unit is not functioning properly.

• Event Properties: Those are key-value pairs of specific information based on the event type. For a list of the available fields, data type, explanation about them and possible values if applicable, refer to:
  1. FortiOS Log Messages Reference Manual
  2. FortiOS Handbook – Logging & Reporting