# Fortigate parser

The Fortigate parser can parse the log messages of FortiGate/FortiOS (Fortigate Next-Generation Firewall (NGFW)). These messages do not completely comply with the syslog RFCs, making them difficult to parse. The `fortigate-parser()` of AxoSyslog solves this problem, and can separate these log messages to name-value pairs. For details on using value-pairs, see Structuring macros, metadata, and other value-pairs. The parser can parse messages in the following format:
```
<PRI><NAME=VALUE PAIRS>
```

For example:
```
<189>date=2021-01-15 time=12:58:59 devname="FORTI_111" devid="FG100D3G12801312" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" eventtime=1610704739683510055 tz="+0300" srcip=91.234.154.139 srcname="91.234.154.139" srcport=45295 srcintf="wan1" srcintfrole="wan" dstip=213.59.243.9 dstname="213.59.243.9" dstport=46730 dstintf="unknown0" dstintfrole="undefined" sessionid=2364413215 proto=17 action="deny" policyid=0 policytype="local-in-policy" service="udp/46730" dstcountry="Russian Federation" srccountry="Russian Federation" trandisp="noop" app="udp/46730" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel="low"
```

If you find a message that the `fortigate-parser()` cannot properly parse, [contact us](<https://axoflow.com/contact/>), so we can improve the parser.

By default, the Fortigate-specific fields are extracted into name-value pairs prefixed with `.fortigate.`. For example, the `devname` field of the previous message becomes `${.fortigate.devname}`. You can change the prefix using the `prefix()` option of the parser.

## Declaration
```
@version: 4.25
@include "scl.conf"
log {
    source { network(transport("udp") flags(no-parse)); };
    parser { fortigate-parser(); };
    destination { ... };
};
```

Note that you have to disable message parsing in the source using the `flags(no-parse)` option for the parser to work.

The `fortigate-parser()` is actually a reusable configuration snippet configured to parse Fortigate messages. For details on using or writing such configuration snippets, see [Reusing configuration blocks](../../docs/axosyslog-core/chapter-configuration-file/large-configs/config-blocks/index.md). You can find the source of this configuration snippet on [GitHub](<https://github.com/axoflow/axosyslog/blob/master/scl/websense/plugin.conf>).

## prefix()

| | |
|---|---|
| Synopsis: | prefix() |
_Description:_ Insert a prefix before the name part of the parsed name-value pairs to help further processing. For example:

  * To insert the `my-parsed-data.` prefix, use the `prefix(my-parsed-data.)` option.
  * To refer to a particular value that has a prefix, use the prefix in the name of the macro, for example, `${my-parsed-data.name}`.
  * If you forward the parsed messages using the IETF-syslog protocol, you can insert all the parsed data into the SDATA part of the message using the `prefix(.SDATA.my-parsed-data.)` option.

Names starting with a dot (for example, `.example`) are reserved for use by AxoSyslog. If you use such a macro name as the name of a parsed value, the parser will attempt to replace the original value of the macro (note that only soft macros can be overwritten, see [Hard versus soft macros](../../docs/axosyslog-core/chapter-manipulating-messages/customizing-message-format/macros-hard-vs-soft/index.md) for details). To avoid such problems, use a prefix when naming the parsed values, for example, `prefix(my-parsed-data.)`.

By default, `fortigate-parser()` uses the `.fortigate.` prefix. To modify it, use the following format:
```
parser {
    fortigate-parser(prefix("myprefix."));
};
```
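The following stand-alone Python function is an added illustration of the splitting that the `<PRI><NAME=VALUE PAIRS>` format described at the top of this page requires, and of how the `prefix()` option changes the resulting names. It is not AxoSyslog code and not the `fortigate-parser()` snippet itself: it decodes the syslog `<PRI>` header into facility and severity as RFC 5424 defines them (an assumption about what the real parser exposes), then walks the remaining `name=value` tokens, keeping double-quoted values such as `dstcountry="Russian Federation"` intact rather than breaking them on the embedded space. The sample message is constructed from the fields shown on this page.

```python
import re
from typing import Dict

# Constructed sample, modelled on the message format shown on this page:
# a syslog <PRI> header followed by space-separated NAME=VALUE pairs.
SAMPLE = ('<189>date=2021-01-15 time=12:58:59 devname="FORTI_111" '
          'devid="FG100D3G12801312" logid="0001000014" type="traffic" '
          'level="notice" srcip=91.234.154.139 srcport=45295 '
          'dstcountry="Russian Federation" action="deny" sentbyte=0')

# One NAME=VALUE token. The value is either double-quoted (may contain spaces
# and backslash-escaped quotes) or bare (runs up to the next whitespace).
_PAIR = re.compile(
    r'(?P<key>[A-Za-z0-9_.-]+)='
    r'(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>\S*))'
)

_PRI = re.compile(r'<(\d{1,3})>')


def parse_fortigate(line: str, prefix: str = ".fortigate.") -> Dict[str, str]:
    """Split a FortiGate-style log line into prefixed name-value pairs.

    Returns a dict with PRI, FACILITY and SEVERITY (decoded from the syslog
    header as facility = PRI // 8, severity = PRI % 8) plus one
    '<prefix><name>' entry per NAME=VALUE pair. Raises ValueError when the
    line has no valid <PRI> header, which is what a source delivering the
    raw message with flags(no-parse) is expected to hand over.
    """
    m = _PRI.match(line)
    if m is None:
        raise ValueError("message does not start with a <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 severities - 1 is the largest legal PRI
        raise ValueError(f"PRI value out of range: {pri}")

    fields = {
        "PRI": str(pri),
        "FACILITY": str(pri >> 3),
        "SEVERITY": str(pri & 7),
    }

    # Scan the body left to right; each match consumes a whole token, so text
    # inside a quoted value (including '=' or spaces) is never re-read as a key.
    for match in _PAIR.finditer(line[m.end():]):
        value = match.group("quoted")
        if value is None:
            value = match.group("bare")
        else:
            value = value.replace('\\"', '"')  # unescape embedded quotes
        fields[prefix + match.group("key")] = value
    return fields


if __name__ == "__main__":
    for name, value in parse_fortigate(SAMPLE).items():
        print(f"{name} = {value!r}")
```

Passing `prefix="myprefix."` reproduces the effect of the `prefix("myprefix.")` option above: the same fields come back as `myprefix.devname`, `myprefix.action`, and so on. Note that the constructed PRI value 189 decodes to facility 23 (local7) and severity 5 (notice), which agrees with the `level="notice"` field carried inside the message body.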

* * *

[Fortigate parser options](../../docs/axosyslog-core/chapter-parsers/parser-fortigate/parser-fortigate-options/index.md)

Last modified October 16, 2025: [Fix @version config numbers in examples (89688d87)](<https://github.com/axoflow/axosyslog-core-docs/commit/89688d8719a35ac2c048319e8fa82c11c6cad085>)