Is there a way to correlate FortiGate logs?

Hi there,

I'm ingesting logs from our Fortinet FortiGate VPN server and was wondering if there's a way to correlate login sessions.

The issue I'm trying to solve is that the logs that show a successful login don't include the source.geo.country_name field, and the logs that do have that field don't have any user-related data.

There's a fortinet.firewall.sessionid field but it doesn't correlate the actual login session. For example, this is from one of my recent logins:

And the fortinet.firewall.sessionid field isn't even present in the logs that show the successful logins:

If anyone has any suggestions, I'd love to know!

Thank you!

Check my post "Best practice for adding additional fields to transform" and try creating a transformation. It duplicates the VPN sessions to a new index with start & stop time...
