This is not CEF nor it follows the syslog pattern that the syslog input expectes.
If you are receiving only the Fortigate logs in this port, you should switch to the tcp input, if you are receiving anything else you should configure your fortinet device to send to another port that will listen with the tcp input.
To parse this you just need these filters:
filter {
dissect {
mapping => {
"message" => "<%{}>%{kvmsg}"
}
}
mutate {
strip => ["kvmsg"]
}
kv {
source => "kvmsg"
target => "[fortinet][firewall]"
}
}
This will parse your message and put the fields under fortinet.firewall, example fortinet.firewall.srcip.