Help needed: FortiOS v7.x logs breaking Wazuh decoders (os_regex quoting issue)


Dale Cooper

Feb 27, 2026, 5:41:00 AM
to Wazuh | Mailing List

Hi everyone,

Is anyone else struggling with Fortigate / FortiAnalyser decoders after a recent FortiOS update? (Mine is on 7.2.2.) It seems the log format changed, and values like date, time, and others are now often enclosed in double quotes (e.g., date="2026-02-25" vs the old date=2026-02-25).

I am completely stuck trying to update the parent decoder. Because os_regex is so restrictive and doesn't support optional quantifiers (like ?), I can't find a reliable way to match both the old and new formats.

Even a basic prematch like this is failing for me on the new logs:

<decoder name="fortigate-firewall-v6">
    <type>syslog</type>
    <prematch>logver=\.* date=\.* \d\d\d\d-\d\d-\d\d</prematch>
</decoder>

via https://github.com/wazuh/wazuh/blob/master/ruleset/decoders/0100-fortigate_decoders.xml

The issue seems to be that os_regex doesn't handle the potential double quote after the equals sign gracefully when you're trying to maintain compatibility.

Is anyone else working on a new decoder for FortiOS 7.x, or have you found a workaround for handling these quotes without breaking everything else?

Any help or shared snippets would be greatly appreciated!

examples:

new v7
logver=704112878 timestamp=1772028757 devname="FW01" devid="FG100FTxxxx" vd="root" date="2026-02-25" time="15:12:37" eventtime=1772028757279799489 tz="+0100" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip="==10.237.14.252==" srcname="A10" srcport=36332 srcintf="lacp1-vlan12" srcintfrole="lan" dstip="1.1.1.1" dstport=443 dstintf="port13" dstintfrole="wan" srccountry="Reserved" dstcountry="United States" sessionid=68331609 proto=6 action="close" policyid=35 policytype="policy" poluuid="61af7af4-a38e-51ec-742c-6e7dda070326" policyname="Polygon s" service="HTTPS" trandisp="snat" transip="193.179.210.102" transport=36332 appid=41469 app="Microsoft.Portal" appcat="Collaboration" apprisk="elevated" applist="application-control-v1.0" duration=2 sentbyte=7405 rcvdbyte=6305 sentpkt=14 rcvdpkt=13 utmaction="allow" countweb=1 countapp=2 srchwvendor="Samsung" devtype="Mobile" srcfamily="Phone" osname="Ubuntu" srchwversion="Samsung Galaxy A10" mastersrcmac="ac:1f:6b:80:bb:aa" srcmac="ac:1f:6b:80:00:aa" srcserver=0

old v6
logver=704092829 timestamp=1770471521 devname="FW01" devid="FG100FTxxxx" vd="root" date=2026-02-07 time=14:38:41 eventtime=1770471521819565300 tz="+0100" logid="0000000013" type="traffic" subtype="forward" level="notice" srcip===10.237.14.252== srcport=43590 srcintf="lacp1-vlan12" srcintfrole="lan" dstip=10.237.4.50 dstport=53 dstintf="lacp1-vlan4" dstintfrole="lan" srccountry="Reserved" dstcountry="Reserved" sessionid=438227544 proto=17 action="accept" policyid=34 policytype="policy" poluuid="61ae3c16-a38e-51ec-d595-4aa56011c3ca" policyname="Polygon s" dstuser="FORTIUSER" service="DNS" trandisp="noop" appcat="unscanned" duration=180 sentbyte=54 rcvdbyte=54 sentpkt=1 rcvdpkt=1 mastersrcmac="ac:1f:6b:80:3d:ba" srcmac="ac:1f:6b:80:3d:ba" srcserver=0 masterdstmac="00:15:5d:00:aa:bb" dstmac="00:15:5d:00:aa:bb" dstserver=0

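Added example (not code from the post, not part of the Wazuh ruleset): a small Python parser for the FortiOS key=value format that accepts a value with or without double quotes, so the same code reads both the 7.x and the 6.x lines above. It also reports which common fields changed from bare to quoted between the two samples, which is the list a decoder maintainer needs before touching the prematch. The Python regex uses the optional quote ("?) and alternation that os_regex lacks; this is what the question is asking how to do without. The two sample lines are shortened copies of the ones in the post (constructed here for the example), with the "==" emphasis markers around srcip removed.

```python
"""Parse FortiOS key=value syslog lines whose values may or may not be quoted."""
import re
from typing import Dict, Optional, Set

# Constructed sample input: shortened copies of the two lines posted above,
# without the "==" emphasis markers around srcip.
NEW_V7 = ('logver=704112878 timestamp=1772028757 devname="FW01" devid="FG100FTxxxx" '
          'vd="root" date="2026-02-25" time="15:12:37" eventtime=1772028757279799489 '
          'tz="+0100" logid="0000000013" type="traffic" subtype="forward" level="notice" '
          'srcip="10.237.14.252" srcport=36332 dstip="1.1.1.1" dstport=443 '
          'action="close" policyid=35 policyname="Polygon s" service="HTTPS"')
OLD_V6 = ('logver=704092829 timestamp=1770471521 devname="FW01" devid="FG100FTxxxx" '
          'vd="root" date=2026-02-07 time=14:38:41 eventtime=1770471521819565300 '
          'tz="+0100" logid="0000000013" type="traffic" subtype="forward" level="notice" '
          'srcip=10.237.14.252 srcport=43590 dstip=10.237.4.50 dstport=53 '
          'action="accept" policyid=34 policyname="Polygon s" service="DNS"')

# One key=value pair. The value is either a double-quoted string, which may
# contain spaces (policyname="Polygon s") or '=' characters, or a bare run of
# non-space characters. Trying the quoted branch first means a quoted value
# is consumed whole, so nothing inside it is mistaken for another pair.
_PAIR = re.compile(
    r'(?P<key>[A-Za-z][A-Za-z0-9_]*)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S*))')

# The date field in either style; group 1 is the value without its quotes.
# "?" is the optional quantifier os_regex does not provide.
_DATE = re.compile(r'(?:^|\s)date="?(\d{4}-\d{2}-\d{2})"?(?=\s|$)')


def parse_fortios(line: str) -> Dict[str, str]:
    """Return every key=value pair as a dict, with surrounding quotes stripped."""
    fields: Dict[str, str] = {}
    for m in _PAIR.finditer(line):
        value = m.group("quoted")
        if value is None:
            value = m.group("bare")
        fields[m.group("key")] = value
    return fields


def quoted_keys(line: str) -> Set[str]:
    """Keys whose values are double-quoted in this particular line."""
    return {m.group("key") for m in _PAIR.finditer(line)
            if m.group("quoted") is not None}


def extract_date(line: str) -> Optional[str]:
    """The YYYY-MM-DD date regardless of whether the firmware quoted it."""
    m = _DATE.search(line)
    return m.group(1) if m else None


def quoting_changes(old: str, new: str) -> Set[str]:
    """Keys present in both lines whose quoting differs between them."""
    common = parse_fortios(old).keys() & parse_fortios(new).keys()
    old_q, new_q = quoted_keys(old), quoted_keys(new)
    return {k for k in common if (k in old_q) != (k in new_q)}


if __name__ == "__main__":
    for label, line in (("v7", NEW_V7), ("v6", OLD_V6)):
        print(label, extract_date(line), parse_fortios(line)["srcip"])
    print("quoting changed for:", sorted(quoting_changes(OLD_V6, NEW_V7)))
```

On the two samples the quoting change is confined to date, time, srcip and dstip; a replacement prematch and regex only need to tolerate quotes on those fields, and this kind of diff is worth rerunning on a larger capture before editing the decoder.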

Stuti Gupta

Feb 27, 2026, 6:33:43 AM
to Wazuh | Mailing List
Hi Dale

You can resolve this issue by changing the existing default decoder.

Start by copying the default decoder file into the custom decoder directory using:

cp /var/ossec/ruleset/decoders/0100-fortigate_decoders.xml /var/ossec/etc/decoders/0100-fortigate_decoders.xml

Next, edit the Wazuh configuration file (/var/ossec/etc/ossec.conf) to exclude the default decoder so the custom one takes precedence. Add the following inside the <ruleset> block:

<ruleset>
<decoder_exclude>ruleset/decoders/0100-fortigate_decoders.xml</decoder_exclude>
</ruleset>

Now open the copied decoder file:

vi /var/ossec/etc/decoders/0100-fortigate_decoders.xml

Now, locate the fortigate-firewall-v6 decoder and add the double quotes, like "\d\d\d\d-\d\d-\d\d". This will resolve the issue. The decoder will look like:

<decoder name="fortigate-firewall-v6">
  <type>syslog</type>
  <prematch>date="\d\d\d\d-\d\d-\d\d" time=\.+logid=\.+type=\.+subtype=\.+</prematch>
</decoder>


Restart the wazuh-manager: systemctl restart wazuh-manager
Refer to https://documentation.wazuh.com/current/user-manual/ruleset/decoders/custom.html

Let me know if you need any further help. 

