
FortiGate log analysis: what to actually alert on

A single busy FortiGate can emit 200 GB of logs a day. Nobody reads that. The skill is not collecting more — it is knowing the handful of patterns that justify an alert and suppressing the rest. Here is where the signal actually lives.

The high-signal events

  • Brute-force on auth surfaces. Repeated failed logins against the VPN portal, admin interface or published services from one source in a tight window. Correlate with a success that follows — that’s the one that matters.
  • Mass-deny bursts. A spike in denied sessions from a single source is a scan or a misconfigured host. The shape (many destinations, sequential ports) tells you which.
  • Exposed admin surfaces. Management interfaces reachable from untrusted zones. This is a finding even with zero attempts against it yet.
  • Threat-intel hits. Traffic to or from IPs on a current intel feed — outbound is often more interesting than inbound, because it can mean a host already compromised.
  • IPS / UTM signature hits. Especially exploit-probe signatures against your web tier. Group them by source to separate a scanner from a targeted attempt.

The noise to suppress

Most allowed-traffic logging is volume, not signal. Suppress or sample it. Whitelist your own monitoring scanners and known partner IPs early, or they’ll generate false-positive bursts that bury the real ones. Device-health chatter belongs on a separate, lower-severity track.

Why correlation beats search

A denied login is noise. A denied login burst followed by a success, from an IP seen in threat intel, against an admin surface that shouldn’t be exposed — that’s an incident. The value is in joining those events across sources and rolling them into one item a human can act on, not in a faster search box.
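The brute-force bullet above and the correlation argument here, as an added example that is not part of the original post: failed logins are counted per source inside a sliding window, a whitelisted scanner is suppressed up front, and only a success that follows a burst becomes an alert. Field names follow FortiGate's key=value event-log style; the log lines, addresses and thresholds are constructed.

```python
"""Correlate a failed-login burst with the success that follows it, per source IP.
Added example; constructed data in FortiGate key=value style (date, time, srcip, user, action, status)."""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # failures must fall inside this sliding window
THRESHOLD = 5                  # failures in the window before a success matters
SUPPRESS = {"10.0.0.9"}        # constructed: your own monitoring scanner, whitelisted

def sample_line(t, src, user, status):
    """Build one constructed log line in FortiGate key=value style (not real device output)."""
    return f'date=2024-05-01 time={t} srcip={src} user="{user}" action=login status={status}'

SAMPLE_LOGS = (  # one typo by a real user, a brute-force that lands, a noisy scanner
    [sample_line("08:00:01", "192.0.2.5", "alice", "failed"),
     sample_line("08:00:09", "192.0.2.5", "alice", "success")]
    + [sample_line(f"08:00:{10 + i}", "203.0.113.7", "admin", "failed") for i in range(6)]
    + [sample_line("08:01:00", "203.0.113.7", "admin", "success")]
    + [sample_line(f"08:02:{i:02d}", "10.0.0.9", "admin", "failed") for i in range(8)]
)

def parse_line(line: str) -> dict:
    """Split a key=value line into a dict (quoted values unwrapped) and add a datetime."""
    ev = dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)
    ev["ts"] = datetime.fromisoformat(f'{ev["date"]} {ev["time"]}')
    return ev

def correlate(lines):
    """Return (srcip, failure_count, success_time) for every source whose failed
    logins reach THRESHOLD inside WINDOW and are then followed by a success."""
    failures = defaultdict(list)  # srcip -> timestamps of recent failed logins
    alerts = []
    for ev in sorted(map(parse_line, lines), key=lambda e: e["ts"]):
        if ev.get("action") != "login" or ev["srcip"] in SUPPRESS:
            continue  # not an auth event, or a whitelisted source: suppress
        hist = failures[ev["srcip"]]
        hist[:] = [t for t in hist if ev["ts"] - t <= WINDOW]  # slide the window
        if ev.get("status") == "failed":
            hist.append(ev["ts"])
        elif ev.get("status") == "success":
            if len(hist) >= THRESHOLD:  # burst, then a success: the one that matters
                alerts.append((ev["srcip"], len(hist), ev["ts"]))
            hist.clear()  # a success closes this source's burst either way
    return alerts

if __name__ == "__main__":
    for src, n, ts in correlate(SAMPLE_LOGS):
        print(f"ALERT {src}: {n} failed logins then success at {ts:%H:%M:%S}")
```

On the constructed sample, alice's single typo and the suppressed scanner produce nothing; only 203.0.113.7 (six failures, then a success) is returned.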

Want this on your own traffic? Send 24 hours of FortiGate syslog from one device and we’ll return a written analysis of what we’d alert on for your environment — free, no commitment.

Frequently asked

What FortiGate logs are most important for security monitoring?
The highest-value FortiGate logs for security are denied-traffic events (for brute-force and scan detection), admin login events, IPS/UTM signature hits, and VPN authentication logs. These carry far more signal than the bulk of allowed-traffic logging.
How much FortiGate log volume is normal?
It varies widely, but a busy mid-sized site can produce anywhere from tens of gigabytes to 200 GB or more of FortiGate logs per day. The volume is exactly why automated correlation and AI triage matter — no human reads that directly.