FortiSIEM typically receives syslog over UDP port 514, not TCP port 9999.

FortiSIEM generally accepts syslog over UDP port 514 by default. TCP reception can be configured, but port 9999 is not part of standard FortiSIEM deployments. Stick with UDP 514 for log delivery unless you have explicit vendor guidance for TCP.

Multiple Choice

Can syslog messages be sent to FortiSIEM over TCP port 9999?

Explanation:
The answer is no. FortiSIEM expects syslog over UDP by default, typically on port 514. FortiSIEM can be configured to receive syslog over TCP, but TCP port 9999 is not part of any common FortiSIEM configuration. Other explanations, such as device-specific settings, do not apply here because the accepted standard for syslog delivery to FortiSIEM is UDP on the default port 514; deviating from it requires configuration knowledge that is not standard practice. So the claim that syslog messages can be sent to FortiSIEM specifically over TCP port 9999 is incorrect.

Can syslog messages be sent to FortiSIEM over TCP port 9999? The short answer is no. But the real story is a little more nuanced, and it’s worth unpacking so you’re not chasing a red herring when you’re wiring up Fortinet logs in a real network.

Let me set the stage with the basics, because this stuff comes up more often than you’d think. Syslog is a simple, lightweight way for devices to tell a centralized collector what’s going on. FortiSIEM, Fortinet’s security information and event management solution, sits in the middle of that story and wants clean, reliable feeds from your devices. Historically, syslog has a default habit: send messages over UDP port 514. It’s fast, it’s simple, and for many deployments, it just works.

So why is port 9999 not the right answer here? For one thing, 9999 isn’t a standard port for FortiSIEM syslog input. The common, out-of-the-box expectation is UDP 514. That doesn’t mean you can’t bend things to your architecture, but it does mean a mismatch like “TCP over 9999” is generally not aligned with how FortiSIEM is designed to receive the bulk of its syslog data by default. If you’ve seen a question or a setup that points to 9999, it’s a red flag to pause and verify what’s really being asked or what the environment actually uses.

Two transport modes sit at the heart of this discussion: UDP vs TCP. Here’s the practical difference in plain terms.

  • UDP (the default): Fire-and-forget logs. They’re tiny packets, sent quickly, with no guarantee every message arrives. In many logging workflows, that’s acceptable because you’re collecting vast streams of data, and the magnitude of logs can be so large that a tiny percentage of loss isn’t catastrophic for correlation or alerting. FortiSIEM leverages this efficiency, which is why UDP 514 is the typical starting point.

  • TCP (the more deliberate cousin): Reliable delivery. TCP retransmits lost segments and delivers the byte stream in order, so a message is not silently dropped in transit the way a UDP datagram can be. That reliability comes at a cost: more overhead, slightly more complex configuration, and often the need to choose a specific port that both the sender and FortiSIEM agree on. One caveat worth knowing: because TCP is a stream, sender and collector must also agree on how messages are framed (newline-terminated or octet-counted), and the reliability covers the transit path, not events still queued on a sender whose connection has dropped. If your environment demands high assurance, perhaps for critical alerts or in networks where packet loss is unacceptable, TCP becomes attractive. FortiSIEM can be configured to receive syslog over TCP, but port choices and security considerations matter here.

The crux of the matter is this: the “TCP vs UDP” decision isn’t just about speed or stubborn port trivia. It’s about reliability, network design, firewall policies, and how you want to handle missing data. If you settle on TCP for FortiSIEM, you’ll typically coordinate with your SIEM admin to pick a suitable TCP port and ensure the log sources know where to reach it, along with any security wrappers (like TLS) if you’re moving sensitive logs over the wire. However, that doesn’t mean port 9999 becomes a universal standard for FortiSIEM syslog inputs.

A quick digression about ports and practical setup can help keep things grounded. Ports are how devices distinguish one service from another on the same IP address. A given port number is less about the device and more about the service it’s offering. In the real world, you’ll see a lot of teams sticking to well-known, documented ports for syslog, SNMP traps, or application logs. The risk you run when you pick an offbeat port—like 9999—is that it’s easy to forget to open it on firewalls, easy to misconfigure on devices, and harder for operators to remember during incident response. So even if you’re tempted by a “clean, memorable” port number, the better move is to align with the established pattern in your environment and document it clearly.

If you’re configuring FortiGate, FortiAnalyzer, or FortiSIEM in a mixed ecosystem, here are some practical, field-tested thoughts to keep in mind.

  • Start with UDP 514 as the baseline. It’s the most common path for log forwarding into FortiSIEM and avoids a lot of friction with default rules many admins already have in place.

  • If you need TCP for reliability, know where FortiSIEM is listening. You’ll set up the devices to point to the FortiSIEM TCP input and ensure the chosen port is allowed through any intervening firewalls. You’ll also confirm whether TLS is required, which adds encryption but also more configuration steps on both sender and receiver sides.

  • Avoid port 9999 unless there’s a documented, organization-specific reason for it. If someone tells you to use 9999, ask for the exact rationale and the accompanying firewall and security controls. It’s not a best practice in FortiSIEM contexts, and it tends to be a source of misconfiguration.

  • Validate end-to-end. After you set the input, push a small set of test logs from a known device and confirm they appear in FortiSIEM. Watch for timing, packet loss, and any parsing rules that might be affected by transport differences.
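As an added example (not from this page, from Examzify, or from Fortinet), the following Python script performs the "validate end-to-end" step above and also illustrates the UDP versus TCP difference discussed earlier, plus the TLS wrapper mentioned later: it builds an RFC 5424 syslog line, sends it over UDP, TCP (with RFC 6587 octet-counting framing) or TLS, and checks the round trip against a local stand-in receiver so you can verify the sending side before pointing it at a real collector. COLLECTOR_HOST, SYSLOG_UDP_PORT, the hostname fw-lab-01 and the stand-in receiver are assumptions for this example, not FortiSIEM settings.

```python
"""Constructed example: build a syslog test message, send it over UDP,
TCP or TLS, and verify the round trip against a local stand-in receiver.
Nothing here is FortiSIEM's own code; names marked 'assumed' are chosen
for the example only."""
import queue
import socket
import ssl
import threading
from datetime import datetime, timezone

COLLECTOR_HOST = "127.0.0.1"  # assumed; replace with the collector address
SYSLOG_UDP_PORT = 514         # the default syslog port the page recommends


def build_syslog_message(facility, severity, hostname, app_name, msg, ts=None):
    """Return one RFC 5424 syslog line. PRI is facility*8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    pri = facility * 8 + severity
    ts = ts or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    # VERSION=1; PROCID, MSGID and STRUCTURED-DATA are the NILVALUE "-"
    return f"<{pri}>1 {ts} {hostname} {app_name} - - - {msg}"


def frame_for_tcp(message):
    """RFC 6587 octet-counting framing ('<len> <payload>'). A TCP stream has
    no datagram boundaries, so the receiver needs this to split messages."""
    payload = message.encode("utf-8")
    return f"{len(payload)} ".encode("ascii") + payload


def send_syslog(message, host=COLLECTOR_HOST, port=SYSLOG_UDP_PORT,
                transport="udp", ca_file=None):
    """Send one message. UDP is fire-and-forget; TCP connects and frames;
    TLS is TCP wrapped with certificate verification of the collector."""
    if transport == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(message.encode("utf-8"), (host, port))
    elif transport == "tcp":
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall(frame_for_tcp(message))
    elif transport == "tls":
        # Verify the collector's certificate against ca_file (or system CAs).
        ctx = ssl.create_default_context(cafile=ca_file)
        with socket.create_connection((host, port), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as s:
            s.sendall(frame_for_tcp(message))
    else:
        raise ValueError("transport must be 'udp', 'tcp' or 'tls'")


def start_stand_in_receiver(transport, host="127.0.0.1"):
    """Listen on an ephemeral localhost port and queue the first message
    received. This is a constructed stand-in for the collector, used only
    to validate the sending side; it is not FortiSIEM."""
    received = queue.Queue()
    kind = socket.SOCK_DGRAM if transport == "udp" else socket.SOCK_STREAM
    sock = socket.socket(socket.AF_INET, kind)
    sock.settimeout(5)
    sock.bind((host, 0))  # port 0: let the OS pick a free port
    if transport == "tcp":
        sock.listen(1)    # listen before the sender connects
    port = sock.getsockname()[1]

    def serve():
        with sock:
            if transport == "udp":
                data, _ = sock.recvfrom(65535)
            else:
                conn, _ = sock.accept()
                conn.settimeout(5)
                with conn:
                    data = b""
                    while True:             # read until the sender closes
                        chunk = conn.recv(4096)
                        if not chunk:
                            break
                        data += chunk
                    count, _, data = data.partition(b" ")
                    if int(count) != len(data):
                        raise ValueError("octet-count framing mismatch")
            received.put(data.decode("utf-8"))

    threading.Thread(target=serve, daemon=True).start()
    return port, received


def check_round_trip(transport):
    """Send one test event via the chosen transport to the stand-in receiver
    and return (sent, received); received is None if nothing arrived."""
    port, received = start_stand_in_receiver(transport)
    msg = build_syslog_message(1, 6, "fw-lab-01", "syslog-check",
                               f"transport={transport} test event",
                               ts="2024-01-01T00:00:00Z")
    send_syslog(msg, host="127.0.0.1", port=port, transport=transport)
    try:
        return msg, received.get(timeout=5)
    except queue.Empty:
        return msg, None


if __name__ == "__main__":
    for t in ("udp", "tcp"):
        sent, got = check_round_trip(t)
        print(t, "OK" if sent == got else "MISMATCH/LOST", got)
```

To test against a real collector, call `send_syslog(msg, host="<collector-ip>", port=514, transport="udp")` from the device's network segment and confirm the event appears in FortiSIEM; if it does not, the firewall path, the listening port and the transport are the first three things to check. The stand-in receiver is there so the message format and framing can be verified locally before any network or collector variables are involved.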

Now, what does that mean for your day-to-day work? If you’re responsible for log architecture, you’ll want a few concrete takeaways:

  • Always document the transport mode and port in use. A quick internal diagram or a one-pager helps teammates understand how logs flow, where they terminate, and what to troubleshoot if something goes missing.

  • Build redundancy into the plan. With UDP, you accept a small chance of loss; with TCP, you get reliability but potential latency. In critical environments, some teams employ a combination: UDP for high-volume, low-stakes logs and TCP/TLS for high-priority sources.

  • Keep security tight. If you move to TCP or TLS for syslog, ensure certificates, key management, and trust relationships are clear. Logs can contain sensitive information, so encryption isn’t just a nicety—it’s practical protection.

  • Test, then test again. Simulate failures: a firewall rule change, a link hiccup, a burst of events. How does FortiSIEM handle that? Do you get gaps, duplicates, or delays? Document those outcomes so you can tune thresholds and parsing later.

To bring some real-world flavor into this, imagine you’re integrating a mix of devices: FortiGate firewalls, servers, and a handful of third-party apps. The FortiGate logs might flood the FortiSIEM collector via UDP 514 because that’s simple and quick. Some critical servers—perhaps file servers or domain controllers—might benefit from a TCP-based path to reduce the chance of dropped events during peak hours. In that hybrid setup, you wouldn’t expect to use a stray port like 9999 for all devices. You’d map each class of devices to a transport and port that makes sense, then ensure your security controls and network rules reflect that mapping.

Let’s circle back to the central question one more time with clarity: The correct answer is No. Syslog messages cannot be sent to FortiSIEM over TCP port 9999 by default, because FortiSIEM expects syslog messages to be sent over UDP, typically using port 514. There is the capability to configure FortiSIEM to receive syslog messages over TCP, but the idea of using TCP port 9999 runs counter to standard practices and is not aligned with how the majority of FortiSIEM deployments are set up.

If you’re curious about the why behind this, here’s the essence: standardization helps teams move fast. When everyone uses UDP 514 for syslog, you don’t have to memorize a dozen port numbers; you can rely on a well-known pattern. That doesn’t mean it’s the only way to do things—flexibility matters in real networks—but it does mean that a port like 9999 requires a documented, deliberate shift in strategy, not a casual tweak.

In closing, here’s a practical mindset you can carry forward:

  • Start with the default and understand why it’s there. FortiSIEM’s UDP-based syslog intake is simple and scalable for many environments.

  • If you must change the transport, know your reasons, pick ports carefully, and align the entire stack. The moment you introduce a nonstandard port, you owe yourself a stronger configuration and testing plan.

  • Keep it relatable. Logs aren’t just data; they’re the heartbeat of your security operations. The way you transport them matters for reliability, speed, and, ultimately, your ability to respond when something goes wrong.

If you want to explore this topic further, look for Fortinet’s documentation and community guides on syslog inputs and FortiSIEM ingestion. You’ll find notes that echo this balance between simplicity and reliability, and they’ll give you concrete examples of how teams approach UDP versus TCP in real-life deployments. And yes, you’ll see the same refrain echoed: UDP 514 is the common starting point, and any deviation needs clear justification and careful planning.

So next time the question pops up—can syslog be sent over TCP port 9999 to FortiSIEM?—you’ll have a grounded, practical answer and a sense of the broader considerations that sit behind it. It’s not just about a port number; it’s about the story your log data tells and how reliably you hear it when it matters most.
