From FortiWEB 5.4 to 5.8 the CEF logs have been changed.
The FortiWEB is sending the destination hostname with " in the field; this is not supposed to be done that way, because then ArcSight doesn't eliminate the " from the hostname.
Another issue is the fact that the destination hostname is sometimes an IP when there's already an IP in the destination address field.
The CEF field "request" is supposed to contain the protocol, hostname/IP, port and path but now there's only the path in it.
FortiWEB in version 5.4 was way better than 5.8. Is there a way to get the reasons why the logs are getting such bad quality now?
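
One way to clean these records before they reach the SIEM, as an added example that is not part of the original post and is not Fortinet or ArcSight code. The sample records are constructed, and using the CEF keys app and dpt to rebuild request is an assumption about which fields the device sends.

```python
import ipaddress
import re

# Constructed sample records showing the three problems described in the post.
SAMPLE_HOST = ('CEF:0|Fortinet|FortiWeb|5.8|20000008|attack|5|src=198.51.100.7 '
               'dst=192.0.2.10 dpt=443 app=HTTPS dhost="www.example.com" '
               'request=/login?user=a')
SAMPLE_IP = ('CEF:0|Fortinet|FortiWeb|5.8|20000008|attack|5|src=198.51.100.7 '
             'dst=192.0.2.10 dpt=443 app=HTTPS dhost="192.0.2.10" '
             'request=/index.html')

# A value runs until the next " key=" or the end of the line.
_EXT = re.compile(r'(\w+)=(.*?)(?=\s+\w+=|$)')

def parse_cef(line):
    """Split a CEF line into (7 header fields, extension dict)."""
    parts = re.split(r'(?<!\\)\|', line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    return parts[:7], dict(_EXT.findall(parts[7]))

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def normalize(ext):
    """Return a cleaned copy of the extension fields."""
    out = dict(ext)
    # 1. Strip the literal quotes the device wraps around dhost.
    host = out.pop("dhost", "").strip().strip('"')
    if host and _is_ip(host):
        out.setdefault("dst", host)   # 2. an IP belongs in dst, not dhost
    elif host:
        out["dhost"] = host
    # 3. Rebuild protocol://host:port/path when request holds only a path.
    req = out.get("request", "")
    target = out.get("dhost") or out.get("dst")
    if req.startswith("/") and target:
        scheme = out.get("app", "http").lower()   # assumption: app is set
        if ":" in target:                          # bracket IPv6 literals
            target = f"[{target}]"
        port = f":{out['dpt']}" if out.get("dpt") else ""
        out["request"] = f"{scheme}://{target}{port}{req}"
    return out
```
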