I have a setup using NXlog instances as collectors in a large number of security zones.

<Input in0>
    Module   im_tcp
    Host      XXX.XXX.XXX.XXX
</Input>

but for some reason this does not capture logs coming in on port 514 from Fortinet units; all other logs (from Windows and Linux servers) are received and processed just fine.

tcpdump -nvvA host [Fortinet unit IP]

shows log traffic coming in on the NIC from the given IP address.

What am I missing?