Comprehensive and Detailed Explanation From Exact Extract of knowledge of FortiAnalyzer 7.6 Study guide documents:
FortiAnalyzer’s ingestion pipeline does not “drop” logs simply because a parser is unavailable. The study guide states that when devices send logs,“Logs received are decompressed and saved in a log file on the FortiAnalyzer disk”(with a .log extension). This establishes that the raw log is still accepted and stored on disk as part of the normal workflow.
Normalization, however, depends on having a suitable parser. The study guide explains that“FortiAnalyzer uses predefined parsers to extract key fields from ingested logs and maps them to a consistent, standardized set of field names.”It further emphasizes that“Log parsers … are central to log normalization”because they convert unstructured/native logs into a standardized schema.
Therefore, ifno matching parserexists for a given device log, FortiAnalyzer can stillstore the incoming log(it is received, decompressed, and written to disk), but it cannot perform the “extract key fields” and “map to standardized field names” steps required for normalization. In practical terms, the log remains in its native/unstructured form (not normalized), which aligns exactly with optionC.
