Exam NSE5_FAZ-7.2 topic 1 question 5 discussion

Study Guide page 77 & 78 A & B are correct C is false as you can perform log fetching with standard user D is false as it s not specify anywhere that archieved logs in the server will be archived logs in the client. Logs are retrieve to run queries and reports on forensic analysis.

The answer es AB, FortiAnalyzer 7.2 Analyst Self-Paced says: "You can do the log fetching before adding the devices to Device Manager, but you won't be able to see the logs"

You can fetch logs without the device in device manager. However, to view the logs you need to add it. Answer is A, B.

For me its a trick question, because the answer C "The fetching profile must include a user with the Super_User profile." give us a sensation that only Super User profile must be include, but in fact we can include Standard User as well, because of that I believe answer D is more accurable

Possible answer as to why D is not correct: When you fetch archived logs from the server, its done for the purpose of analyzing and/or running reports on them. I believe the client stores these archived logs separately from its own normal archived logs, and manages them independently.

B and D are correct. Ref: FortiAnalyzer_7.4_Analyst_Study_Guide-Online.pdf pag 84

A. (F) In FortiAnalyzer Analyst 7.2 Study Guide, p. 78 indicates that it must be the Device Manager but not necessarily a Local Device Manager. B. (V) In FortiAnalyzer Analyst 7.2 Study Guide, p. 78 indicates that you can choose filters that include logs from specific devices (it can be a single device) C. (V) In FortiAnalyzer Analyst 7.2 Study Guide, p. 77 indicates in the image of point number one that "must have Super_User or Standard_User profile" D. (F) In FortiAnalyzer Analyst 7.2 Study Guide, p. 77 indicates the following statement "The FortiAnalyzer device that fetches logs operates as the fetch client, and the other Fortinalyzer device that send logs operates as the fetch server". They focus on the devices, they never mention such terms for archive logs.

After revisiting this question, I suppose that it is broken. A copule of days I've explained about answers B and D such as correct, but answer A is also true: The fetch client can retrieve logs from devices that are not added to its local Device Manager, I did it on lab. If we Pass through the understanding about *maybe* answer D is incorrect, if we consider "...become archive logs in the client" that original logs will be moved from fetch server to client, and that's don't occurr.

B and D D: The fetch server administrator user name and password must be for an administrator with either a Standard_User or Super_User profile. https://docs.fortinet.com/document/fortianalyzer/7.4.2/administration-guide/785943/fetching-profiles

B and D are correct About answer B, check it on FortiAnalyzer Analyst 7.2 Study Guide, p. 77 and https://docs.fortinet.com/document/fortianalyzer/7.4.2/administration-guide/651442/log-fetching About answer D, I've just tried the functionally on lab and on production, and I had just archived logs on FortiAnalyzer client. To see analytics logs, it's necessary wait the rebuild ADOM.

https://docs.fortinet.com/document/fortianalyzer/7.4.2/administration-guide/651442/log-fetching The fetching FortiAnalyzer can query the server FortiAnalyzer and retrieve the log data for a specified device and time period, based on specified filters. https://docs.fortinet.com/document/fortianalyzer/7.4.2/administration-guide/559986/fetch-requests The data policy for the local ADOM on the client must also support fetching logs from the specified time period. It must keep both archive and analytics logs long enough so they will not be deleted in accordance with the policy. For example: Today is July 1, the ADOM's data policy is configured to keep analytics logs for 30 days (June 1 - 30), and you need to fetch logs from the first week of May. The data policy of the ADOM must be adjusted to keep analytics and archive logs for at least 62 days to cover the entire time span. Otherwise, the fetched logs will be automatically deleted after they are fetched.

FAZ Analyst 7.2 Study Guide Page: 77-78

B & C FAZ Analyst 7.2 Study Guide Page: 77-78

A & B correct

B & C, Page 168 , FAZ_7.0

B & C, Page 168 , FAZ_7.0

- retrieve archive logs from another FAZ and run queries or reports on those archived logs - you can do the log fetching but you won't be able to see the logs if you do not add the FAZ to the Device Manager (pages 77-78) So I think B and D are more accurate answers.