How are raw and archive logs distributed?

Study for the Fortinet FortiAnalyzer 6.4 Test. Use interactive flashcards and multiple choice questions with detailed explanations. Be exam-ready!

Raw and archive logs are distributed on a per-device basis: FortiAnalyzer keeps the logs each registered device sends in that device's own log store rather than pooling them with everyone else's. Because every record is already attributed to its source, an administrator can pull one device's raw logs for troubleshooting, performance review or an investigation without first filtering them out of a shared pool, and the storage a device consumes can be measured and managed on its own.

The other options describe groupings FortiAnalyzer does not use for raw and archive log distribution. Logs are not partitioned by user role; one user's activity can span many devices, and such a layout would make it harder to answer the device-centric questions (is this firewall still forwarding logs, why did it drop this session) that the logs exist to answer. A weekly grouping is not the distribution mechanism either: logs arrive continuously and are written as they come, so a fixed calendar bucket adds nothing to monitoring or response (the size- or schedule-based rolling of a device's log files is a separate setting from how the logs are distributed). ADOMs do group devices for administration, access control and retention policy, but that is organizational layering above the storage: within an ADOM, raw and archive logs are still kept per device.
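To make the per-device principle concrete, the following added example (not FortiAnalyzer's own code, and not a reproduction of its on-disk layout) takes constructed raw log lines in the FortiGate key=value format, attributes each line to its source using the devid field that FortiGate logs carry, and reports the per-device line count, byte volume and log-type mix. Device serials, names and addresses in the sample are invented for illustration; the regex-based parser is a simplification that handles quoted and unquoted values but not escaped quotes.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate key=value log syntax; serials, names and
# addresses are made up for this illustration and do not come from a real deployment.
SAMPLE_RAW_LOGS = """\
date=2024-05-01 time=10:00:01 devname="FGT-BRANCH-A" devid="FGTDEMO000000001" logid="0000000013" type="traffic" subtype="forward" action="accept" srcip=192.0.2.5 dstip=198.51.100.34
date=2024-05-01 time=10:00:02 devname="FGT-BRANCH-B" devid="FGTDEMO000000002" logid="0000000013" type="traffic" subtype="forward" action="deny" srcip=192.0.2.9 dstip=198.51.100.7
date=2024-05-01 time=10:00:03 devname="FGT-BRANCH-A" devid="FGTDEMO000000001" logid="0100032001" type="event" subtype="system" action="login" user="admin"
date=2024-05-01 time=10:00:04 devname="FGT-BRANCH-A" devid="FGTDEMO000000001" logid="0000000013" type="traffic" subtype="forward" action="accept" srcip=192.0.2.7 dstip=203.0.113.10
date=2024-05-01 time=10:00:05 devname="FGT-BRANCH-B" devid="FGTDEMO000000002" logid="0100032002" type="event" subtype="system" action="logout" user="admin"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

UNKNOWN_DEVICE = "<unknown-device>"


def parse_fortigate_line(line):
    """Parse one FortiGate-style key=value log line into a dict of string fields."""
    fields = {}
    for match in KV_RE.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def distribute_by_device(raw_text):
    """Bin raw log lines per source device, keyed by the devid field.

    Lines with no devid cannot be attributed to a device; they are kept under a
    sentinel key so that a parsing problem is visible instead of silently dropped.
    """
    per_device = defaultdict(list)
    for line in raw_text.splitlines():
        if not line.strip():
            continue
        devid = parse_fortigate_line(line).get("devid")
        per_device[devid if devid is not None else UNKNOWN_DEVICE].append(line)
    return dict(per_device)


def per_device_summary(per_device):
    """Return {devid: {"lines": n, "bytes": b, "types": {type: count}}}.

    This is the kind of per-device sizing and retention information that a
    per-device store makes cheap to compute, since no cross-device filtering is needed.
    """
    summary = {}
    for devid, lines in per_device.items():
        types = defaultdict(int)
        for line in lines:
            types[parse_fortigate_line(line).get("type", "?")] += 1
        summary[devid] = {
            "lines": len(lines),
            # +1 per line accounts for the newline that separates records on disk.
            "bytes": sum(len(line.encode("utf-8")) + 1 for line in lines),
            "types": dict(types),
        }
    return summary


if __name__ == "__main__":
    binned = distribute_by_device(SAMPLE_RAW_LOGS)
    for devid, stats in sorted(per_device_summary(binned).items()):
        print(f"{devid}: {stats['lines']} lines, {stats['bytes']} bytes, types={stats['types']}")
```

Run it as a script to see one summary line per device. The same grouping applied to a real export of raw logs is a quick way to check which devices dominate archive storage before adjusting retention or quotas.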
