What functionality does collector mode lack that is present in analyzer mode?

Study for the Fortinet FortiAnalyzer 6.4 Test. Use interactive flashcards and multiple choice questions with detailed explanations. Be exam-ready!

In Fortinet's FortiAnalyzer, collector mode is designed primarily for data collection and log storage, while analyzer mode offers enhanced functionality for log analysis and reporting. The functionality that distinguishes analyzer mode from collector mode is FortiView.

FortiView provides a graphical dashboard that allows users to visualize and analyze logs in real time, offering insights into network activity, threats, and performance metrics. This feature is essential for security operations because it helps administrators quickly interpret log data and act on anomalies or trends. Collector mode does not offer this in-depth analysis capability; it focuses mainly on gathering logs, without the advanced visualization and real-time monitoring that FortiView provides.

While collector mode can handle log aggregation and might support data imports and the generation of alerts, the interactive data visualization and detailed analysis provided by FortiView are unique to analyzer mode, making it a crucial tool for security analysts who need to interpret large volumes of log data effectively.
