Possible answer as to why D is not correct: When you fetch archived logs from the server, its done for the purpose of analyzing and/or running reports on them. I believe the client stores these archived logs separately from its own normal archived logs, and manages them independently.

B and D are correct. Ref: FortiAnalyzer_7.4_Analyst_Study_Guide-Online.pdf pag 84

A. (F) In FortiAnalyzer Analyst 7.2 Study Guide, p. 78 indicates that it must be the Device Manager but not necessarily a Local Device Manager. B. (V) In FortiAnalyzer Analyst 7.2 Study Guide, p. 78 indicates that you can choose filters that include logs from specific devices (it can be a single device) C. (V) In FortiAnalyzer Analyst 7.2 Study Guide, p. 77 indicates in the image of point number one that "must have Super_User or Standard_User profile" D. (F) In FortiAnalyzer Analyst 7.2 Study Guide, p. 77 indicates the following statement "The FortiAnalyzer device that fetches logs operates as the fetch client, and the other Fortinalyzer device that send logs operates as the fetch server". They focus on the devices, they never mention such terms for archive logs.

After revisiting this question, I suppose that it is broken. A copule of days I've explained about answers B and D such as correct, but answer A is also true: The fetch client can retrieve logs from devices that are not added to its local Device Manager, I did it on lab. If we Pass through the understanding about *maybe* answer D is incorrect, if we consider "...become archive logs in the client" that original logs will be moved from fetch server to client, and that's don't occurr.

B and D D: The fetch server administrator user name and password must be for an administrator with either a Standard_User or Super_User profile. https://docs.fortinet.com/document/fortianalyzer/7.4.2/administration-guide/785943/fetching-profiles

B and D are correct About answer B, check it on FortiAnalyzer Analyst 7.2 Study Guide, p. 77 and https://docs.fortinet.com/document/fortianalyzer/7.4.2/administration-guide/651442/log-fetching About answer D, I've just tried the functionally on lab and on production, and I had just archived logs on FortiAnalyzer client. To see analytics logs, it's necessary wait the rebuild ADOM.

https://docs.fortinet.com/document/fortianalyzer/7.4.2/administration-guide/651442/log-fetching The fetching FortiAnalyzer can query the server FortiAnalyzer and retrieve the log data for a specified device and time period, based on specified filters. https://docs.fortinet.com/document/fortianalyzer/7.4.2/administration-guide/559986/fetch-requests The data policy for the local ADOM on the client must also support fetching logs from the specified time period. It must keep both archive and analytics logs long enough so they will not be deleted in accordance with the policy. For example: Today is July 1, the ADOM's data policy is configured to keep analytics logs for 30 days (June 1 - 30), and you need to fetch logs from the first week of May. The data policy of the ADOM must be adjusted to keep analytics and archive logs for at least 62 days to cover the entire time span. Otherwise, the fetched logs will be automatically deleted after they are fetched.

FAZ Analyst 7.2 Study Guide Page: 77-78

B & C FAZ Analyst 7.2 Study Guide Page: 77-78

A & B correct

B & C, Page 168 , FAZ_7.0

B & C, Page 168 , FAZ_7.0

- retrieve archive logs from another FAZ and run queries or reports on those archived logs - you can do the log fetching but you won't be able to see the logs if you do not add the FAZ to the Device Manager (pages 77-78) So I think B and D are more accurate answers.

A: Using FortiAnalyzer, you can enable log fetching. This allows FortiAnalyzer to fetch the archived logs of specified devices from another FortiAnalyzer B: During the request, you can choose filters to include: - Logs from a specific device - Logs of specific types and values - Logs from a specific time frame Reference: FortiAnalyzer Analyst Study Guide for FortiAnalyzer 7.2