QUESTION

If a log source in Panther receives logs without any attached schemas, does it mean that those logs will be received but not ingested, resulting in the log source discarding them?

ANSWER

 

If the log source does not have an associated schema, the logs will not be ingested. Whether these logs are discarded by the log source depends on the data transport type. For sources which support schema inference, such as HTTP and S3, the logs are saved in their raw form internally for 14 days before being discarded. However, if the transport type does not support schema inference, the incoming data is immediately discarded.