Using logs for forensics after a data breach

08.11.2010

* Logs are available in original format for most flexibility in subsequent .

* Integrity of each log and integrity of log sequence can be proven.

* Efficient storage with possibility to compress flat files.

The right approach: No matter what you use logs for, you need to ensure that you are working from legitimate logs, that the logs you have stored have not changed since they were received, and that no log has been added or deleted. So you need to store them with some sort of proof of integrity.

Whether you store raw or normalized logs, make sure you understand what you want to do with them. If you want maximum flexibility, work from raw logs and apply any processing later. If you want logs that are immediately usable for reporting or correlation, normalized storage is fine. But once a log is normalized, it can be difficult or even impossible to reconstruct the original message and prove its integrity.
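The two points above, proof of integrity for each log and for the sequence, and the loss of that proof once logs are normalized, can be shown together in a small example. The code below is added here and is not part of the original article: it chains raw log lines with keyed hashes (each tag covers the previous tag, and the final tag is kept out of band), verifies the chain, and then round-trips the same lines through a typical field-splitting normalizer to show that the rebuilt lines no longer match the stored tags. The three syslog-style lines, the archive key, and the normalizer's behaviour are all constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample input: three raw syslog-style lines as a collector might receive them.
RAW_LOGS = [
    "Nov  8 10:01:02 web01 sshd[2231]: Accepted publickey for alice from 10.0.0.5 port 52210 ssh2",
    "Nov  8 10:01:07 web01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; COMMAND=/bin/ls",
    "Nov  8 10:02:15 web01 sshd[2231]: Disconnected from user alice 10.0.0.5 port 52210",
]

# Assumed: a secret held only by the log archive (placeholder value, not from the article).
ARCHIVE_KEY = b"archive-mac-key-placeholder"
GENESIS = b"\x00" * 32  # fixed starting value for the chain


def _tag(key, prev, line):
    # Each tag covers the previous tag, so the whole sequence is bound together.
    return hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()


def chain_logs(lines, key=ARCHIVE_KEY):
    """Return (entries, head): entries is a list of (raw_line, tag_hex) and
    head is the hex tag of the last entry, to be stored out of band."""
    prev = GENESIS
    entries = []
    for line in lines:
        tag = _tag(key, prev, line)
        entries.append((line, tag.hex()))
        prev = tag
    return entries, prev.hex()


def verify_chain(entries, head, key=ARCHIVE_KEY):
    """Return (ok, bad_index). bad_index is the first entry whose tag does not
    match (modification, insertion, deletion or reordering inside the sequence),
    len(entries) when only the head mismatches (entries removed from the end),
    or None when everything checks out."""
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(entries):
        expected = _tag(key, prev, line)
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return False, i
        prev = expected
    if not hmac.compare_digest(prev.hex(), head):
        return False, len(entries)
    return True, None


# --- raw vs. normalized storage ---------------------------------------------
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def normalize(line):
    """A typical normalizer (constructed for this example): split the line
    into fields and tidy whitespace, which silently discards original bytes."""
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError(f"unparsed line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = " ".join(rec["ts"].split())    # "Nov  8" becomes "Nov 8"
    rec["msg"] = " ".join(rec["msg"].split())  # collapse runs of spaces
    return rec


def denormalize(rec):
    """Best-effort reconstruction of the original line from the stored fields."""
    pid = f"[{rec['pid']}]" if rec["pid"] else ""
    return f"{rec['ts']} {rec['host']} {rec['app']}{pid}: {rec['msg']}"


def integrity_after_normalization(lines, key=ARCHIVE_KEY):
    """Chain the raw lines, round-trip them through the normalizer, and check
    whether the rebuilt lines still verify against the original tags."""
    entries, head = chain_logs(lines, key)
    rebuilt = [(denormalize(normalize(line)), tag) for line, tag in entries]
    return verify_chain(rebuilt, head, key)


if __name__ == "__main__":
    entries, head = chain_logs(RAW_LOGS)
    print("raw archive verifies:", verify_chain(entries, head))
    tampered = list(entries)
    tampered[1] = (tampered[1][0].replace("/bin/ls", "/bin/cat"), tampered[1][1])
    print("after modification:", verify_chain(tampered, head))
    print("after dropping last entry:", verify_chain(entries[:-1], head))
    print("after normalization round-trip:", integrity_after_normalization(RAW_LOGS))
```

The head tag has to live somewhere the archive writer cannot silently update (a write-once store, a signed record, or a periodic export to another system); without it, removing entries from the end of the chain leaves a sequence that still verifies. The normalization round-trip fails at the very first line because the collapsed whitespace cannot be recovered from the fields, which is exactly why raw storage is the one that keeps the integrity proof usable.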