Splunk Enterprise Security Certified Analyst — Question 66
A customer has a network device that transmits logs directly with UDP or TCP over SSL. Using PS best practices, which ingestion method should be used?
Answer options
- A. Open a TCP port with SSL on a heavy forwarder to parse and transmit the data to the indexing tier.
- B. Open a UDP port on a universal forwarder to parse and transmit the data to the indexing tier.
- C. Use a syslog server to aggregate the data to files and use a heavy forwarder to read and transmit the data to the indexing tier.
- D. Use a syslog server to aggregate the data to files and use a universal forwarder to read and transmit the data to the indexing tier.
Correct answer: D
Explanation
Option D is correct: a syslog server aggregates the logs into files, and a universal forwarder reads those files and transmits the data to the indexing tier, which handles the log data efficiently whether the device sends over UDP or TCP over SSL. Option A is incorrect because a heavy forwarder is not necessary in this scenario. Option B is incorrect because opening a UDP port on a universal forwarder provides no file aggregation, which is essential for structured log management. Option C is incorrect because it uses a heavy forwarder unnecessarily, which can complicate the setup.