Splunk Enterprise Certified Architect Practice Test


Prepare for the Splunk Enterprise Certified Architect Exam with detailed flashcards and multiple choice questions, each including hints and explanations. Get ready to excel in your certification!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!



What is the best practice for ingesting syslog data from network devices into Splunk?

  1. Configure syslog to send the data to multiple Splunk indexers.

  2. Use a Splunk indexer to collect a network input on port 514 directly.

  3. Use a Splunk forwarder to collect the input on port 514 and forward the data.

  4. Configure syslog to write logs and use a Splunk forwarder to collect the logs.

The correct answer is: Configure syslog to write logs and use a Splunk forwarder to collect the logs.

Writing syslog to files on a dedicated syslog server (rsyslog or syslog-ng) and collecting those files with a Splunk universal forwarder is the recommended pattern for several reasons.

First, a syslog daemon is the right tool for the 514 listener. It is a small, stable process that is rarely restarted, it writes incoming messages to disk as fast as they arrive, and it can route them into one file per sending device. A Splunk network input, by contrast, lives inside splunkd: every restart, upgrade or configuration reload of the indexer or forwarder drops the UDP datagrams that arrive while the process is down, because UDP has no retransmission. This is why option 2 (a network input on an indexer) and option 3 (a network input on a forwarder) are weaker choices, and why option 1, pointing devices at several indexers, only duplicates the data and multiplies the problem.

Second, writing to files decouples log generation from log ingestion. The files are a durable buffer: the forwarder tails them and, if the connection to the indexers is temporarily unavailable, resumes from its saved position when the connection returns, so nothing already written to disk is lost. (Messages sent while the syslog daemon itself is down are still lost; a file buffer only protects what a running receiver has written.)

Third, the file layout gives you control over metadata. When the syslog daemon writes one directory per sending device, the forwarder can derive the Splunk host field from the path and apply a sourcetype per device type, which is difficult when everything arrives on a single socket and would otherwise be tagged with the syslog server's own hostname.

Finally, separating the two tiers simplifies operations: Splunk configuration changes, forwarder upgrades and scaling of the indexing tier can be done with minimal disruption to the syslog server, and the syslog server can be tuned or replaced without touching Splunk. In summary,
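The pattern described above, as an added configuration example that is not part of the original page or of Splunk's own documentation: an rsyslog fragment that receives device syslog on UDP/TCP 514 and writes one file per device per day, followed by the inputs.conf stanza for a universal forwarder running on the same syslog server. The directory /var/log/remote, the index name `network`, the app name, the `splunk` group and the 7-day window are assumptions chosen for the example.

```conf
# /etc/rsyslog.d/10-network-devices.conf   (rsyslog, RainerScript syntax)
# Receives syslog from network devices and writes one file per device per day.
# /var/log/remote, the 'splunk' group and the 7d window are example assumptions.

module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")

# One file per source host per day. HOSTNAME comes from the packet, so it is
# attacker-controlled; secpath-replace turns any '/' into '_' so a spoofed
# hostname cannot steer the write outside /var/log/remote.
template(name="DeviceFile" type="string"
         string="/var/log/remote/%HOSTNAME:::secpath-replace%/%$year%-%$month%-%$day%.log")

# Stable line format: RFC 3339 timestamp, device hostname, tag and message.
template(name="DeviceLine" type="string"
         string="%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg%\n")

# Only remote traffic goes to the device tree; 'stop' keeps the same lines
# out of /var/log/messages. Files are group-readable by the forwarder's user.
if $fromhost-ip != "127.0.0.1" then {
    action(type="omfile" dynaFile="DeviceFile" template="DeviceLine"
           dirCreateMode="0750" fileCreateMode="0640"
           dirOwner="root" dirGroup="splunk" fileOwner="root" fileGroup="splunk")
    stop
}

# $SPLUNK_HOME/etc/apps/network_syslog/local/inputs.conf   (universal forwarder)
[monitor:///var/log/remote/*/*.log]
disabled = 0
index = network
sourcetype = syslog
# Path is /var/log/remote/<device>/<date>.log; segment 4 is the device name,
# so the host field is the device, not the syslog server.
host_segment = 4
# On restart, skip day files older than the retention window instead of
# re-reading them; daily files also make log rotation unnecessary.
ignoreOlderThan = 7d

# Anti-pattern (options 2 and 3 in the question): a network input inside
# splunkd loses every UDP datagram that arrives while splunkd is restarting.
# [udp://514]
# sourcetype = syslog
```

After placing the files, restart rsyslog and the forwarder (`systemctl restart rsyslog` and `splunk restart`), then confirm with `splunk list monitor` that the wildcard path is being watched and, from a device, that a test message lands in its own directory. The forwarder's outputs.conf (indexer addresses, TLS) is unchanged by this pattern and is not shown. Splunk also publishes Splunk Connect for Syslog (SC4S), a packaged syslog-ng receiver that sends to Splunk over HEC; it implements the same principle of keeping the 514 listener outside splunkd, but it is a separate product and not what the question is asking about.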