The best practice for ingesting data from a network device that sends logs directly over UDP, or over TCP with SSL, is to point the device at a syslog server that aggregates the data to files, and then use a heavy forwarder to read those files and transmit the data to the indexing tier. This method has several advantages:
It decouples the network device from Splunk: the device only has to reach a dedicated syslog server, and a forwarder or indexer restart no longer loses the UDP datagrams the device keeps sending, because the syslog server continues to receive them and write them to disk.
It keeps the unreliable leg short. UDP is only used between the device and the syslog server; from the heavy forwarder onward the data travels over Splunk's own TCP forwarding, which can be encrypted with SSL, so transport to the indexing tier is both reliable and secure.
It allows the heavy forwarder to parse and enrich the data (sourcetype assignment, timestamp and host extraction, index-time transforms) before sending it to the indexing tier.
It preserves the original timestamp and host information carried in the syslog header, provided the syslog server writes each sending host to its own file or directory and the forwarder's monitor input is configured to use it (for example with host_segment). syslog-ng, rsyslog and Splunk Connect for Syslog are the usual ways to build this layer.
Therefore, the correct answer is C: use a syslog server to aggregate the data to files and use a heavy forwarder to read and transmit the data to the indexing tier. References:
Get data from network sources
Use Splunk Connect for Syslog
Configure event processing
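The following is an added example (not Splunk's code and not from the original answer) that emulates what a heavy forwarder's file monitor input does with files a syslog server has written, so that the sending host and the timestamp from the syslog header, rather than the time the file was touched, end up on the event. It assumes a directory layout of /var/log/remote/<host>/<program>.log (so the host is the fourth path segment, matching the host_segment numbering in inputs.conf), and it stamps RFC 3164 timestamps, which carry no year or time zone, with a default year in UTC; the sample files and their contents are constructed for the example.

```python
"""Added example (not Splunk's code): emulate what a heavy forwarder's
[monitor://] input does with files a syslog server has written, so the
original syslog timestamp and sending host survive the file hop.

Assumptions (not from the page): the syslog server writes one directory per
sending host under /var/log/remote/<host>/<program>.log, and RFC 3164
timestamps (no year, no zone) are stamped with DEFAULT_YEAR in UTC."""
import os
import re
import tempfile
from datetime import datetime, timezone

DEFAULT_YEAR = 2024
HOST_SEGMENT = 4  # /var(1)/log(2)/remote(3)/<host>(4)/..., counted like host_segment

# Constructed sample files, keyed by the path the syslog server would write.
SAMPLE_FILES = {
    "/var/log/remote/fw-edge-01/kernel.log":
        "<4>Mar 10 14:22:31 fw-edge-01 kernel: DROP IN=eth0 SRC=203.0.113.7 "
        "DST=198.51.100.2 PROTO=TCP DPT=22\n",
    "/var/log/remote/sw-core-01/link.log":
        "<14>1 2024-03-10T14:22:40.123Z sw-core-01 ifmgr 812 - - "
        "Interface Gi1/0/24 changed state to down\n"
        "garbage line with no syslog header\n",
}

# RFC 3164: <PRI>Mmm dd hh:mm:ss HOST MSG ; RFC 5424: <PRI>1 TS HOST APP PID MSGID SD MSG
RFC3164 = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
RFC5424 = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (?:-|\[.*?\]) (.*)$")


def host_from_path(path, host_segment=HOST_SEGMENT):
    """Same rule as inputs.conf host_segment: 1-indexed path component."""
    parts = path.strip("/").split("/")
    return parts[host_segment - 1]


def parse_header(line, default_year=DEFAULT_YEAR):
    """Return (timestamp, header_host, facility, severity, message), or None
    when the line carries no recognisable syslog header."""
    m = RFC3164.match(line)
    if m:
        pri, ts, host, msg = m.groups()
        when = datetime.strptime(f"{default_year} {ts}", "%Y %b %d %H:%M:%S")
        when = when.replace(tzinfo=timezone.utc)  # assumption: device clocks are UTC
    else:
        m = RFC5424.match(line)
        if not m:
            return None
        pri, ts, host, _app, _pid, _msgid, msg = m.groups()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    pri = int(pri)
    return when, host, pri >> 3, pri & 7, msg  # facility = PRI // 8, severity = PRI % 8


def ingest_file(logical_path, text, host_segment=HOST_SEGMENT, default_year=DEFAULT_YEAR):
    """Turn the lines of one monitored file into Splunk-style event dicts."""
    file_host = host_from_path(logical_path, host_segment)
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        parsed = parse_header(raw, default_year)
        if parsed is None:
            # No usable header: the host still comes from the directory, but
            # the event time is unknown here (Splunk would fall back to index time).
            events.append({"host": file_host, "_time": None, "facility": None,
                           "severity": None, "source": logical_path, "_raw": raw})
            continue
        when, header_host, facility, severity, _msg = parsed
        events.append({"host": header_host or file_host, "_time": when.isoformat(),
                       "facility": facility, "severity": severity,
                       "source": logical_path, "_raw": raw})
    return events


def demo():
    """Write the sample tree under a temp dir, then read it back the way a
    file monitor would, recovering the logical path used for host_segment."""
    events = []
    with tempfile.TemporaryDirectory() as root:
        for logical, text in SAMPLE_FILES.items():
            disk = os.path.join(root, logical.lstrip("/"))
            os.makedirs(os.path.dirname(disk), exist_ok=True)
            with open(disk, "w", encoding="utf-8") as fh:
                fh.write(text)
        for logical in sorted(SAMPLE_FILES):
            disk = os.path.join(root, logical.lstrip("/"))
            with open(disk, encoding="utf-8") as fh:
                events.extend(ingest_file(logical, fh.read()))
    return events


if __name__ == "__main__":
    for ev in demo():
        print(ev["host"], ev["_time"], ev["facility"], ev["severity"], ev["_raw"][:40])
```

On a real heavy forwarder the equivalent is a [monitor:///var/log/remote/...] stanza in inputs.conf with host_segment = 4 and a syslog sourcetype, so that Splunk's own timestamp extraction reads the header rather than stamping the file's modification time; the garbage line shows the failure mode worth checking for, a device that emits lines without a syslog header, which keeps the right host from the directory but has no timestamp to recover.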