What is the best practice for ingesting this data into Splunk?
A new Splunk customer is using syslog to collect data from their network devices on port 514.
What is the best practice for ingesting this data into Splunk?
A. Configure syslog to send the data to multiple Splunk indexers.
B. Use a Splunk indexer to collect a network input on port 514 directly.
C. Use a Splunk forwarder to collect the input on port 514 and forward the data.
D. Configure syslog to write logs and use a Splunk forwarder to collect the logs.
Answer: D
Explanation:
The best practice for ingesting syslog data from network devices on port 514 into Splunk is to configure syslog to write logs and use a Splunk forwarder to collect the logs. This practice will ensure that the data is reliably collected and forwarded to Splunk, without losing any data or overloading the Splunk indexer.

Configuring syslog to send the data to multiple Splunk indexers will not guarantee data reliability, as syslog is a UDP protocol that does not provide acknowledgment or delivery confirmation.

Using a Splunk indexer to collect a network input on port 514 directly will not provide data reliability or load balancing, as the indexer may not be able to handle the incoming data volume or distribute it to other indexers.

Using a Splunk forwarder to collect the input on port 514 and forward the data will not provide data reliability, as the forwarder may not be able to receive the data from syslog or buffer it in case of network issues.

For more information, see [Get data from TCP and UDP ports] and [Best practices for syslog data] in the Splunk documentation.