GCP Professional Cloud Security Engineer Practice Question
Your organization operates dozens of Google Cloud projects. The security team must forward all VPC Flow Logs and Admin Activity audit logs to an on-premises Splunk Enterprise deployment. The solution must:
deliver each log entry to Splunk within seconds of its creation,
use TLS-protected HTTP connections to the existing Splunk HTTP Event Collector (HEC),
buffer and automatically retry delivery if the HEC endpoint is temporarily unavailable, and
require as little custom code and ongoing maintenance as possible.
What should you do?
Export all logs to a centralized BigQuery dataset using an aggregated sink, and use Splunk DB Connect to run SQL queries every five minutes to import new rows.
Create an organization-level aggregated log sink that routes the required logs to a Cloud Pub/Sub topic, then launch the Google-provided Dataflow "Cloud Pub/Sub to Splunk" streaming template to push events over HTTPS to the Splunk HEC endpoint with automatic retry handling.
Enable Log Analytics on each project's log bucket and instruct analysts to download JSON query results weekly from the Logs Explorer and upload them to Splunk.
Configure a dedicated log sink in each project that writes logs to Cloud Storage; schedule a daily Cloud Storage Transfer Service job to copy the objects on-premises where Splunk ingests them from a local folder.
An aggregated log sink created at the organization (or folder) level ensures that VPC Flow Logs and Admin Activity audit logs from every current and future project are captured automatically. Setting the sink's destination to a Cloud Pub/Sub topic provides near real-time, scalable log streaming. Google provides a supported Dataflow streaming template called "Cloud Pub/Sub to Splunk" that reads from the Pub/Sub subscription and posts the data to a Splunk HEC endpoint over HTTPS. The template includes built-in batching, exponential backoff, and dead-letter handling, which buffers messages and retries delivery if Splunk is temporarily unavailable, so log loss is minimized without custom code.
The other options fail to meet one or more requirements:
Exporting to Cloud Storage with scheduled transfers introduces multi-hour latency and operational complexity.
Exporting to BigQuery and polling from Splunk DB Connect adds minutes of delay and shifts query/ETL maintenance to the security team.
Manual downloads from Log Analytics are neither real-time nor low-overhead and risk human error.
Therefore, deploying an organization-level aggregated sink to Pub/Sub and using the managed Dataflow Pub/Sub-to-Splunk template best satisfies all stated constraints.
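The pipeline described above, written out as gcloud commands. This is an added example, not part of the original question; it prints the commands unless APPLY=1 is set. The organization ID, project, region, HEC URL, secret name and resource names are placeholder assumptions, and it assumes the Dataflow workers have a network path to the on-premises HEC endpoint.

```shell
# Added example. Every value below is a placeholder assumption, not from the page.
ORG_ID="${ORG_ID:-123456789012}"
HUB="${HUB:-logging-hub}"                       # project hosting Pub/Sub and Dataflow
REGION="${REGION:-us-central1}"
HEC_URL="${HEC_URL:-https://hec.example.internal:8088}"
HEC_SECRET="projects/$HUB/secrets/splunk-hec-token/versions/latest"
TOPIC=splunk-export; SUB=splunk-export-sub; DLQ=splunk-export-dlq; SINK=org-to-splunk

# Inclusion filter: only Admin Activity audit logs and VPC Flow Logs are routed.
sink_filter() {
  printf '%s' 'logName:"cloudaudit.googleapis.com%2Factivity" OR logName:"compute.googleapis.com%2Fvpc_flows"'
}

# Refuse a HEC endpoint that is not TLS-protected.
require_https() {
  case "$1" in
    https://*) return 0 ;;
    *) echo "HEC URL must start with https://" >&2; return 1 ;;
  esac
}

# Dry run by default: print each command. Set APPLY=1 to execute.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

deploy() {
  require_https "$HEC_URL" || return 1
  run gcloud pubsub topics create "$TOPIC" "$DLQ" --project="$HUB" || return 1
  run gcloud pubsub subscriptions create "$SUB" --topic="$TOPIC" --project="$HUB" || return 1
  run gcloud logging sinks create "$SINK" \
    "pubsub.googleapis.com/projects/$HUB/topics/$TOPIC" \
    --organization="$ORG_ID" --include-children --log-filter="$(sink_filter)" || return 1
  # The sink publishes as its own service account, which needs publisher rights.
  writer="<sink-writer-identity>"
  if [ "${APPLY:-0}" = 1 ]; then
    writer=$(gcloud logging sinks describe "$SINK" --organization="$ORG_ID" \
      --format='value(writerIdentity)') || return 1
  fi
  run gcloud pubsub topics add-iam-policy-binding "$TOPIC" --project="$HUB" \
    --member="$writer" --role=roles/pubsub.publisher || return 1
  # Google-provided streaming template; HEC token is read from Secret Manager.
  run gcloud dataflow jobs run pubsub-to-splunk --project="$HUB" --region="$REGION" \
    --gcs-location="gs://dataflow-templates-$REGION/latest/Cloud_PubSub_to_Splunk" \
    --parameters="inputSubscription=projects/$HUB/subscriptions/$SUB,url=$HEC_URL,tokenSource=SECRET_MANAGER,tokenSecretId=$HEC_SECRET,outputDeadletterTopic=projects/$HUB/topics/$DLQ"
}

deploy
```

The `--include-children` flag is what makes the sink aggregated, and the dead-letter topic holds events the template could not deliver to HEC so they can be replayed later.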
GCP Professional Cloud Security Engineer
Managing operations