Getting Data In

Can someone please explain to me why Splunk Universal Forwarder uses port 8089?

rabel001
Explorer

Can someone please explain to me why the Splunk Universal Forwarder uses port 8089 and what problems would arise if I disabled it?

1 Solution

alacercogitatus
SplunkTrust

It's a management port. It allows remote administration of the forwarder, once the default password is changed. It shouldn't hurt anything to disable it.


bandit
Motivator

Port 8089 is the default Splunk management port on all Splunk instances including the Universal Forwarder. If you never change the default password on a Universal Forwarder, authentication when accessing port 8089 will be blocked.

A use case for changing the password and leaving the port up would be to allow you to run remote debug commands on the forwarder such as the one below to understand what files are being monitored. Often Splunk admins do not have direct access to forwarders. It is also possible to run remote configuration commands through the REST API URL.

# Display status on the tailing processor where localhost is replaced with the hostname or IP of the forwarder
https://localhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus

Port 8089 is not needed on a forwarder for sending event data out to indexers or for communicating with a deployment server. In the case of deployment server, the forwarder initiates contact with the deployment server as a client. Only the deployment server needs to have the 8089 listening port up.
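As an added example (not from bandit's post or Splunk's own tooling), a small Python script that queries the TailingProcessor:FileStatus endpoint above over the management port and lists what the forwarder is tailing; the sample XML is constructed to match the endpoint's usual Atom/s:dict shape, and the host, user and password arguments are placeholders.

```python
import urllib.request
import xml.etree.ElementTree as ET
from base64 import b64encode

# Splunk REST responses are Atom feeds; the s: namespace carries the key/value payload.
NS = {"atom": "http://www.w3.org/2005/Atom", "s": "http://dev.splunk.com/ns/rest"}

# Constructed sample of a FileStatus response (shape assumed, not captured from a real forwarder).
SAMPLE_XML = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <entry>
    <content type="text/xml">
      <s:dict>
        <s:key name="/var/log/syslog">
          <s:dict>
            <s:key name="type">open file</s:key>
            <s:key name="percent">25.00</s:key>
          </s:dict>
        </s:key>
        <s:key name="/var/log/auth.log">
          <s:dict>
            <s:key name="type">finished reading</s:key>
            <s:key name="percent">100.00</s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>
"""

def parse_file_status(xml_text):
    """Return {path: {field: value}} for every monitored file in a FileStatus response."""
    root = ET.fromstring(xml_text)
    status = {}
    for entry_key in root.findall(".//atom:content/s:dict/s:key", NS):
        fields = {k.get("name"): (k.text or "").strip()
                  for k in entry_key.findall("s:dict/s:key", NS)}
        status[entry_key.get("name")] = fields
    return status

def fetch_file_status(host, user, password):
    """Query the forwarder's management port; only works once the default admin password is changed."""
    url = f"https://{host}:8089/services/admin/inputstatus/TailingProcessor:FileStatus"
    req = urllib.request.Request(url)
    token = b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")  # forwarder's own REST credentials, not Splunk Web
    with urllib.request.urlopen(req, timeout=10) as resp:  # default TLS verification applies
        return parse_file_status(resp.read())
```

Forwarders ship with a self-signed certificate, so fetch_file_status will fail TLS verification until you install a trusted certificate; parse_file_status can be run on the constructed sample without any network access.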

jrodman
Splunk Employee

The management port is not limited to remote management. It's how the forwarder is managed locally as well, when it is running, by the splunk command line tool. I would suggest considering firewalling it unless you truly need the peace of mind of the port being disabled entirely.


rabel001
Explorer

I disabled port 8089 in server.conf, deleted the folders received from the deployment server, restarted the service, made sure that port 8089 was not listening (by issuing ), the port was indeed NOT listening, and the server still received its configurations from the deployment server.

alacercogitatus
SplunkTrust

I think the forwarder contacts the deployment server - but I can't be sure about it in Splunk 6 - there were changes but I haven't caught up yet.

rabel001
Explorer

Oh, thank you so much. That explains so much.

One other question is, does the deployment server use the API at all for deployment?


rabel001
Explorer

I've set a new password, and when I browse to http://localhost:8089, all I see is the output of xml files.


alacercogitatus
SplunkTrust

Once you change the default password - you can hit it in a web browser using the REST API: https://your_forwarder:8089/. You can stop/start, check inputs to make sure it's configured properly.

rabel001
Explorer

What can be remotely administered using the port and how? I'm at a loss. Splunk is all new to me, and my boss wants me to get it all locked down because we got hit by a pentest big time because of Splunk.
