Security

How to limit which servers can connect to Splunk forwarders?

Konstantinov
Engager

Hello,

Our splunkforwarder Windows service listens on port 8089 from all IP addresses by default. Can I use Splunk conf files to allow connections only from Splunk servers?

Thanks.

0 Karma
1 Solution

FritzWittwer_ol
Contributor

Well, if this are just forwardes sending data to an indexer, you can diable 8089 at all, otherwise there is an accept attribute. Both are in Server.conf:

see http://docs.splunk.com/Documentation/Splunk/6.2.5/admin/Serverconf

##########################################################################################
# Splunkd HTTP server configuration
##########################################################################################

[httpServer]
    * Set stand-alone HTTP settings for Splunk under this stanza name.
    * Follow this stanza name with any number of the following attribute/value pairs.  
    * If you do not specify an entry for each attribute, Splunk uses the default value.

...
disableDefaultPort = true|false
        * If true, turns off listening on the splunkd management port (8089 by default)
        * This setting is not recommended:
          * This is the general communication path to splunkd.  If it is disabled, there is
            no way to communicate with a running splunk.
          * This means many command line splunk invocations cannot function,
            splunkweb cannot function, the REST interface cannot function, etc.
          * If you choose to disable the port anyway, understand that you are selecting
            reduced Splunk functionality.
        * Default value is 'false'.

    acceptFrom = <network_acl> ...
        * Lists a set of networks or addresses to accept data from.  These rules are separated by commas or spaces
        * Each rule can be in the following forms:
        *   1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")
        *   2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32")
        *   3. A DNS name, possibly with a '*' used as a wildcard (examples: "myhost.example.com", "*.splunk.com")
        *   4. A single '*' which matches anything
        * Entries can also be prefixed with '!' to cause the rule to reject the
          connection.  Rules are applied in order, and the first one to match is
          used.  For example, "!10.1/16, *" will allow connections from everywhere
          except the 10.1.*.* network.
        * Defaults to "*" (accept from anywhere)

View solution in original post

FritzWittwer_ol
Contributor

Well, if this are just forwardes sending data to an indexer, you can diable 8089 at all, otherwise there is an accept attribute. Both are in Server.conf:

see http://docs.splunk.com/Documentation/Splunk/6.2.5/admin/Serverconf

##########################################################################################
# Splunkd HTTP server configuration
##########################################################################################

[httpServer]
    * Set stand-alone HTTP settings for Splunk under this stanza name.
    * Follow this stanza name with any number of the following attribute/value pairs.  
    * If you do not specify an entry for each attribute, Splunk uses the default value.

...
disableDefaultPort = true|false
        * If true, turns off listening on the splunkd management port (8089 by default)
        * This setting is not recommended:
          * This is the general communication path to splunkd.  If it is disabled, there is
            no way to communicate with a running splunk.
          * This means many command line splunk invocations cannot function,
            splunkweb cannot function, the REST interface cannot function, etc.
          * If you choose to disable the port anyway, understand that you are selecting
            reduced Splunk functionality.
        * Default value is 'false'.

    acceptFrom = <network_acl> ...
        * Lists a set of networks or addresses to accept data from.  These rules are separated by commas or spaces
        * Each rule can be in the following forms:
        *   1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")
        *   2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32")
        *   3. A DNS name, possibly with a '*' used as a wildcard (examples: "myhost.example.com", "*.splunk.com")
        *   4. A single '*' which matches anything
        * Entries can also be prefixed with '!' to cause the rule to reject the
          connection.  Rules are applied in order, and the first one to match is
          used.  For example, "!10.1/16, *" will allow connections from everywhere
          except the 10.1.*.* network.
        * Defaults to "*" (accept from anywhere)

Konstantinov
Engager

Thanks! Is there any automated way to change server.conf file on all forwarders?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...