Hi
I would like to install a forwarder behind a firewall.
It should be a normal forwarder not a lightweight forwarder to collect some data and forward that data to the indexer.
If I'm right then the only port to open is TCP 9997.
The other ports splunk uses are
web TCP 8000 and management TCP 8089
Is this right or are there other ports too which splunk use ?
Thanks
Robert
That is correct.
8000 - Web interface
8089 - Splunkd
9997 - Receiving port for forwarded events
You likely won't need to be able to access the Splunkd port from your forwarders unless you're setting up deployment client/servers. Similarly the web interface doesn't have to be accessible from the forwarders. The only port you need to be able to access for that purpose is 9997.
That is correct.
8000 - Web interface
8089 - Splunkd
9997 - Receiving port for forwarded events
You likely won't need to be able to access the Splunkd port from your forwarders unless you're setting up deployment client/servers. Similarly the web interface doesn't have to be accessible from the forwarders. The only port you need to be able to access for that purpose is 9997.