We have a collector set up to receive logs from Windows servers. Data traverses port 8123. The networks team sent a report saying that Splunk is the top talker (from the collector on port 8124 to the source on port 51070, which we don't use). As far as I know, no data should be traversing from a collector to the source. This is not a deployment server. Is this possible?
Also, you mention both port 8123 and port 8124. And you mention a port that is not used, yet your network team claims it IS being used - you have some investigation to do.
Doesn't sound like Splunk's default ports; it could be another program running on the server that is talking.
From a Windows cmd prompt, try something like:
netstat -aon
To find the PID of the program talking on the troublesome port. You can then use Task Manager's "Processes" to find which process is using that PID. And go from there.
MHibbin
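As an added example (not part of MHibbin's answer), here is the same netstat-and-Task-Manager lookup done in PowerShell, which maps a connection on the local port to its owning process and command line in one step. It assumes the ports from the question (local 8124, remote 51070) and a host new enough to have Get-NetTCPConnection (Windows 8 / Server 2012 or later).

```powershell
# Added example: resolve a suspicious TCP connection to the process that owns it.
# Port values are assumptions taken from the question; adjust them as needed.
param(
    [int]$LocalPort  = 8124,
    [int]$RemotePort = 51070
)

# Get-NetTCPConnection comes from the NetTCPIP module (Windows 8 / Server 2012+).
# Pass RemotePort 0 to list every connection on the local port regardless of peer.
$conns = Get-NetTCPConnection -LocalPort $LocalPort -ErrorAction SilentlyContinue |
    Where-Object { $RemotePort -eq 0 -or $_.RemotePort -eq $RemotePort }

if (-not $conns) {
    Write-Host "No TCP connection currently matches local port $LocalPort / remote port $RemotePort."
    Write-Host "The talker may be intermittent; re-run while the network team sees the traffic."
    return
}

foreach ($c in $conns) {
    # Task Manager shows the name; Get-Process also gives the image path.
    $owner = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $name  = if ($owner) { $owner.ProcessName } else { '<exited>' }
    $path  = if ($owner) { $owner.Path } else { $null }

    # Win32_Process exposes the full command line, which separates a real splunkd
    # from an unrelated binary with a similar name (reading other users' processes
    # requires an elevated prompt).
    $cim = Get-CimInstance Win32_Process -Filter "ProcessId = $($c.OwningProcess)" `
        -ErrorAction SilentlyContinue
    $cmd = if ($cim) { $cim.CommandLine } else { $null }

    [pscustomobject]@{
        Local       = "$($c.LocalAddress):$($c.LocalPort)"
        Remote      = "$($c.RemoteAddress):$($c.RemotePort)"
        State       = $c.State
        OwningPID   = $c.OwningProcess
        ProcessName = $name
        Path        = $path
        CommandLine = $cmd
    }
}
```

Run it from an elevated PowerShell prompt on the collector while the traffic is visible; if the path is not under the Splunk install directory, the "Splunk" label in the network report is just the port guess, not the real process.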
Clarify: is your source server a Splunk Indexer/Search Head/Deployment Server? Is your collector a Heavy/Universal Forwarder?
What kinds of forwarders do you have installed? When you say "collector", are you referring to the native Windows log collection via WinEventLog:ForwardedEvents? Where are the Splunk forwarders installed (source or collector), and to which indexer do they send?