splunk seems to be sending data from a collector t...

oxxo · ‎10-03-2012

we have a collector setup to receive logs windows servers. data traverses port 8123. the networks team sent a report saying that Splunk is the top talker (from the collector on port 8124 to the source on port 51070 which we dont use). As far as I know, no data should be traversing from a collector to the source. this is not a deployment server. is this possible?

Ayn · ‎10-03-2012

Also you mention both port 8123 and port 8124. And you mention a port that is not used, yet your network team claims it IS being used - you have some investigation to do.

MHibbin · ‎10-03-2012

Doesn't sound Splunk's default ports, it could be another program running on the server that is talking.

From windows cmd prompt, you try something like:

netstat -aon

To find the PID of the program talking on the troublesome port. You can then use Task Manager's "Processes" to find which process is using that PID. And go from there.

MHibbin

bmacias84 · ‎10-03-2012

Clarify your source server is a Splunk Indexer/Search Head/Deployment Server, Your collector is a Heavy/Universal Forwarder?

alacercogitatus · ‎10-03-2012

What kinds of forwarders do you have installed? When you say "collector", are you referring to the native windows log collection via WinEventLog:ForwardedEvents? Where are the splunk forwarders installed (source or collector) and to what indexer?

splunk seems to be sending data from a collector to the source (server)

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!