firewall access for splunk servers

shawnedwards
New Member

Hi All -

Could you confirm that I have the connectivity ports correct or if I’m missing any? I just want to use the default port configurations at this point. I have installed Splunk on a single server and will be installing the universal forwarder on 3 other servers to forward the data back to the main server.

from Desktop Web Clients to Main Splunk Server using http on port 8000

from Client Servers to Main Splunk Server using tcp/udp on port 9997 for universal forwarder
from Client Servers to Main Splunk Server using tcp on port 8089 for Management Communication ***Does this one need to go back to those client servers with UF?

Thanks!

0 Karma

bmacias84
Champion

That all depends. Are you planning to enable remote CLI on your forwarders? If so, you will need to allow 8089 from your Splunk Server. You will also have to change the default password on the forwarders to enable this.

TCP/8089 - deployment server, distributed search, remote cli, pooled search heads (Search head to indexers) (Deployment client to Deployment Server) (between distributed search members) (between Pooled Search Head members) (remote cli to splunk instance)

TCP/9997 - Default receiving port on indexers (Forwarder to Indexers)

TCP/8000 - Default port SearchHead (web browser to search head)

0 Karma

bmacias84
Champion

In an All-in-One deployment your Splunk Server is the Deployment Server, Indexer, Search Head, and Licensing Server. Each one of those roles/features is available on full installs of Splunk and can be enabled or disabled. Deployment server is disabled by default. In an all-in-one deployment, TCP/9997 from forwarder to indexer/search and TCP/8000 from web clients to search head are all you should need to start. Hope this helps and that I answered your question.

0 Karma
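The port matrix from the two answers above, as an added example that is not part of the original thread: a small Python audit that compares the rules proposed in the question with the minimal set the answers describe for an all-in-one deployment. The zone names (`desktops`, `forwarders`, `splunk_server`), the `Rule` type and the function names are assumptions made for illustration.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    src: str    # hypothetical zone name, not a Splunk term
    dst: str
    proto: str
    port: int

def required_rules(remote_cli=False, deployment_server=False):
    """Minimal allow-list for the all-in-one deployment, per the answers above."""
    rules = {
        Rule("desktops", "splunk_server", "tcp", 8000),    # web browser to search head
        Rule("forwarders", "splunk_server", "tcp", 9997),  # forwarder to indexer
    }
    if remote_cli:         # remote CLI goes from the Splunk server to each forwarder
        rules.add(Rule("splunk_server", "forwarders", "tcp", 8089))
    if deployment_server:  # disabled by default; deployment clients call in on 8089
        rules.add(Rule("forwarders", "splunk_server", "tcp", 8089))
    return rules

def audit(proposed, **options):
    """Compare a proposed rule set with the minimal one for the chosen options."""
    needed, proposed = required_rules(**options), set(proposed)
    return {"missing": sorted(needed - proposed),
            "unneeded": sorted(proposed - needed)}

def describe(rule):
    return f"{rule.src} -> {rule.dst} {rule.proto}/{rule.port}"

# Constructed input: the rules as proposed in the question.
PROPOSED = [
    Rule("desktops", "splunk_server", "tcp", 8000),
    Rule("forwarders", "splunk_server", "tcp", 9997),
    Rule("forwarders", "splunk_server", "udp", 9997),
    Rule("forwarders", "splunk_server", "tcp", 8089),
]

if __name__ == "__main__":
    for label, opts in [("POC defaults", {}), ("remote CLI enabled", {"remote_cli": True})]:
        result = audit(PROPOSED, **opts)
        print(label)
        for kind in ("missing", "unneeded"):
            for rule in result[kind]:
                print(f"  {kind}: {describe(rule)}")
```

With the POC defaults the audit reports the UDP/9997 and forwarder-to-server TCP/8089 rules as unneeded; enabling remote CLI adds a missing rule in the opposite direction, from the Splunk server to the forwarders.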

shawnedwards
New Member

I meant to answer, I don't know if I will enable the remote CLI at this point since this is a POC. But, it is good to know about the traffic if we do.

0 Karma

shawnedwards
New Member

Thank you. I have the initial install on a single server. Are the terms of deployment server, indexers and search head synonymous for each/the server that I have Splunk installed on?

Thanks.

0 Karma