Security

firewall access for splunk servers

shawnedwards
New Member

Hi All -

Could you confirm that I have the connectivity ports correct or if I’m missing any? I just want to use the default port configurations at this point. I have installed Splunk on a single server and will be installing the universal forwarder to 3 other servers to forward the data back to the main server.

from Desktop Web Clients to Main Splunk Server using http on port 8000

from Client Servers to Main Splunk Server using tcp/udp on port 9997 for universal forwarder
from Client Servers to Main Splunk Server using tcp on port 8089 for Management Communication ***Does this one need to go back to those client servers with UF?

Thanks!

0 Karma

bmacias84
Champion

That all depends. Are you planning to enable remote CLI on your forwarders? If so, you will need to allow 8089 from your Splunk Server. You will also have to change the default password on the forwarders to enable this.

TCP/8089 - deployment server, distributed search, remote cli, pooled search heads (Search head to indexers) (Deployment client to Deployment Server) (between distributed search members) (between Pooled Search Head members) (remote cli to splunk instance)

TCP/9997 - Default receiving port on indexers (Forwarder to Indexers)

TCP/8000 - Default port SearchHead (web browser to search head)

0 Karma

bmacias84
Champion

In an All-in-One deployment your Splunk Server is the Deployment Server, Indexer, Search Head, and Licensing Server. Each one of those Roles/features is available on Full installs of Splunk and can be enabled or disabled. Deployment server is disabled by default. In an all-in-one deployment, TCP/9997 from forwarder to indexer/search and TCP/8000 from web clients to search head is all you should need to start. Hope this helps and that I answered your question.

0 Karma
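
An added example, not part of the original thread and not Splunk tooling: a small Python check that compares a proposed firewall allow-list with the flows the replies above name for an all-in-one deployment. The function names are hypothetical and all addresses are constructed documentation ranges.

```python
"""Diff a proposed firewall allow-list against the flows named in this thread."""
import ipaddress
from typing import NamedTuple


class Flow(NamedTuple):
    src: str    # host or CIDR
    dst: str    # host or CIDR
    proto: str
    port: int


def required_flows(server, forwarders, web_clients,
                   remote_cli=False, deployment_server=False):
    """Flows the replies above list for a single all-in-one Splunk server."""
    flows = [Flow(web_clients, server, "tcp", 8000)]              # browser -> Splunk Web
    flows += [Flow(f, server, "tcp", 9997) for f in forwarders]   # forwarder -> indexer
    if remote_cli:          # remote CLI: Splunk server -> forwarder management port
        flows += [Flow(server, f, "tcp", 8089) for f in forwarders]
    if deployment_server:   # off by default: deployment client -> deployment server
        flows += [Flow(f, server, "tcp", 8089) for f in forwarders]
    return flows


def covers(rule, flow):
    """True if an allow rule permits the flow: same proto/port, both ends inside."""
    net = ipaddress.ip_network
    return (rule.proto == flow.proto and rule.port == flow.port
            and net(flow.src).subnet_of(net(rule.src))
            and net(flow.dst).subnet_of(net(rule.dst)))


def audit(proposed, needed):
    """Return (needed flows that no rule allows, rules that no needed flow uses)."""
    missing = [f for f in needed if not any(covers(r, f) for r in proposed)]
    excess = [r for r in proposed if not any(covers(r, f) for f in needed)]
    return missing, excess


# Constructed sample data (documentation address ranges, not from the thread).
SERVER, WEB = "192.0.2.10", "198.51.100.0/24"
FORWARDERS = ["192.0.2.21", "192.0.2.22", "192.0.2.23"]
FWD_NET = "192.0.2.16/28"
# The rule set proposed in the question, written as allow rules.
PROPOSED = [Flow(WEB, SERVER, "tcp", 8000), Flow(FWD_NET, SERVER, "tcp", 9997),
            Flow(FWD_NET, SERVER, "udp", 9997), Flow(FWD_NET, SERVER, "tcp", 8089)]

if __name__ == "__main__":
    missing, excess = audit(PROPOSED, required_flows(SERVER, FORWARDERS, WEB))
    print("missing:", missing)
    print("not needed to start:", excess)
```

Passing `remote_cli=True` reports the server-to-forwarder 8089 flows as missing, since the proposed 8089 rule points the other way.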

shawnedwards
New Member

I meant to answer: I don't know if I will enable the remote CLI at this point since this is a POC. But, it is good to know about the traffic if we do.

0 Karma

shawnedwards
New Member

Thank you. I have the initial install onto a single server. Are the terms deployment server, indexers and search head synonymous for each/the server that I have Splunk installed on?

Thanks.

0 Karma