topic Re: Splunk DB connect in Security

Splunk DB connect

ffrig — Wed, 09 Oct 2013 12:16:56 GMT

I have a firewall between my indexer and MySLQ DB. What port(s) does the indexer use to make connections and queries? It is just 8000, 8089 or others? I'm connecting through to the standard 3306 port for MySQL. Thanks!

Re: Splunk DB connect

sowings — Wed, 09 Oct 2013 12:22:43 GMT

The indexer would initiate a connection from its side to the MySQL database, on whatever port the database is running. In your case, that's 3306.

Have you tried this and encountered an issue?

Re: Splunk DB connect

gfuente — Wed, 09 Oct 2013 12:22:43 GMT

Hello

You only need the 3306, as long as you don't install a forwarder in the db server.

regards

Re: Splunk DB connect

kristian_kolb — Wed, 09 Oct 2013 12:26:20 GMT

You'll need to allow the connection from the Splunk instance to the DB, which in your case seems to be port 3306.

Port 8000 is the default port where splunkweb is running. It has nothing to do with DBConnect. But of course you'll have to allow inbound traffic to the Splunk server on that port for users connecting with their browsers.

Port 8089 is used by various splunk instances (forwarders, indexers, search heads etc)to talk to each other (deployment traffic, distributing searches etc).

Port 9997 is commonly used for sending log traffic from forwarders to indexers.

Re: Splunk DB connect

ffrig — Wed, 09 Oct 2013 12:53:36 GMT

Thanks all, but I was after what the source port would be from the indexer to the DB server. Wasn't sure if this was a random high port or from Splunk Web?

Re: Splunk DB connect

ffrig — Wed, 09 Oct 2013 13:24:03 GMT

Did a trace and found the answer myself - random high port:
netstat -an | grep 172.27.67.174
tcp 0 1 ::ffff:172.27.91.38:41717 ::ffff:172.27.67.174:3306 SYN_SENT

Re: Splunk DB connect

sowings — Wed, 09 Oct 2013 13:27:21 GMT

Oh, so you needed the source port.