topic Re: Port Documentation in Security

Port Documentation

dcsteve24 — Fri, 29 Oct 2021 21:25:03 GMT

We have a standalone install which has to follow specific guidance and documentation. Without getting much into things, I need to document each port open and if certain ones don't already have a vulnerability assessment on file I need to generate a local report on what the port is for and how its utilized in the system(s).

My clients have splunk installed but don't tap into a lot of its power currently. Therefore I expect a lot of the extra ports can be turned off (at least for now) and save me a lot of paperwork.

This brings me to port 8065 and 8191.

8065, a local listening port that is tied to the splunk appserver. Problem is I can't find what Splunk is using this for exactly outside "app server".

If we don't utilize Splunk apps is this required? If we did what does this port provide and why would it be required?
When are calls made to it?
How would I turn it off in version 8 if I don't need it?

8191 is used for app kv store.

If apps are not utilized, can this be turned off?
If so how?
If apps are not utilized this seems like it wouldn't be required.

Re: Port Documentation

isoutamo — Fri, 29 Oct 2021 22:30:56 GMT

splunk has published this too in docs, but I cannot found it now 😞

https://www.aplura.com/splunk-best-practices/ This doc contains also picture and explanations of those.

r. Ismo

Re: Port Documentation

jmartin_pro — Fri, 05 Apr 2024 17:56:40 GMT

Hi! I know I'm late but I've always wondered this as well... From the Components and their relationship with the network section of the Inherit a Splunk Enterprise Deployment documentation, this is loopback communication, meaning you won't need to open any ports. Splunk is talking to the local KV Store database (mongod).

If I run an lsof for open ports, I see the following all occurring over the loopback interface (8065 shows a similar result, only showing Python as the listening service):