topic Universal Forwarder listening on port 8089 in Getting Data In

Universal Forwarder listening on port 8089

trross33 — Tue, 14 Jun 2011 19:53:12 GMT

I am running across a number vulnerability assessment findings regarding sslv2 being accepted on my SPLUNK Universal forwarder clients. I am using the Universal Forwarder to send data from my windows and linux machines to my indexer. I don't need it to listen on any port, that I know of.

Is it necessary for a universal forwarder to listen on any ports if it is only in use as a client to gather data and forward it to the indexer? If not, can this be disabled with a deployment app. Or at least have sslv2 disabled with an app sent to all the clients (I made the server.conf change on the deployment server). Thanks, as always.

Re: Universal Forwarder listening on port 8089

msettipane — Wed, 15 Jun 2011 03:04:31 GMT

http://www.splunk.com/base/Documentation/latest/admin/Secureaccesstoyoursplunkserverwithssl#Disable_SSLv2.

server.conf

disableDefaultPort = [true|false]
* If true, turns off listening on the splunkd management port (8089 by default)
* Default value is 'false'.

Re: Universal Forwarder listening on port 8089

trross33 — Wed, 15 Jun 2011 14:56:59 GMT

Thank you. If anyone follows up on this thread. The disableDefaultPort = [true|false] setting is documented here: http://www.splunk.com/base/Documentation/latest/admin/Serverconf

Re: Universal Forwarder listening on port 8089

trross33 — Wed, 15 Jun 2011 15:05:59 GMT

Can a server.conf configuration be pushed out with the splunk deployment server?

Re: Universal Forwarder listening on port 8089

araitz — Wed, 15 Jun 2011 15:10:02 GMT

Yes, a server.conf configuration can be pushed with deployment server.

Re: Universal Forwarder listening on port 8089

araitz — Wed, 15 Jun 2011 15:10:52 GMT

In addition to disabling SSLv2, server.conf allows you to specify valid cipherSuite.

Re: Universal Forwarder listening on port 8089

trross33 — Wed, 15 Jun 2011 20:40:19 GMT

Thanks. I appreciate it.

Re: Universal Forwarder listening on port 8089

kapanig — Wed, 07 Jan 2015 21:50:17 GMT

How do you manage the apps if you disable the deployment server port? 8089 with a properly created and issued certificate should void any vulnerabilities you have...

Re: Universal Forwarder listening on port 8089

mattlucas719 — Tue, 11 Jul 2017 14:28:07 GMT

The port 8089 is listening on the UF and is used only for REST/CLI communication handling INBOUND requests to the UF instance.
Apps that get deployed to a UF (or actually all splunk instances) are done via a PULL method ie: splunk is configured to reach out to the DS and pull down apps that it's assigned, the DS does not PUSH to the instance.
So an opened port is not needed for app deployment as long as the UF can reach the DS:8089 it'll get the apps.

PS: if you disable port 8089 on the DS itself yes, you kill app deployment.

Re: Universal Forwarder listening on port 8089

teekayx — Tue, 22 Aug 2017 15:28:21 GMT

Very Succinct, Thanks.

Re: Universal Forwarder listening on port 8089

ericjaystevens — Tue, 29 Jan 2019 14:58:57 GMT

Add the following to your etc/system/local/server.conf

[httpServer]
disableDefaultPort = true

,Add the following to your etc/system/local/server.conf

[httpServer]
disableDefaultPort = true