Deployment Architecture

Diagram of Splunk Common Network Ports

bandit
Motivator

What are Splunk Common Network Ports that I may need to open to allow traffic through a firewall?

bandit
Motivator

This is a diagram of Splunk components and network ports that are commonly used in a Splunk Enterprise environment. Firewall rules often need to be updated to allow communication on ports 8000, 8089, 9997, 514 and others.

Source files available here: http://downloads.jordan2000.com/splunk/

Updated version: [diagram image]

Original version: [diagram image]

monchien
Engager

What are the cyber threats to Splunk network ports? Can someone tell me?

byronsanderson
Engager

This is a fantastic diagram, thanks for posting!

I am super new to Splunk so please forgive the likely silly question but is all of the TCP 8089 communication within the Splunk components encrypted by default?

cameronjust
Path Finder

8089 is encrypted by default using unique self-signed SSL certs created by a Splunk installation when it runs for the first time.

See enableSplunkdSSL and serverCert in server.conf

https://docs.splunk.com/Documentation/Splunk/7.0.2/Admin/Serverconf

Fun fact: You can regenerate these at any time with this command

/opt/splunk/bin/splunk createssl server-cert -n server -d /opt/splunk/etc/auth/ -l 2048 -c SplunkServerDefault

I've needed to do this recently for Splunk upgrades from 6.x to 7.x where an old expired cert caused comms failures between some Splunk components. Ideally the Splunk upgrade process should regenerate these certs if they are using defaults. I'm hopeful they do that in the future.
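
Added example (not part of cameronjust's post or of Splunk's tooling): a POSIX sh script that reports how many days the certificate presented on a splunkd management port has left, which is the check that would have caught the expired default cert described above before it broke communication. It assumes the openssl CLI is installed and that the host name and port are your own; the dates fed to it in the comments are constructed. One caveat on "encrypted by default": the default cert is self-signed, and Splunk peers do not verify it unless sslVerifyServerCert is turned on in server.conf, so out of the box 8089 traffic is encrypted but the peer is not authenticated.

```shell
#!/bin/sh
# Added example, not from the original post: report how many days the
# certificate presented on a splunkd management port (8089 by default) has
# left, so an expired default cert is caught before it breaks component
# communication. The live fetch needs the openssl CLI; the date arithmetic
# is plain POSIX sh so it also works where GNU "date -d" is unavailable.

# days_from_civil YEAR MONTH DAY -> days since 1970-01-01 (Hinnant's
# days_from_civil algorithm, proleptic Gregorian, valid for years >= 0)
days_from_civil() {
  y=$1; m=$2; d=$3
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi
  era=$((y / 400))
  yoe=$((y - era * 400))
  if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
  doy=$(( (153 * mp + 2) / 5 + d - 1 ))
  doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
  echo $(( era * 146097 + doe - 719468 ))
}

# month_num Mon -> 1..12 for the month abbreviations openssl prints
month_num() {
  case "$1" in
    Jan) echo 1 ;; Feb) echo 2 ;; Mar) echo 3 ;;  Apr) echo 4 ;;
    May) echo 5 ;; Jun) echo 6 ;; Jul) echo 7 ;;  Aug) echo 8 ;;
    Sep) echo 9 ;; Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
    *) return 1 ;;
  esac
}

# days_left "notAfter=Mon DD HH:MM:SS YYYY GMT" [TODAY as YYYY-MM-DD]
# -> whole days until the cert expires, negative once it already has.
# The optional second argument pins "today" so the arithmetic can be
# checked against constructed dates without touching the clock.
days_left() {
  today=${2:-$(date -u +%Y-%m-%d)}
  end=${1#notAfter=}
  set -- $end                               # Mon DD HH:MM:SS YYYY GMT
  m=$(month_num "$1") || { echo "unparseable month: $1" >&2; return 1; }
  d=$2; y=$4
  ty=${today%%-*}; rest=${today#*-}
  tm=${rest%-*}; td=${rest#*-}
  tm=${tm#0}; td=${td#0}                    # "08"/"09" would parse as octal
  echo $(( $(days_from_civil "$y" "$m" "$d") - $(days_from_civil "$ty" "$tm" "$td") ))
}

# splunkd_cert_enddate HOST [PORT] -> the "notAfter=..." line for the cert
# the management port presents (the self-signed default or your own)
splunkd_cert_enddate() {
  openssl s_client -connect "$1:${2:-8089}" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -enddate
}

# Usage: sh splunkd_cert_days.sh splunk.example.internal [8089]
if [ -n "${1:-}" ]; then
  end=$(splunkd_cert_enddate "$1" "${2:-8089}") || exit 1
  n=$(days_left "$end")
  printf '%s: %s, %s days left\n' "$1" "$end" "$n"
fi
```

Run it against every indexer, search head and cluster master from a cron job and alert when the number drops below the lead time you need to roll certs; the default self-signed cert has a fixed lifetime, so a fleet installed at the same time expires at the same time.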

tmcneely
Engager

@rob_jordan: Is the source of this image available anywhere? There are a couple of discrepancies that should be fixed (as mentioned in the comments), but it's the best diagram I have seen.

bandit
Motivator

@tmcneely I've updated the diagram. Source files are also here http://downloads.jordan2000.com/splunk

phoenixdigital
Builder

I note that this and the Splunk web GUI suggests port 8080 for indexer port replication.
http://imgur.com/6im8rti

However, the CLI and conf documentation suggest using port 9887.

http://docs.splunk.com/Documentation/Splunk/6.2.0/Indexer/Configurepeerswithserverconf
http://docs.splunk.com/Documentation/Splunk/6.2.0/Indexer/ConfigurepeerswithCLI

Granted, both will work; however, which is the Splunk-sanctioned port, 8080 or 9887?

Steve_G_
Splunk Employee

There's really no sanctioned port, as such. 9887 is just an example of a port that you can use for the purpose.

As the documentation states, "You can specify any available, unused port as the replication port. Do not re-use the management or receiving ports."

See http://docs.splunk.com/Documentation/Splunk/6.2.0/Indexer/Configurepeerswithserverconf
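
Added check (not from the thread or from Splunk): a POSIX sh script that reads the replication port from server.conf and rejects it if it collides with the management port from web.conf or a splunktcp receiving port from inputs.conf, which is the rule the documentation quoted above states. The .conf fragments embedded in it are constructed samples using the stanza and key names from the linked 6.2 docs (newer releases renamed the clustering keys); the first sample deliberately reuses 9997 so the conflict is visible. On a real peer, feed it the files under $SPLUNK_HOME/etc/system/local instead.

```shell
#!/bin/sh
# Added example, not from the original thread. The docs say the replication
# port must not reuse the management port (8089) or the receiving port
# (9997). This pulls all three out of the .conf files and reports a clash.
# The .conf text below is constructed sample input with 6.x key names.

SAMPLE_SERVER_CONF='[clustering]
mode = slave
master_uri = https://cm.example.internal:8089

[replication_port://9997]
'
SAMPLE_INPUTS_CONF='[splunktcp://9997]
disabled = 0
'
SAMPLE_WEB_CONF='[settings]
mgmtHostPort = 127.0.0.1:8089
httpport = 8000
'

# replication_port CONF_TEXT -> port from the first [replication_port://N]
# or [replication_port-ssl://N] stanza, empty if there is none
replication_port() {
  printf '%s\n' "$1" \
    | sed -n 's|^\[replication_port\(-ssl\)\{0,1\}://\([0-9]*\)]|\2|p' | head -n 1
}

# receiving_ports CONF_TEXT -> every [splunktcp://N] / [splunktcp-ssl://N] port
receiving_ports() {
  printf '%s\n' "$1" | sed -n 's|^\[splunktcp\(-ssl\)\{0,1\}://\([0-9]*\)]|\2|p'
}

# mgmt_port CONF_TEXT -> port part of mgmtHostPort, 8089 when unset
mgmt_port() {
  p=$(printf '%s\n' "$1" | sed -n 's|^mgmtHostPort *= *.*:\([0-9]*\) *$|\1|p' | head -n 1)
  echo "${p:-8089}"
}

# check_replication_port SERVER_CONF INPUTS_CONF WEB_CONF
# -> prints the verdict; returns 1 when the port is missing or reused
check_replication_port() {
  rep=$(replication_port "$1")
  [ -n "$rep" ] || { echo "no replication_port stanza in server.conf"; return 1; }
  mgmt=$(mgmt_port "$3")
  if [ "$rep" = "$mgmt" ]; then
    echo "conflict: replication port $rep is the management port"; return 1
  fi
  for r in $(receiving_ports "$2"); do
    if [ "$rep" = "$r" ]; then
      echo "conflict: replication port $rep is a splunktcp receiving port"; return 1
    fi
  done
  echo "ok: replication port $rep"
}

# Stand-alone: "sh check_rep_port.sh demo" flags the constructed sample.
# Real files: check_replication_port "$(cat server.conf)" "$(cat inputs.conf)" "$(cat web.conf)"
if [ "${1:-}" = demo ]; then
  check_replication_port "$SAMPLE_SERVER_CONF" "$SAMPLE_INPUTS_CONF" "$SAMPLE_WEB_CONF"
fi
```

Because the replication port is a free choice, it is also the one most likely to be picked inconsistently across peers; run the check on every peer and compare the printed port, since all members of one cluster need the same value open between them.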

jbrodsky_splunk
Splunk Employee

Great diagram. Is there an updated one to include Search Head Clustering? New ports required are 8191 for the KV store, and a replication port chosen at implementation time (I have seen 8989 used) for search head cluster members to replicate data.

bandit
Motivator

@jbrodsky, I've updated to include search head clustering and kvstore.
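
Added example (not from the diagram, from bandit, or from Splunk): a POSIX sh script that turns the port list discussed in this thread into iptables rules per role, so that each port is open only to the peers that need it rather than to the whole network: 9997 from forwarders, 8089 from the cluster master, search heads and admins, 9887 and 8989 only between cluster members, 8191 only between search head cluster members, 514 only from syslog sources, and nothing inbound on a universal forwarder, which opens all of its connections itself. The subnets are made-up placeholders; 9887 and 8989 are the replication ports used in the posts above, not Splunk defaults.

```shell
#!/bin/sh
# Added example, not from the original post: emit host-firewall (iptables)
# rules for one Splunk role so that each listening port is reachable only
# from the peers that need it. Ports are the ones discussed in this thread;
# 9887 and 8989 are site-chosen replication ports, not Splunk defaults.
# The subnets are constructed placeholders; substitute your own.

MGMT_NET=10.0.0.0/24          # admins and Splunk Web users (assumption)
SEARCH_HEADS=10.0.1.0/24      # search heads / SHC members (assumption)
INDEXERS=10.0.2.0/24          # indexer cluster peers (assumption)
CLUSTER_MASTER=10.0.2.10/32   # cluster master (assumption)
FORWARDERS=10.0.0.0/8         # anything that sends data (assumption)
SYSLOG_SOURCES=10.0.3.0/24    # devices sending syslog to an indexer (assumption)

# rule PORT PROTO SOURCE COMMENT -> one iptables line on stdout
rule() {
  printf 'iptables -A INPUT -p %s --dport %s -s %s -m comment --comment "%s" -j ACCEPT\n' \
    "$2" "$1" "$3" "$4"
}

# splunk_inbound_rules ROLE -> accept rules for that role, then one drop
# for every other source on the Splunk ports. Returns 1 for an unknown role.
splunk_inbound_rules() {
  case "$1" in
    indexer)
      rule 9997 tcp "$FORWARDERS"     "splunktcp receiving port"
      rule 8089 tcp "$CLUSTER_MASTER" "splunkd REST: cluster master"
      rule 8089 tcp "$SEARCH_HEADS"   "splunkd REST: distributed search"
      rule 8089 tcp "$MGMT_NET"       "splunkd REST: admins"
      rule 9887 tcp "$INDEXERS"       "index replication (site-chosen port)"
      rule 514  udp "$SYSLOG_SOURCES" "syslog input, only if configured"
      ;;
    search_head)
      rule 8000 tcp "$MGMT_NET"       "Splunk Web"
      rule 8089 tcp "$MGMT_NET"       "splunkd REST: admins and deployer"
      rule 8089 tcp "$SEARCH_HEADS"   "splunkd REST: SHC members"
      rule 8191 tcp "$SEARCH_HEADS"   "KV store replication"
      rule 8989 tcp "$SEARCH_HEADS"   "SHC replication (site-chosen port)"
      ;;
    cluster_master)
      rule 8000 tcp "$MGMT_NET"       "Splunk Web"
      rule 8089 tcp "$INDEXERS"       "splunkd REST: peers registering"
      rule 8089 tcp "$SEARCH_HEADS"   "splunkd REST: search heads fetch peer list"
      rule 8089 tcp "$MGMT_NET"       "splunkd REST: admins"
      ;;
    forwarder)
      # A universal forwarder opens every connection itself (9997 to the
      # indexers, 8089 to the deployment server), so nothing is accepted
      # inbound; only the drop below is emitted.
      ;;
    *)
      echo "unknown role: $1 (indexer|search_head|cluster_master|forwarder)" >&2
      return 1
      ;;
  esac
  echo 'iptables -A INPUT -p tcp -m multiport --dports 8000,8089,8191,8989,9887,9997 -j DROP'
}

# Usage: sh splunk_fw.sh indexer > rules.sh ; review, then run rules.sh
if [ -n "${1:-}" ]; then
  splunk_inbound_rules "$1"
fi
```

The script prints rules rather than applying them so they can be diffed against what is already loaded; the last line drops whatever the accept rules did not cover, which is what makes the per-source restriction on 8089 meaningful, since that port exposes the full splunkd REST API (and the login surface behind it) to anyone who can reach it.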

Mark_Orcutt
New Member

Great job!!! I almost only see this information in tables.

Did you create this with MS Visio?

jrodman
Splunk Employee

This is great.

For what it's worth, the cluster master / indexers communication is bidirectional (maybe a double-headed arrow?), and port 9997 is primarily a tradition, though I think the GUI provides that default. There's a support-generated diagram somewhere that labels SSL-by-default differently from others, but that's synonymous with the default-port 8089 traffic.

Technically, external apps can use the REST API to any nodes in the system, but that's going to be only really useful for custom administration goals or custom troubleshooting goals, typically. The search head is definitely by far the most common target.

mxg142
Explorer

Why isn't a complete common network port diagram provided by Splunk in the Official Documentation instead of telling the responder all the tweaks he should be making to maintain his personal version?  Seems like standard info that would benefit the entire community by being officially documented by Splunk.  If there is an official one already out there, please point me to it, because I haven't found one.

bandit
Motivator

Thanks. The other direction of communication for the Cluster Master would be due to the Cluster Master polling members of the cluster, correct? (That would be in addition to the members themselves checking in with the Cluster Master)
