Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

8089 Already Bound on new Universal Forwarders and a Legacy Deployment Server. Can I use IPtables?

DazzedNConfused
New Member
‎06-04-2015 07:48 AM

Simply put, I have a group of about 700 Linux Boxes that I use Deployment Server with for over a year. Works great. I recently was trying to add another group of 8 new servers by installing the Universal Forwarder and wanted to manage with my legacy Deployment Server. I know I can change 8089 to anything I want on both sides, but can the Deployment Server comm over two separate ports 8089 and, lets say, 8099? I know you can change 8089 in the web.conf, but can you configure one ServerClass to comm over 8089 and another to comm over 8099?

Already tried to "strong arm" the group that owns the 8 servers. Told them that our requirement is to have 8089 free, and that they need to make it happen first. Bosses talked to Bosses and I got chewed out. No worries, I've been chewed out before. I also know I can change my legacy DS to comm over 8099 and config all my other 700 servers to accommodate these 8, but that is less than ideal. I also don't want a completely separate DS for these 8 servers.

Can I use IPTables at my legacy DS to map anything over 8099 to 8089? Will this hose the existing 700 Boxes listening over 8089? Also, If this is a viable solution accepted by, you, the community of SMEs, please understand I am not a Linux Admin by any stretch, but I am sure I can hack the settings. However, if someone can help me with the commands, I'd be grateful. Here is what Google is telling me:

--iptables -A INPUT -i eth0 -p tcp --dport 8099 -j ACCEPT
--iptables -A INPUT -i eth0 -p tcp --dport 8080 -j ACCEPT
--iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 8099 -j REDIRECT --to-port 8080

Should work. Thanks Dazzed

0 Karma
Reply

acharlieh
Influencer
‎06-04-2015 03:53 PM

Now I don't personally use deployment server, but I think the connection arrow is actually the other direction. This doc talks about this mechanism but I'm pretty certain that the process is that the Deployment Client (forwarder) connects to the Deployment Server periodically to register and check for changes. (As opposed to the Deployment Server creating connections to the forwarders).

As a result the port of the forwarder listens on doesn't matter too much (unless you're configuring this port with apps you're pushing out, or if you have a need to remotely invoke things on the forwarders API's yourself), but those are a different story than the normal operation of the Deployment Server.

0 Karma
Reply

DazzedNConfused
New Member
‎06-05-2015 06:52 AM

Appreciate the response.

At the Application Layer, sure. I do understand that the forwarder connects to the DS to look for changes, but lower in the stack, they communicate over established ports, any established port. My question is:

A: Because the default port 8089 is already bound on my 8 new servers, can the DS establish communications with the forwarder over 2 different ports? 8089 and a new ServerClass talking over 8099
B: If not, can I use IPTables to port forward on the DS?

0 Karma
Reply

acharlieh
Influencer
‎06-05-2015 08:22 AM

But that's the crux of the thing: The DS is not establishing communications. The forwarder (Client) is responsible for establishing the connection to the known port on the DS. The port that the forwarder listens on for its API does not matter, and more than likely, the port that the forwarder will use to initiate that connection should be random (just like how your web browser uses random ports to make connections to web servers on port 80 or 443 when you use HTTP/HTTPS on default ports)

Just like a Web Site, the DS listens on a well defined port, and the forwarders connect to that well defined port.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...