Getting Data In

Can someone please explain to me why Splunk Universal Forwarder uses port 8089?

Explorer

Can someone please explain to me why the Splunk Universal Forwarder uses port 8089 and what problems would arise if I disabled it?

1 Solution

SplunkTrust

It's a management port. It allows remote administration of the forwarder, once the default password is changed. It shouldn't hurt anything to disable it.

Motivator

Port 8089 is the default Splunk management port on all Splunk instances, including the Universal Forwarder. If you never change the default password on a Universal Forwarder, authentication when accessing port 8089 will be blocked.

A use case for changing the password and leaving the port up would be to allow you to run remote debug commands on the forwarder, such as the one below, to understand what files are being monitored. Often Splunk admins do not have direct access to forwarders. It is also possible to run remote configuration commands through the REST API URL.

# Display status on the tailing processor where localhost is replaced with the hostname or IP of the forwarder
https://localhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus

Port 8089 is not needed on a forwarder for sending event data out to indexers or for communicating with a deployment server. In the case of deployment server, the forwarder initiates contact with the deployment server as a client. Only the deployment server needs to have the 8089 listening port up.

Splunk Employee

The management port is not limited to remote management. It's how the forwarder is managed locally as well when it is running, by the splunk command line tool. I would suggest considering firewalling it unless you truly need the peace of mind of the port being disabled entirely.

Explorer

I disabled port 8089 in server.conf, deleted the folders received from the deployment server, restarted the service, made sure that port 8089 was not listening (by issuing ), the port was indeed NOT listening, and the server still received its configurations from the deployment server.
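A small audit script for the two points above, the port explanation earlier in the thread and the "not listening" check in this post; it is added here and is not code from any poster or from Splunk. It reads a forwarder's server.conf, assumes the listener is turned off by `disableDefaultPort` under `[httpServer]` (a documented server.conf setting, not named in this thread), and compares that intent with a TCP probe of 8089 so a configuration change that never took effect shows up as a mismatch. The sample config is constructed.

```python
import configparser
import socket
from typing import Optional

# Constructed sample of a Universal Forwarder server.conf (not from the thread).
SAMPLE_SERVER_CONF = """\
[general]
serverName = uf-host-01

[httpServer]
# assumed setting that stops splunkd from opening the management port
disableDefaultPort = true
"""


def mgmt_port_disabled(conf_text: str) -> bool:
    """True when server.conf asks splunkd not to open the management port."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    return cp.getboolean("httpServer", "disableDefaultPort", fallback=False)


def port_listening(host: str = "127.0.0.1", port: int = 8089, timeout: float = 1.0) -> bool:
    """TCP connect probe: the same fact a listener-state command reports."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(conf_text: str, listening: Optional[bool] = None) -> str:
    """Compare configured intent with the observed listener and return a verdict."""
    disabled = mgmt_port_disabled(conf_text)
    if listening is None:
        listening = port_listening()
    if disabled and listening:
        return "MISMATCH: port disabled in config but still listening (restart needed?)"
    if disabled:
        return "OK: management port disabled"
    if listening:
        return "EXPOSED: 8089 listening; firewall it and change the default password"
    return "NOT LISTENING: port enabled in config but nothing is bound"


if __name__ == "__main__":
    print(audit(SAMPLE_SERVER_CONF))
```

Run it on the forwarder itself, or point `port_listening` at the forwarder's address from an admin host to confirm the firewall rule as well.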

SplunkTrust

I think the forwarder contacts the deployment server - but I can't be sure about in Splunk 6 - There were changes but I haven't caught up yet.

Explorer

Oh, thank you so much. That explains so much.

One other question is, does the deployment server use the API at all for deployment?

Explorer

I've set a new password, and when I browse to http://localhost:8089, all I see is the output of xml files.

SplunkTrust

Once you change the default password, you can hit it in a web browser using the REST API: https://your_forwarder:8089/. You can stop/start, and check inputs to make sure it's configured properly.

Explorer

What can be remotely administered using the port and how? I'm at a loss. Splunk is all new to me, and my boss wants me to get it all locked down because we got hit by a pentest big time because of Splunk.