Getting Data In

Forwarder to indexer - is that http/TCP?

lakshman237
Path Finder

Greetings.

I have an indexer configured to receive logs from forwarders on a TCP port, say 8100. I have configured the universal forwarder to send the logs to the indexer on the above port, and I can see the events appearing in the indexer. This is all in 4.3.2. I want to know the connectivity details from the forwarder to the indexer. TCP is the transport layer protocol. What's the service protocol? Is it SSH, Telnet or HTTP?

Similarly, in a distributed environment, what is the service protocol for the connectivity from the deployment server to universal forwarders, indexers and search heads?

Thanks,
Laks

1 Solution

Ayn
Legend

Forwarding is done over TCP in Splunk's own format. Optionally you can encrypt it using SSL.

Communication with the deployment server is done using HTTPS over port 8089.


lakshman237
Path Finder

Yes, we do receive syslog over UDP. However, all our Splunk nodes are on the green side, and hence I guess intra-Splunk-node communication is HTTP over TCP, and some may be HTTPS over TCP.

gkanapathy
Splunk Employee
Splunk Employee

All that the network layer should know about is that connections are over TCP. Under TCP, they may be encrypted, use HTTP, both, or neither. Note that some inputs may use UDP as well.


lakshman237
Path Finder

This is mainly to request connectivity from the network team, as they need to know what ports and protocols are used so they can punch in the required access.

lakshman237
Path Finder

Thanks. I would then take it as HTTP/TCP for all communication across Splunk nodes in the distributed environment. Am I correct?


lakshman237
Path Finder

Thanks Ayn. Let me elaborate a bit. I have deployed 2 search heads (SH) that are connected to 2 indexers. One of the SHs is also acting as my deployment server (DS) and license master, so the other instances are made slaves to the DS. All these servers are on the green side, meaning they are behind our firewall. I have forwarders installed on a number of servers, some of them on the green side and some of them on the red side/DMZ. I need to tell the network team the port to connect to on the SH (DS) and indexers so the forwarders can send the logs and also get the push from the DS.

Ayn
Legend

No. Forwarded log traffic doesn't use any kind of HTTP at all. Intra-Splunk traffic (port 8089) will use HTTP, but by default over SSL, so it's HTTPS rather than HTTP. From a network perspective no "recognizable" protocol like the ones you specified will ever be seen, unless you have some kind of solution that breaks SSL connections to inspect their contents (and in that case you're running into a world of other problems). I'm curious to know why your network team would require you to specify the protocol.
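
Added example, not from this thread and not Splunk's own code: a small probe that tells you, from the network side, which of the two things the answer above describes a given port is. It opens a TCP connection, attempts a TLS handshake, and, if TLS succeeds, sends one HTTP request to see whether splunkd's REST interface (the management port, 8089) answers. A receiving port that is not configured for SSL (8100 in the question) shows up as an open port that either stays silent or rejects the ClientHello as a plaintext listener. The hostnames in the `__main__` section, the 8100 port, the expectation that splunkd answers an unauthenticated request with an HTTP 401 carrying a `Server: Splunkd` header, and the local plaintext listener used for the offline demonstration are all assumptions of this example.

```python
"""Classify what a Splunk-side TCP listener speaks, so a firewall request can be precise.
Added example; the hostnames, port 8100 and the 'Server: Splunkd' expectation are assumptions."""
import socket
import ssl
import threading
import time
from typing import Dict


def classify_banner(banner: bytes) -> str:
    """Interpret the reply to a plain HTTP GET sent inside an established TLS session.
    Expectation (assumption): the splunkd management port answers an unauthenticated
    request with an HTTP 401 and a 'Server: Splunkd' header; a splunktcp-ssl receiver
    speaks Splunk's own framing and returns nothing useful to an HTTP request."""
    if not banner:
        return "tls-no-http-reply"       # TLS, but not HTTP: e.g. an SSL forwarder receiver
    if banner.startswith(b"HTTP/"):
        return "splunkd-management" if b"Splunkd" in banner else "https-other"
    return "tls-other"


def probe(host: str, port: int, timeout: float = 3.0) -> Dict[str, str]:
    """Return what the listener at host:port looks like from the network."""
    result = {"host": host, "port": str(port)}
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["tcp"] = "closed-or-filtered"   # no SYN/ACK: port closed or firewall drops it
        result["detail"] = str(exc)
        return result
    result["tcp"] = "open"

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # identifying the service, not trusting it (default certs are self-signed)
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            result["transport"] = "tls"
            result["tls_version"] = tls.version() or "unknown"
            try:
                tls.sendall(b"GET /services/server/info HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
                banner = tls.recv(1024)
            except OSError:               # timeout or reset: the peer is not an HTTP server
                banner = b""
            result["service"] = classify_banner(banner)
    except socket.timeout:
        # Open port that never answered our ClientHello: typical of a plain splunktcp
        # receiver, which waits for the forwarder's own handshake instead.
        result["transport"] = "silent"
    except ssl.SSLError as exc:
        # The peer replied with something that is not a TLS record (OpenSSL reports
        # e.g. WRONG_VERSION_NUMBER): a plaintext listener.
        result["transport"] = "plaintext"
        result["detail"] = exc.reason or str(exc)
    except OSError as exc:
        result["transport"] = "plaintext"   # e.g. connection reset on receipt of the ClientHello
        result["detail"] = str(exc)
    finally:
        raw.close()
    return result


def start_local_listener(reply: bytes, hold_seconds: float = 0.0) -> int:
    """Throw-away plaintext listener on 127.0.0.1, constructed here as a stand-in for a
    splunktcp receiver without SSL. Accepts one connection, reads whatever arrives,
    waits hold_seconds, sends reply (if any) and closes. Returns the chosen port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve_once() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(5.0)
            try:
                conn.recv(4096)          # the prober's ClientHello
            except OSError:
                pass
            time.sleep(hold_seconds)
            if reply:
                try:
                    conn.sendall(reply)
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return srv.getsockname()[1]


def unused_local_port() -> int:
    """Pick a port nothing is listening on, to show the closed-port result."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Hypothetical hostnames for the search head acting as deployment server and for
    # an indexer; 8100 is the custom receiving port from the question.
    for target in [("splunk-sh1.example.internal", 8089), ("splunk-idx1.example.internal", 8100)]:
        print(probe(*target))
    # Offline demonstration: a plaintext listener that answers the ClientHello with HTTP.
    print(probe("127.0.0.1", start_local_listener(b"HTTP/1.0 400 Bad Request\r\n\r\n")))
```

Run it from a forwarder host on the red side against the DS and indexer addresses: `tcp: closed-or-filtered` means the rule is not in place yet, `transport: tls` with `service: splunkd-management` is the 8089 management port, and `transport: silent` or `plaintext` on the receiving port means forwarding is running without SSL, which is what you would tell the network team (and what you might want to change before traffic crosses the DMZ).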

gkanapathy
Splunk Employee
Splunk Employee

I would ask why you are interested in knowing this. If you're thinking of using a network load-balancer or something, that's a bad idea, and there are better ways to deal with it.

