How to disable the universal forwarder default management port 8089 with a deployment server?

serwin
Explorer

I'm trying to disable the default management point on the universal forwarders (8089) with the deployment server and I'm having a hard time getting the deployment server to deploy correctly. I have created the app that should disable it and it successfully pushes, but when I do a netstat, it's still listening. Anyone have any advice or see anything I'm doing incorrectly? If I edit the local\server.conf on the test server, it successfully disables the management port.

Thanks!

On the deployment server

deployment-apps\disable_mgmt_app\etc\system\local\server.conf

[httpServer]
disableDefaultPort = true
1 Solution

serwin
Explorer

Actually solved this one myself. When adding the app, you don't need to specify directories; you just need to place it in deployment-apps/disable_mgmt/local/server.conf and it will work.


mustapha_arakji
Splunk Employee

Snippet from Splunk docs about changing server.conf file:

https://docs.splunk.com/Documentation/Splunk/9.0.0/admin/Serverconf

disableDefaultPort = <boolean>
* If set to "true", turns off listening on the splunkd management port,
  which is 8089 by default.
* On Universal Forwarders, when  this value is "true" the value set 
  for mgmtHostPort in web.conf will be ignored. Similarly, when set to "false", 
  the value set for mgmtHostPort in web.conf will be used for binding management port.
* NOTE: On Universal Forwarders, to reduce the risk of exploitation Splunk recommends 
  the management port is disabled and local CLI is not used. If the management port is enabled, 
  a valid TLS certification should be installed and the port should be bound to localhost.
* NOTE: Changing this setting is not recommended on other Splunk instances.
  * This is the general communication path to splunkd.  If it is disabled,
    there is no way to communicate with a running splunk instance.
  * This means many command line splunk invocations cannot function,
    Splunk Web cannot function, the REST interface cannot function, etc.
  * If you choose to disable the port anyway, understand that you are
    selecting reduced Splunk functionality.
* Default: false

 

0 Karma
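
An added example, not part of the original thread and not Splunk's own tooling: a Python check for the layout mistake described in the question. It flags any deployment app whose server.conf carrying disableDefaultPort sits somewhere other than <app>/local/ or <app>/default/. The function names and the sample directory tree are constructed for illustration, and the boolean parsing is simplified to "true" or "1".

```python
import tempfile
from pathlib import Path

VALID_DIRS = {"local", "default"}  # conf directories read inside an app


def disables_mgmt_port(conf: Path) -> bool:
    """True if [httpServer] in this file sets disableDefaultPort to true."""
    stanza = None
    for raw in conf.read_text().splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif stanza == "httpServer" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "disableDefaultPort":
                return value.lower() in {"true", "1"}  # simplified boolean check
    return False


def audit(deployment_apps: Path) -> dict:
    """Map each app to 'ok', 'misplaced' or 'not set' for the port setting."""
    report = {}
    for app in sorted(p for p in deployment_apps.iterdir() if p.is_dir()):
        status = "not set"
        for conf in sorted(app.rglob("server.conf")):
            if not disables_mgmt_port(conf):
                continue
            rel = conf.relative_to(app).parts
            if len(rel) == 2 and rel[0] in VALID_DIRS:
                status = "ok"
                break
            status = "misplaced"  # e.g. etc/system/local nested inside the app
        report[app.name] = status
    return report


def demo() -> dict:
    """Constructed sample: the question's layout and the solution's layout."""
    conf = "[httpServer]\ndisableDefaultPort = true\n"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "deployment-apps")
        for rel in ("disable_mgmt_app/etc/system/local", "disable_mgmt/local"):
            (root / rel).mkdir(parents=True)
            (root / rel / "server.conf").write_text(conf)
        return audit(root)


if __name__ == "__main__":
    print(demo())
```

Point audit() at the deployment server's deployment-apps directory; an app reported as "misplaced" will push successfully but leave the forwarder's management port listening, as in the question.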
