Getting Data In

How to get Splunk ports to open from universal side to heavy forwarder side

ips_mandar
Builder

I want to monitor zip files using the universal forwarder and send them to the heavy forwarder for parsing, so I want to know which ports I need to open.

As per my understanding, I will require ports 9997 and 8089 to be open from the universal forwarder.
Is there another port to open?

Does Splunk require a VPN tunnel to transfer files, or will it send the files to the heavy forwarder on port 9997?
Please confirm.
Thanks.

0 Karma
1 Solution

kartm2020
Communicator

Hi,
By default all the forwarding ports should be 9997.
The UF will forward the data to the HF on 9997. The HF will parse it and send it on to the indexer, again on 9997.
Port 8089 is only the management port.
Configure your heavy forwarder to listen on port 9997 and configure your indexer on 9997. There are 2 layers of transforming data. Please ensure all firewalls or NSGs (for Azure) are opened.

Details of configuring receiving port:

To configure the indexer/heavy forwarder to receive data from other Splunk Enterprise instances:

Log into Splunk Enterprise on the indexer.
In the system bar, click Settings > Forwarding and Receiving. Splunk Enterprise loads the "Forwarding and Receiving" page.
Under "Receive Data" click Configure Receiving.
Click New.

In the Listen on this port field, enter the port number that you want Splunk Enterprise to listen on for incoming data from other Splunk instances. The conventional port number is 9997.
Click Save. Splunk Enterprise saves the port number and enables receiving on the indexer.

Reference link: https://docs.splunk.com/Documentation/MSExchange/3.5.2/DeployMSX/InstallaSplunkIndexer


0 Karma

woodcock
Esteemed Legend

In standard Splunk with default settings, the UF initiates all traffic so he does not need to open any ports. He sends data to HFs/indexers on 9997 (non-SSL) or 9998 (SSL). The search head talks to the Indexers on port 8089 and should also be sending his logs to the Indexer (9997/9998). That should do it for the basics. Here is a full picture:
https://docs.splunk.com/Documentation/Splunk/latest/InheritedDeployment/Ports

ips_mandar
Builder

Thanks @woodcock..
So for non-SSL I need to open 9997 on the universal forwarder. I do not understand your comment "...he does not need to open any ports", because to communicate/send data to the HWF I need to open port 9997 from the UF, isn't it?

0 Karma

woodcock
Esteemed Legend

No, firewalls block incoming ports, not outgoing (because outgoing ports are assigned at random). Nothing reaches out to the UF, so no ports need to be opened. All Splunk traffic originates from the UF; none of it terminates at it.

0 Karma
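As an added example that is not part of this thread, the Python script below reads the outputs.conf and inputs.conf stanzas of each host in a UF -> HF -> indexer chain and derives the firewall openings the two answers above describe: an ingress allow on each receiver for its splunktcp port (9997 plain, or the splunktcp-ssl port), and an egress allow on the sender that only matters if that host filters outbound connections. That is why "open 9997" (kartm2020) and "the UF needs no ports opened" (woodcock) are both right: the rule lives on the receiving side. The script also flags a target port no receiver is listening on and a TLS mismatch between a tcpout group and its listener. Port 8089 is absent because it carries management traffic only (a UF polling a deployment server, a search head talking to indexers), not forwarded data. The hostnames, config text and function names are all hypothetical; the stanza names and attributes (`[tcpout:<group>]`, `server`, `useSSL`, `sslCertPath`, `[splunktcp://<port>]`, `[splunktcp-ssl:<port>]`, `disabled`) are the documented ones.

```python
"""Added example, not from the thread: derive the firewall openings a UF -> HF ->
indexer chain needs from each host's Splunk conf stanzas. Hosts, config text and
function names are hypothetical."""
import re

# Constructed sample configs for four hypothetical hosts.
UF_OUTPUTS = """
[tcpout]
defaultGroup = hf_group
[tcpout:hf_group]
server = hf01.example.internal:9997
"""
HF_INPUTS = """
[splunktcp://9997]
disabled = 0
"""
HF_OUTPUTS = """
[tcpout]
defaultGroup = idx_group
useSSL = true
[tcpout:idx_group]
server = idx01.example.internal:9998, idx02.example.internal:9998
"""
IDX_INPUTS = """
[splunktcp-ssl:9998]
serverCert = $SPLUNK_HOME/etc/auth/server.pem
"""
INVENTORY = {
    "uf01.example.internal": {"outputs": UF_OUTPUTS, "inputs": None},
    "hf01.example.internal": {"outputs": HF_OUTPUTS, "inputs": HF_INPUTS},
    "idx01.example.internal": {"outputs": None, "inputs": IDX_INPUTS},
    "idx02.example.internal": {"outputs": None, "inputs": IDX_INPUTS},
}
# Matches [splunktcp://9997], [splunktcp://host:9997] and [splunktcp-ssl:9998].
LISTEN_RE = re.compile(r"splunktcp(-ssl)?:(?://)?(?:[\w.\-]+:)?(\d+)")


def parse_conf(text):
    """Minimal Splunk .conf reader: {stanza: {key: value}}; comments and blanks ignored."""
    stanzas, current = {}, None
    for raw in (text or "").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, val = line.partition("=")
            stanzas[current][key.strip()] = val.strip()
    return stanzas


def listeners(inputs_text):
    """Receiving ports from inputs.conf as {port: tls} for enabled splunktcp stanzas."""
    ports = {}
    for name, attrs in parse_conf(inputs_text).items():
        m = LISTEN_RE.fullmatch(name)
        if m and attrs.get("disabled", "0").lower() not in ("1", "true"):
            ports[int(m.group(2))] = m.group(1) is not None
    return ports


def forward_targets(outputs_text):
    """Destinations from outputs.conf as (host, port, tls) for every tcpout group."""
    conf, targets = parse_conf(outputs_text), []
    for name, attrs in conf.items():
        if not name.startswith("tcpout:"):
            continue
        attrs = {**conf.get("tcpout", {}), **attrs}  # a group inherits [tcpout] settings
        tls = attrs.get("useSSL", "false").lower() == "true" or "sslCertPath" in attrs
        for hostport in filter(None, map(str.strip, attrs.get("server", "").split(","))):
            host, _, port = hostport.rpartition(":")
            targets.append((host, int(port), tls))
    return targets


def firewall_rules(inventory):
    """Forwarding is sender-initiated: each hop needs an ingress allow on the receiver,
    and an egress allow on the sender only if that host filters outbound traffic.
    Returns {"ingress", "egress", "problems"}; rules are (src_host, dst_host, dst_port)."""
    listening = {h: listeners(c.get("inputs")) for h, c in inventory.items()}
    out = {"ingress": [], "egress": [], "problems": []}
    for src, conf in inventory.items():
        for dst, port, tls in forward_targets(conf.get("outputs")):
            out["ingress"].append((src, dst, port))
            out["egress"].append((src, dst, port))
            if dst not in listening:
                out["problems"].append(f"{src} -> {dst}:{port}: {dst} not in inventory")
            elif port not in listening[dst]:
                out["problems"].append(f"{src} -> {dst}:{port}: no splunktcp listener on that port")
            elif listening[dst][port] != tls:
                out["problems"].append(f"{src} -> {dst}:{port}: TLS mismatch (sender useSSL={tls})")
    return out


if __name__ == "__main__":
    rules = firewall_rules(INVENTORY)
    for direction in ("ingress", "egress"):
        for src, dst, port in rules[direction]:
            print(f"{direction:7} allow {src} -> {dst}:{port}")
    print("problems:", rules["problems"] or "none")
```

Run as-is it lists one ingress rule into the HF (9997 from the UF) and two into the indexers (9998 from the HF, over TLS), and nothing into the UF. Swap the HF's `[splunktcp://9997]` for `[splunktcp://9998]` and it reports that the UF is pointed at a port nobody listens on, which is the usual cause of "the firewall is open but no data arrives".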