I want to monitor zip files using the universal forwarder and send them to the heavy forwarder for parsing, so I want to know which ports I need to open.
As per my understanding, I will require ports 9997 and 8089 to be open from the universal forwarder.
Is there another port to open?
Does Splunk require a VPN tunnel to transfer files, or will it send the files to the heavy forwarder on port 9997?
In standard Splunk with default settings, the UF initiates all traffic so he does not need to open any ports. He sends data to HFs/indexers on 9997 (non-SSL) or 9998 (SSL). The search head talks to the Indexers on port 8089 and should also be sending his logs to the Indexer (9997/9998). That should do it for the basics. Here is a full picture:
Thanks @woodcock..
So for non-SSL I need to open 9997 on the universal forwarder. I do not understand your comment "...he does not need to open any ports", because to communicate/send data to the HWF I need to open port 9997 from the UF, isn't it?
No, firewalls block incoming ports, not outgoing (because outgoing ports are assigned at random). Nothing reaches out to the UF, so no ports need to be opened. All Splunk traffic originates from the UF; none of it terminates at it.
By default all the forward ports should be 9997.
The UF will forward the data to the HF on 9997. The HF will parse it and send it on to the indexer, again on 9997.
Port 8089 is only the management port.
Configure your heavy forwarder to listen on port 9997 and configure your indexer with 9997. There are 2 layers of transforming data. Please ensure all firewall or NSG (for Azure) rules are opened.
Details of configuring the receiving port:
To configure the indexer/heavy forwarder to receive data from other Splunk Enterprise instances:
Log into Splunk Enterprise on the indexer.
In the system bar, click Settings > Forwarding and Receiving. Splunk Enterprise loads the "Forwarding and Receiving" page.
Under "Receive Data" click Configure Receiving.
In the Listen on this port field, enter the port number that you want Splunk Enterprise to listen on for incoming data from other Splunk instances. The conventional port number is 9997.
Click Save. Splunk Enterprise saves the port number and enables receiving on the indexer.
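The same setup expressed in configuration files, added here as an example rather than taken from the posts above. It covers three files on three hosts (receiver inputs.conf, UF outputs.conf, HF outputs.conf); hostnames, certificate paths and the password placeholder are assumptions, and the TLS listener is shown beside the plain one because the thread mentions both.

```ini
# --- Receiver (heavy forwarder or indexer): $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Equivalent of Settings > Forwarding and Receiving > Configure Receiving.
# Plain (non-SSL) listener on the conventional port 9997; this is the only
# inbound port the firewall in front of the receiver has to allow from the UF.
[splunktcp://9997]
disabled = 0

# Alternative TLS listener. The port number is a local choice; 9998 is the one
# used in this thread. Certificate paths are placeholders.
[splunktcp-ssl:9998]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/receiver-server.pem
sslPassword = <password-for-key>
requireClientCert = true

# --- Universal forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# The UF opens the outbound connection; nothing listens on the UF for this,
# so no inbound rule is needed on the UF host.
[tcpout]
defaultGroup = heavy_forwarders

[tcpout:heavy_forwarders]
server = hf01.example.internal:9997
useACK = true

# Or, when sending to the TLS listener instead:
# [tcpout:heavy_forwarders]
# server = hf01.example.internal:9998
# clientCert = $SPLUNK_HOME/etc/auth/mycerts/uf-client.pem
# sslPassword = <password-for-key>
# sslVerifyServerCert = true

# --- Heavy forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Same shape, pointing at the indexer tier, again on 9997 (the second hop
# in the two-layer path the answer above describes).
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = idx01.example.internal:9997
useACK = true
```

On the UF, `splunk list forward-server` shows whether the configured receiver is reachable, which is a quicker check of the firewall path than waiting for data to appear.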