Getting Data In

Universal Forwarder listening on port 8089

trross33
Path Finder

I am running across a number of vulnerability assessment findings regarding SSLv2 being accepted on my Splunk Universal Forwarder clients. I am using the Universal Forwarder to send data from my Windows and Linux machines to my indexer. I don't need it to listen on any port, that I know of.

Is it necessary for a universal forwarder to listen on any ports if it is only in use as a client to gather data and forward it to the indexer? If not, can this be disabled with a deployment app? Or at least have SSLv2 disabled with an app sent to all the clients (I made the server.conf change on the deployment server)? Thanks, as always.

1 Solution

msettipane
Splunk Employee

http://www.splunk.com/base/Documentation/latest/admin/Secureaccesstoyoursplunkserverwithssl#Disable_....

server.conf

disableDefaultPort = [true|false]
* If true, turns off listening on the splunkd management port (8089 by default)
* Default value is 'false'.

ericjaystevens
New Member

Add the following to your etc/system/local/server.conf

[httpServer]
disableDefaultPort = true

0 Karma

kapanig
Explorer

How do you manage the apps if you disable the deployment server port? 8089 with a properly created and issued certificate should void any vulnerabilities you have...

0 Karma

mattlucas719
Explorer

Port 8089 listens on the UF and is used only for REST/CLI communication, handling INBOUND requests to the UF instance.
Apps that get deployed to a UF (or actually all Splunk instances) are deployed via a PULL method, i.e., Splunk is configured to reach out to the DS and pull down the apps that it's assigned; the DS does not PUSH to the instance.
So an open port is not needed for app deployment; as long as the UF can reach DS:8089, it'll get the apps.

PS: if you disable port 8089 on the DS itself, yes, you kill app deployment.

teekayx
Path Finder

Very succinct, thanks.

0 Karma

araitz
Splunk Employee

In addition to disabling SSLv2, server.conf allows you to specify valid cipherSuite.

0 Karma

trross33
Path Finder

Thank you. If anyone follows up on this thread, the disableDefaultPort = [true|false] setting is documented here: http://www.splunk.com/base/Documentation/latest/admin/Serverconf

trross33
Path Finder

Thanks. I appreciate it.

0 Karma

araitz
Splunk Employee

Yes, a server.conf configuration can be pushed with deployment server.

trross33
Path Finder

Can a server.conf configuration be pushed out with the splunk deployment server?

0 Karma
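
An added example, not from any poster in this thread or from Splunk: a small audit of layered server.conf text for the `[httpServer] disableDefaultPort` setting discussed above. It shows the case where a flag pushed in a deployment app is overridden by a leftover etc/system/local/server.conf, which takes precedence over app-level files. The app name `uf_disable_mgmt_port`, the host name `uf01` and the sample file contents are constructed for illustration.

```python
# Added example: audit layered server.conf text for the management-port setting.
# Layers are passed lowest precedence first; Splunk's global-context order is
# system/default < app default < app local < system/local.

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    conf, stanza = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            conf.setdefault(stanza, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            conf.setdefault(stanza, {})[key.strip()] = value.strip()
    return conf

def effective(layers):
    """Merge (path, text) layers; remember which file supplied each value."""
    merged = {}
    for path, text in layers:
        for stanza, settings in parse_conf(text).items():
            for key, value in settings.items():
                merged[(stanza, key)] = (value, path)  # later layer wins
    return merged

def audit_mgmt_port(layers):
    """Return (listening, source): would splunkd still open port 8089?"""
    value, path = effective(layers).get(
        ("httpServer", "disableDefaultPort"), ("false", "built-in default"))
    # Assumption: "true" or "1" (any case) are treated as the truthy spellings.
    return value.lower() not in ("true", "1"), path

# Constructed sample: the deployed app (hypothetical name) sets the flag,
# but a leftover system/local file on the forwarder overrides it.
APP = ("etc/apps/uf_disable_mgmt_port/local/server.conf",
       "[httpServer]\ndisableDefaultPort = true\n")
SYSTEM_LOCAL = ("etc/system/local/server.conf",
                "[general]\nserverName = uf01\n"
                "[httpServer]\ndisableDefaultPort = false\n")

if __name__ == "__main__":
    for name, layers in (("app only", [APP]),
                         ("app + system/local", [APP, SYSTEM_LOCAL])):
        listening, src = audit_mgmt_port(layers)
        print(f"{name}: listening={listening} (decided by {src})")
```

On a real forwarder, confirm the result after restart by checking that nothing is bound to 8089.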