Getting Data In

What can be done when port 8089 is taken on the forwarder?

ddrillic
Ultra Champion

We reach a situation where port 8089 is being used by another app on a set of forwarders. Can we use another port on the these forwarders besides 8089?

Not sure what the following means - Can I change the default management port 8089 on Splunk Universal Forwarder and still push updates f...

Tags (2)
0 Karma
1 Solution

maraman_splunk
Splunk Employee
Splunk Employee

You can change the port for sure,it wont affect the UF ability to contact the Deployment Server/
You should probably also shut it down on your UFs (you can do it remotely from the DS with a app) as there's low chance you need it open on a UF and that's reducing UF attack surface, which is always a good thing.

to disable the port :
in server.conf

   [httpServer]
    disableDefaultPort = true

to change the port
in web.conf

[settings]
mgmtHostPort = 127.0.0.1:8090

View solution in original post

ddrillic
Ultra Champion

Thank you all for this cheerful discussion!!!

One quick thing -

run: netstat -an | grep 8089
out: tcp        0      0 10.106.202.164:56428        10.106.218.126:8089         TIME_WAIT
out:

Assuming the forwarder doesn't have any management port open, which local port would it choose to use when communicating with the deployment server?

Ok, on the server which port 8089 was taken, I see -

$ netstat -an | grep 8089
tcp        0      0 0.0.0.0:8089                0.0.0.0:*                   LISTEN
tcp        0      0 <local server>:43097           <deployment server>:8089          ESTABLISHED

Which means that even though 8089 was taken on the forwarder machine, the forwarder was just fine. It seems that it picked a local random port and, I guess, it doesn't have a local management port.

0 Karma

maraman_splunk
Splunk Employee
Splunk Employee

You can change the port for sure,it wont affect the UF ability to contact the Deployment Server/
You should probably also shut it down on your UFs (you can do it remotely from the DS with a app) as there's low chance you need it open on a UF and that's reducing UF attack surface, which is always a good thing.

to disable the port :
in server.conf

   [httpServer]
    disableDefaultPort = true

to change the port
in web.conf

[settings]
mgmtHostPort = 127.0.0.1:8090

ddrillic
Ultra Champion

Amazing point - it's a vulnerability which doesn't make much sense.

0 Karma

somesoni2
Revered Legend

You can have these forwarders to run on different port than 8089. In fact, it's a best practice to use your own custom port number instead of default one.

0 Karma

woodcock
Esteemed Legend

Is it though? I am opinionless on it and have not been trained either way. I always stick to 8089 to KISS.

0 Karma

somesoni2
Revered Legend

In my experience, generally 8089 is available but there are some servers where it's not. We set the Fwd Mgmt port to some reserve port which is least likely to be utilized by anyone/anything else.

0 Karma

ddrillic
Ultra Champion

Very interesting.

0 Karma

rphillips_splun
Splunk Employee
Splunk Employee

@ddrillic port 8089 is the default management port splunkd listens on. If another application is using port 8089 on your forwarder you can change the forwarder to use another port

$SPLUNK_HOME/etc/system/local/web.conf

[settings]
mgmtHostPort = x.x.x.x:8090

If you are managing the forwarder with a deployment server you can push that conf change to the UF from an app on the deployment server. Changing the port on the UF in this manner won't impact UF-->DS communication since the UF initiates comm to the DS which is listening on port 8089 and pulls new configurations from the DS.

0 Karma

ddrillic
Ultra Champion

Perfect!!!

You are saying

-- Changing the port on the UF in this manner won't impact UF-->DS communication since the UF initiates comm to the DS which is listening on port 8089 and pulls new configurations from the DS.

So, which port will be used on the forwarder to connect to the DS port 8089?

0 Karma

jtacy
Builder

The forwarder will use a dynamic/ephemeral source port (https://en.wikipedia.org/wiki/Ephemeral_port) to connect to the DS.

ddrillic
Ultra Champion

Perfect !!!

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...