Getting Data In

What ports are used as source ports for Splunk Universal forwarder agent?

mlevsh
Builder

Let’s say we have Splunk Universal Forwarder agents installed on Windows servers.
Is it known which ports are used by the Windows servers to send data FROM (not sent TO) the Splunk deployment server?

In the following example source port = 61616 is used. Can it be something like 8180?
TCP windows_server_source_ip:61616 splunk_deployment_server:8089 ESTABLISHED 3232

mbagali_splunk
Splunk Employee

On Universal Forwarders, TCP source ports are assigned randomly. On the receiver (for example the Indexer) the port is reserved (like 9997). If you capture a TCP dump between the UF and the Indexer you can determine that the UF communicates with the indexer on random ports but the indexer acknowledges back only from the reserved port defined.

mlevsh
Builder

@mbagali, thank you for your reply!


DalJeanis
Legend

We verified for you in the Slack channel, and longtime heavy hitter Clint Sharp (coccyx) confirmed that, regardless of Windows or Unix, TCP source ports are ephemeral and assigned randomly, and always above 1024 and generally above 32k (32768).

https://en.wikipedia.org/wiki/Ephemeral_port

If you are trying to filter your incoming data by source port, you are probably building an unnecessary and unhelpful technical limitation into your system that will come back to haunt you, and it will come bearing hand grenades.

If your security area is trying to firewall your data by source port, then they need a refresher course. That won't inconvenience hackers anywhere near as much as it inconveniences your network guys.

mlevsh
Builder

@DalJeanis & @mbagali.

Our Application support team is troubleshooting an issue with a specific Application that runs on the server where we have Splunk Universal Forwarder (SUF) installed.
Let's say that Application is configured to use TCP port 8180.

If TCP source ports are assigned randomly, then 8180 could have been randomly assigned as the source port for the Splunk Universal Forwarder, and it would take down the Application production service that was configured to use that port, per the Application Support team.

Do you think it is possible?

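One way to settle the last question on a concrete host, as an added example that is not part of this thread: read the OS's dynamic (ephemeral) source-port range, check whether the application's port 8180 falls inside it, and observe the source port the OS hands to a real outbound connection. The fallback range defaults and the netsh output format used here are assumptions to verify on your own Windows and Linux servers.

```python
import re
import socket
import subprocess
import sys
from typing import Tuple

# Defaults assumed when the OS cannot be queried: Linux sysctl default and the
# Windows (Vista and later) dynamic range. Verify these on your own servers.
DEFAULT_RANGE = {"linux": (32768, 60999), "win32": (49152, 65535)}

def parse_linux_range(text: str) -> Tuple[int, int]:
    """Parse /proc/sys/net/ipv4/ip_local_port_range, which reads 'low<TAB>high'."""
    low, high = (int(x) for x in text.split())
    return low, high

def parse_netsh_range(text: str) -> Tuple[int, int]:
    """Parse 'netsh int ipv4 show dynamicport tcp' output: Start Port / Number of Ports."""
    start = int(re.search(r"Start Port\s*:\s*(\d+)", text).group(1))
    count = int(re.search(r"Number of Ports\s*:\s*(\d+)", text).group(1))
    return start, start + count - 1

def read_ephemeral_range() -> Tuple[int, int]:
    """Best-effort read of this host's dynamic TCP source-port range."""
    if sys.platform.startswith("linux"):
        try:
            with open("/proc/sys/net/ipv4/ip_local_port_range") as f:
                return parse_linux_range(f.read())
        except OSError:
            return DEFAULT_RANGE["linux"]
    if sys.platform == "win32":
        cmd = ["netsh", "int", "ipv4", "show", "dynamicport", "tcp"]
        return parse_netsh_range(subprocess.run(cmd, capture_output=True, text=True).stdout)
    return DEFAULT_RANGE["win32"]  # macOS/BSD also default to 49152-65535

def collision_possible(app_port: int, rng: Tuple[int, int]) -> bool:
    """True if the OS could hand an outbound connection a source port equal to app_port."""
    return rng[0] <= app_port <= rng[1]

def sample_source_port() -> int:
    """Open one loopback TCP connection and return the source port the OS chose."""
    with socket.socket() as srv, socket.socket() as cli:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        cli.connect(srv.getsockname())
        return cli.getsockname()[1]

if __name__ == "__main__":
    rng = read_ephemeral_range()
    print("dynamic range:", rng, "| 8180 inside it:", collision_possible(8180, rng))
    print("source port picked for a sample connection:", sample_source_port())
```

With the default Windows range the answer for 8180 is "no": a forwarder's outbound connections draw from 49152-65535, so they cannot land on a port below that range. If an administrator has lowered the start port with netsh, the check above reports that too.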