Getting Data In
Highlighted

What ports are used as source ports for Splunk Universal forwarder agent?

Builder

Let’s say we have Splunk Universal Forwarder agents installed on windows servers.
Is it known what ports are being used by windows servers to send data FROM (not sent TO) to splunk deployment server?

In the following example source port = 61616 is used. Can it be something like 8180?
TCP windowsserversourceip:61616 splunkdeployment_server:8089 ESTABLISHED 3232

0 Karma
Highlighted

Re: What ports are used as source ports for Splunk Universal forwarder agent?

SplunkTrust
SplunkTrust

We verified for you in the Slack channel, and longtime heavy hitter Clint Sharp (coccyx) confirmed that, regardless of WIndows or Unix, TCP source ports are ephemeral and assigned randomly, and always above 1024 and generally above 32 k (32768).

https://en.wikipedia.org/wiki/Ephemeral_port

If you are trying to filter your incoming data by source port, you are probably building an unnecessary and unhelpful technical limitation into your system that will come back to haunt you, and it will come bearing hand grenades.

If your security area is trying to firewall your data by source port, then they need a refresher course. That won't inconvenience hackers anywhere near as much as it inconveniences your network guys.

Highlighted

Re: What ports are used as source ports for Splunk Universal forwarder agent?

Builder

@DalJeanis & @mbagali .

Our Application support team is troubleshooting the issue with a specific Application, that runs on the server, where we have Splunk Universal forwarder (SUF) installed.
Let's say that Application is configured to use tcp port 8180.

If tcp source ports are assigned randomly, then 8180 could have been randomly assigned as source port for Splunk Universal Forwarder and it would take down Application production service that was configured to use that port, per Application Support team.

Do you think it is possible?

0 Karma
Highlighted

Re: What ports are used as source ports for Splunk Universal forwarder agent?

Path Finder

On Universal forwarders , TCP source ports are assigned randomly . Nn the receiver(for example Indexer) the port is reserved (like 9997). If you capture a TCP dump between UF and Indexer you can determine that UF communicates with indexer on random ports but indexer acknowledges back only with the reserved port defined.

Highlighted

Re: What ports are used as source ports for Splunk Universal forwarder agent?

Builder

@mbagali, thank you for your reply!

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.