Hello,
I'm following the steps here:
https://docs.splunk.com/Documentation/Splunk/9.0.1/Installation/InstallonLinux#Next_steps
After installing and starting the service, I'm of course unable to access port 8000 to access the web interface because the system firewall is blocking connections. Besides port 8000, what other ports should I open through the firewall and why isn't this documented on the above page?
If anyone has a link to splunk documentation about the ports used, please let me know. I've seen lots of splunk community answers showing different ports, but others say they are user-defined. Like port 9997 for the forwarder to send data to the splunk server... I haven't configured that yet (it wasn't in the above documentation).
I see that my splunk server is currently listening on ports 8000, 8089, and 8191, according to the output of "sudo ss -tunlp"
tcp LISTEN 0 128 0.0.0.0:8089 0.0.0.0:* users:(("splunkd",pid=1806,fd=4))
tcp LISTEN 0 128 0.0.0.0:8191 0.0.0.0:* users:(("mongod",pid=2285,fd=9))
tcp LISTEN 0 128 0.0.0.0:8000 0.0.0.0:* users:(("splunkd",pid=1806,fd=100))
I tried opening a support case, but apparently I can't do that either. I'm really not sure where to ask this question, or who to ask in order to get the installation documentation updated.
If I should post this somewhere else, please let me know.
Thank you,
Jonathan
Thank you! I've added just port 8000 for now, since it seems like everything else will be added later and configured separately. It doesn't seem like anything else is immediately needed. But I ran into the next undocumented problem right away: my browser, Chrome, enforces https (I can't even go to http://myhost:8000) and apparently splunk doesn't use https? I'm getting "ERR_SSL_PROTOCOL_ERROR". But I can't find any documentation about how to set up SSL (ideally a self-signed certificate to start, and then import a signed certificate at a later date).
Thanks for the tip about leaving feedback about the documentation.
For other users: I didn't notice before, but there is a "Was this topic useful?" link at the bottom of the documentation page where you can submit an email address and free-form feedback. I'm doing this now.
Using SSL for the web interface is documented, but can be tricky to find. Just set enableSplunkWebSSL = true in $SPLUNK_HOME/etc/system/local/web.conf. See https://docs.splunk.com/Documentation/Splunk/9.0.1/Security/Turnonbasicencryptionusingweb.conf for details.
If you don't have a file called $SPLUNK_HOME/etc/system/local/web.conf (which you may not on a new installation), then create it and copy the lines from the docs into the file.
Restart Splunk for the changes to take effect.
This is where Splunk documentation is found to be wanting. One reason may be to avoid confusion since there are many possible ports Splunk could use, but very few necessary to get started. And, as you've learned, they're all configurable so the documentation would only be a guideline.
See this answer https://community.splunk.com/t5/Getting-Data-In/What-are-the-ports-that-I-need-to-open/m-p/62934 for the basics.
Submit feedback on the documentation to let Splunk know you couldn't find the information you needed.
Here are some other ports I've collected over time.
8000 | GUI |
8080 | Indexer replication |
8088 | HEC |
8089 | Management |
8191 | App Key Value Store |
9200 | SHC replication |
9997 | Receive forwarded data |