Installation

UF on linux server port requirement

Thats_my_usrnme
Explorer

Hello Team,

 

I would like to install UF on Linux server but I got confused. Which one should I open "9997 for İndexer cluster and 8089 for deployment server" OR "9997 and 8089 for deployment server"? Can any body help about port requirement? 

 

diagram.png

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The UF opens port 8089 on  the DS and port 9997 in the indexers.  Port 8089 is for management; port 9997 is for data/logs.

Data flows from UF directly to indexers, not via DS.

Do NOT put a load balancer between a UF and the indexers.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Universal forwarders (UF) usually do not need to listen on any port since they typically read local files.  They can opt to read TCP data on any port or Splunk protocol on port 9997.

A UF must be able to connect to indexers on port 9997.  If you have several UFs, it's a good idea to use a Deployment Server (DS) to manage them.  UFs talk to the DS on port 8089.

---
If this reply helps you, Karma would be appreciated.

Thats_my_usrnme
Explorer

Hi Rich, I'm asking for sure. 9997 port for sending data and we have indexer cluster structure. What should be the port opening direction? Somebody says "you should open 9997,8089 for DS" and I asking WHY?. Because we are doing like this but its not a answer. Do the logs go to DS first and then get written to the indexer?

10.10.10.1 UF

10.10.10.2 DS

10.10.10.3 indexer cluster LB

1.Senario:

10.10.10.1 UF --9997,8089--> 10.10.10.2 DS

2.Senario:

10.10.10.1 UF --9997--> 10.10.10.3 indexer cluster

LB 10.10.10.1 UF --8089--> 10.10.10.2 DS

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The UF opens port 8089 on  the DS and port 9997 in the indexers.  Port 8089 is for management; port 9997 is for data/logs.

Data flows from UF directly to indexers, not via DS.

Do NOT put a load balancer between a UF and the indexers.

---
If this reply helps you, Karma would be appreciated.

Thats_my_usrnme
Explorer

Thanks for quick response Mr.Rich.

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...