Unable to access Splunk Web Portal

sidtalup27
Explorer

Hello,

I have a new installation of Splunk 9.X. The instance is hosted on Ubuntu OS, on Azure Cloud. There is no Public IP associated with the instance. The instance can only be accessed via the associated Private IP Address (peering is established between Azure and my internal company network).

I tried to telnet the Instance on port 8000, and it is accepting connections. In parallel, when I launch TCPDUMP and refresh the browser, I can see packets on TCPDUMP.

In spite of this, I am unable to access the instance via console. I get CONNECTION RESET on the browser.

Please advise.

--
Thanks,
Siddarth

0 Karma

Sunil2
Observer

@sidtalup27 I have the exact issue. There is nothing wrong with the port configuration on the VM and everything looks fine with the NSG at Azure, but I am still facing issues with Splunk Web.

Were you able to solve the issue you had?

0 Karma

sidtalup27
Explorer

@PickleRick , below is the output of netstat.


sadmin@splunk-01:~$ sudo netstat -lpt | grep splunkd
tcp    0    0    splunk:8000 0.0.0.0:*    LISTEN    58145/splunkd
tcp    0     0   0.0.0.0:8089 0.0.0.0:*     LISTEN   58145/splunkd


sadmin@splunk-01:~$ sudo ss -lptn | grep splunkd
LISTEN    0    128     10.X.X.X:8000    0.0.0.0:*     users:(("splunkd",pid=58145,fd=186))
LISTEN    0    128      0.0.0.0:8089      0.0.0.0:*     users:(("splunkd",pid=58145,fd=4))

 

Can you please advise on "tls enabled in web server's configuration"?

--
Thanks,
Siddarth

0 Karma

PickleRick
SplunkTrust

OK. So splunkd is listening on ports 8000 (where webui should be) and 8089 (that port is for internal splunk uses). So theoretically you should be able to connect to that port using either plain http or https.

If you can't it means that there is something else blocking the connection. Maybe it's the host firewall, maybe you have some firewall in the middle of your network path, maybe you have some transparent proxy - we can't know that - it's your environment 😉

Try connecting to http://<your_ip>:8000 and https://<your_ip>:8000 and see if any of those work.

Typically "connection reset by peer" happens if you have TLS enabled but try to connect using plain HTTP.

0 Karma
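
The check suggested in the reply above (try both http:// and https:// against port 8000), written out as an added example that is not part of the original thread. It is a Python sketch with hypothetical function names; it assumes the Splunk Web port is 8000 as discussed here and turns certificate validation off only to learn whether the listener speaks TLS.

```python
import socket
import ssl
import sys

def probe_plain_http(host, port, timeout=5.0):
    """Send a cleartext HTTP request and classify what comes back."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:                      # refused, timed out, no route
        return "unreachable"
    with s:
        try:
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            data = s.recv(64)
        except ConnectionResetError:     # the browser's CONNECTION RESET
            return "reset"
        except OSError:                  # e.g. read timeout
            return "no-http-reply"
    return "http" if data.startswith(b"HTTP/") else "no-http-reply"

def probe_tls(host, port, timeout=5.0):
    """Attempt a TLS handshake. Certificate checks are disabled on purpose:
    the only question is whether the listener speaks TLS at all."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"
    except ssl.SSLError:                 # listed first: SSLError is an OSError
        return "not-tls"
    except ConnectionResetError:
        return "reset"
    except OSError:                      # e.g. handshake timeout
        return "no-tls-reply"

def diagnose(host, port=8000, timeout=5.0):
    """Return (scheme to use or None, plain-HTTP result, TLS result)."""
    plain = probe_plain_http(host, port, timeout)
    if plain in ("unreachable", "http"):
        return ("http" if plain == "http" else None, plain, None)
    tls = probe_tls(host, port, timeout)
    return ("https" if tls == "tls" else None, plain, tls)

if __name__ == "__main__":
    # Usage: python3 probe.py <your_ip>   (port 8000 is assumed, as in the thread)
    print(diagnose(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

A result of `("https", "reset", "tls")` means the listener has TLS enabled and the reset came from using http://. A result of `(None, "reset", "reset")` means both attempts are being reset, which points at something other than the scheme, such as the host firewall or a device on the network path.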

sidtalup27
Explorer

@PickleRick, I tried both, over port 80 and 443. Either way, I was unsuccessful.

0 Karma

PickleRick
SplunkTrust

No. I mean that by default Splunk does indeed listen on port 8000 for web ui connections. You can verify it on the server side by using

netstat -lpt | grep splunkd

or

ss -lptn | grep splunkd

Your comment that you can access port 8000 with telnet suggests that it is so indeed.

So you should be connecting to your_ip:8000. The question is whether you have tls enabled in web server's configuration and should use https://your_ip:8000, or not, and you should use http://your_ip:8000.

0 Karma

PickleRick
SplunkTrust

You're trying to connect over unencrypted http to a https-enabled port or vice-versa?

0 Karma