I am having no success in disabling the web service on my universal forwarders?
Issue: The security team was able to browse to my universal forwarders using https://[universalforwarder]:8089. I have been instructed to kill the web service on the UFs.
Have tried: creating a new web.conf in etc/system/local with the following settings applied:
startwebserver = 0
httpport = 0
With these settings in place, and after removing the old web.conf file in etc/default, I am still able to browse to my UFs from a remote machine.
Am I missing a setting somewhere?
Port 8089 is NOT splunkweb; it is Splunk's management port. It does, however, speak HTTP, so it can appear to be an HTTP server.
I don't think you can (safely) disable it entirely. You might use SPLUNK_BINDIP to restrict this port to only listening on 127.0.0.1.
To elaborate, let's go through Splunk's architecture. There are two daemons - services if you will - splunkd and splunkweb. Each of these has a distinct purpose.
The splunkweb service provides the user interface components, which (by default) run HTTP on port 8000. This is where the search interface lives, and is how most users interact with Splunk.
The splunkd service is the indexing / forwarding / searching component. It has no real UI, and is interacted with by using an HTTPS port on (usually) port 8089 where REST APIs are called. Using Splunkd alone, you can't view a dashboard or create a chart. If you know the REST API - or are using an SDK - you can use the REST API (or SDK) to programmatically run searches and so forth - but the UI is up to you at that point.
Out of the box, UFs have the splunkweb web service disabled entirely. In fact, it is impossible to run splunkweb on a UF because UFs do not include the Splunk python runtime. UFs cannot run splunkweb.
UFs do, however, run Splunkd - they need to run Splunkd to do things like tail log files and forward this data to Splunk indexers.
As far as web.conf goes, if we look closely at the startwebserver option in the docs, it is specifically whether or not to start Splunkweb:
startwebserver = [0 | 1]
* Set whether or not to start SplunkWeb.
* 0 disables SplunkWeb, 1 enables it.
* Defaults to 1.
So control of Splunkd's REST port at 8089 is not governed by startwebserver. There is, however, the disableDefaultPort option in server.conf. This should work; however, there have been issues documented with it in the past.
Disabling the REST port entirely could cause some breakage, because there are CLI commands that use the REST port to talk to Splunkd. You would not be able to, for example, do a splunk list monitor or splunk add monitor, because these commands are implemented using the REST port. This is why I suggested using SPLUNK_BINDIP to limit access to the REST port to the local host.
Also, it might be worth being sure to change the default password and use iptables to prevent access to it (if you're running on a brand of *nix). I had similar concerns a while back
Yes, I don't want to kill the management port completely, just the ability to browse to a universal forwarder over this port. I did use the httpdisable stanza in server.conf, but then I lost functionality in CLI mode, i.e. I was not able to list forward-servers etc. for my troubleshooting scenarios.
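The approach the answer recommends and the comment above agrees with (keep the management port, but stop it listening on anything other than loopback) as an added worked example; this is not code from the thread or from Splunk. It sets SPLUNK_BINDIP in splunk-launch.conf idempotently, then audits `ss -ltn` output to confirm port 8089 is bound only to 127.0.0.1. Assumptions: SPLUNK_HOME defaults to /opt/splunkforwarder, the management port is the default 8089, the host is Linux with `ss` available, and the `ss` lines embedded below are constructed samples rather than output from the poster's forwarders. splunkd reads splunk-launch.conf only at start-up, so a `splunk restart` is required for the change to take effect.

```shell
#!/bin/sh
# Added example (not from the Splunk Answers thread above): bind splunkd's
# management port on a universal forwarder to loopback via SPLUNK_BINDIP and
# audit whether the port is still reachable from other hosts.
# Assumed: SPLUNK_HOME=/opt/splunkforwarder and management port 8089.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
MGMT_PORT="${MGMT_PORT:-8089}"

# set_bindip CONF [IP]
# Idempotently set SPLUNK_BINDIP in a splunk-launch.conf: any existing value
# (for example 0.0.0.0) is replaced and every other line is left untouched.
set_bindip() {
    f="$1"
    ip="${2:-127.0.0.1}"
    tmp="$f.tmp.$$"
    [ -f "$f" ] || : > "$f"
    grep -v '^SPLUNK_BINDIP=' "$f" > "$tmp" || true   # grep -v exits 1 when nothing is left
    printf 'SPLUNK_BINDIP=%s\n' "$ip" >> "$tmp"
    mv "$tmp" "$f"
}

# exposed_listeners PORT
# Reads `ss -ltn` style output on stdin and prints every local address bound
# to PORT that is not loopback. Exit status is 1 if any such listener exists,
# so the function can be used directly as a shell condition.
exposed_listeners() {
    awk -v port="$1" '
        NR > 1 {
            addr = $4                              # Local Address:Port column
            n = split(addr, parts, ":")
            p = parts[n]                           # port is the last field
            host = substr(addr, 1, length(addr) - length(p) - 1)
            if (p == port && host != "127.0.0.1" && host != "[::1]") {
                print addr
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }'
}

# Constructed `ss -ltn` output for a forwarder before and after the change.
sample_ss_before() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:8089        0.0.0.0:*
LISTEN  0       128     [::]:8089           [::]:*
EOF
}

sample_ss_after() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     127.0.0.1:8089      0.0.0.0:*
EOF
}

# audit_live: check the real host. Not invoked at top level, so this file can
# be sourced or tested on a machine without Splunk installed.
audit_live() {
    if ss -ltn | exposed_listeners "$MGMT_PORT"; then
        echo "management port $MGMT_PORT is loopback-only"
    else
        echo "management port $MGMT_PORT is still reachable on the addresses above" >&2
        return 1
    fi
}

# harden: apply the change on a real forwarder, restart splunkd, re-audit.
harden() {
    set_bindip "$SPLUNK_HOME/etc/splunk-launch.conf" 127.0.0.1
    "$SPLUNK_HOME/bin/splunk" restart
    audit_live
}
```

Run `harden` on the forwarder, then confirm from a remote machine that https://[universalforwarder]:8089 no longer answers; the local CLI (`splunk list forward-server` and friends) keeps working because, as the answer explains, it talks to splunkd on the local host rather than over the network. Where binding to loopback is not an option, the host firewall route the answer also mentions is `iptables -A INPUT ! -i lo -p tcp --dport 8089 -j DROP`, which drops management-port traffic that does not arrive on the loopback interface.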