
How does a forwarder use the management port?

aojie654
Path Finder

Hi, splunkers:

I assume that there are lots of forwarders in an environment, but the forward port 9997 and management port 8089 are already used on some forwarders by other applications. I can modify the management port on forwarders, but I think I don't need to change the forward port on forwarders either.

What I am concerned about:
1. What's the default forward port on a Splunk forwarder?
2. What's the use of the management port on a forwarder?

0 Karma
1 Solution

nplamondon
Communicator

I'll assume here that you're referring to the universal forwarder (UF) installed on your endpoint systems, rather than heavy forwarders (HF), which really shouldn't be running anything but Splunk.

You've answered half of your question already: 9997 is the default port for forwarding traffic. This is the destination port on your indexers (or an intermediate forwarder), so it doesn't need to be open on your UFs.

8089 is the management port. Your Splunk servers use this internally to communicate. Your forwarders (UF and possibly HF) will reach out to your deployment server on this port to report status and ask for apps. Again, this is a destination port on your deployment server, and does not need to be open on your UFs.

While these ports are configurable (use caution; there be dragons), it sounds to me like you don't need to change anything. Splunk on the hosts running UFs isn't listening for anything from the rest of your Splunk environment, and so doesn't need any incoming ports configured.

When in doubt regarding ports, I refer to @rob_jordan's excellent diagram in response to https://answers.splunk.com/answers/118859/diagram-of-splunk-common-network-ports.html


aojie654
Path Finder

Hi, nplamondon:

I mean:
Which port is the forwarder using when it sends data to the indexer?
Is there any impact after I change the management port of the forwarder when 8089 is used on it?

0 Karma

nplamondon
Communicator

Maybe I don't understand your questions....

Indexers receive on 9997 by default.
All Splunk management is over 8089 by default. That can be changed, but you have to pay attention when doing so, as you can easily misconfigure and break things.

0 Karma
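
As an added example (not part of the original posts), the settings below show where each port discussed in this thread is configured, assuming a forwarder host where another application already holds local port 8089. The hostnames, the output group name and the replacement port 8189 are constructed placeholders.

```ini
# ---- On the universal forwarder ----

# $SPLUNK_HOME/etc/system/local/web.conf
# Local splunkd management port on this host. This is the only setting
# that has to move when another application already owns 8089 here.
# Binding to loopback keeps the management interface off the network.
[settings]
mgmtHostPort = 127.0.0.1:8189

# $SPLUNK_HOME/etc/system/local/outputs.conf
# 9997 is the receiving port on the indexer, i.e. a destination port.
# It is not bound on the forwarder, so a local 9997 conflict is irrelevant.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.com:9997

# $SPLUNK_HOME/etc/system/local/deploymentclient.conf
# 8089 here is the deployment server's management port, again a
# destination. It stays 8089 even though the local port above changed.
[deployment-client]

[target-broker:deploymentServer]
targetUri = ds.example.com:8089

# ---- On the indexer ----

# $SPLUNK_HOME/etc/system/local/inputs.conf
# Listener that the forwarder's outputs.conf "server" entry points at.
[splunktcp://9997]
disabled = 0
```

The forwarder needs a restart for the web.conf change to take effect; host firewalls only need to permit outbound connections from the forwarder to the two destination ports.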
