How does a forwarder use the management port?

aojie654
Path Finder

Hi, splunkers:

I assume that there are lots of forwarders in an environment, but the forward port 9997 and management port 8089 are already used on some forwarders by other applications. I can modify the management port on forwarders, but I think I don't need to change the forward port on forwarders either.

What I am concerned about are:
1. What's the default forward port on a Splunk forwarder?
2. What's the use of the management port on a forwarder?

0 Karma
1 Solution

nplamondon
Communicator

I'll assume here that you're referring to the universal forwarder (UF) installed on your endpoint systems, rather than heavy forwarders (HF), which really shouldn't be running anything but Splunk.

You've answered half of your question already: 9997 is the default port for forwarding traffic. This is the destination port on your indexers (or an intermediate forwarder), so it doesn't need to be open on your UFs.

8089 is the management port. Your Splunk servers use this internally to communicate. Your forwarders (UF and possibly HF) will reach out to your deployment server on this port to report status and ask for apps. Again, this is a destination port on your deployment server, and does not need to be open on your UFs.

While these ports are configurable (use caution; there be dragons), it sounds to me like you don't need to change anything. Splunk on the hosts running UFs isn't listening for anything from the rest of your Splunk environment, and so doesn't need any incoming ports configured.

When in doubt regarding ports, I refer to @rob_jordan's excellent diagram in response to https://answers.splunk.com/answers/118859/diagram-of-splunk-common-network-ports.html


aojie654
Path Finder

Hi, nplamondon:

I mean:
Which port is the forwarder using when it sends data to the indexer?
Is there any impact after I change the management port of the forwarder when 8089 is used on it?

0 Karma

nplamondon
Communicator

Maybe I don't understand your questions....

Indexers receive on 9997 by default.
All Splunk management is over 8089 by default. That can be changed, but you have to pay attention when doing so, as you can easily misconfigure and break things.

0 Karma
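
An added example, not part of any post in this thread and not Splunk's own code: a short Python check that reads a forwarder's settings and separates the destinations it dials (9997 on indexers, 8089 on the deployment server) from the management port its own splunkd binds, which is the one a local port conflict affects. The sample conf text and host names are constructed; it assumes the stock settings `server` in outputs.conf, `targetUri` in deploymentclient.conf, `mgmtHostPort` in web.conf and `disableDefaultPort` in server.conf.

```python
import configparser

# Constructed sample settings for one universal forwarder; host names are placeholders.
SAMPLE_CONFS = {
    "outputs.conf": "[tcpout:primary_indexers]\nserver = idx1.example.com:9997, idx2.example.com:9997\n",
    "deploymentclient.conf": "[target-broker:deploymentServer]\ntargetUri = ds.example.com:8089\n",
    "web.conf": "[settings]\nmgmtHostPort = 127.0.0.1:8090\n",
    "server.conf": "[httpServer]\ndisableDefaultPort = false\n",
}


def _parse(text):
    """Parse Splunk .conf text; only '=' separates key and value, so host:port values survive."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(text)
    return cp


def port_map(confs):
    """Return (outbound, listening): destinations the forwarder dials, and ports it binds."""
    outbound, listening = [], []
    out = _parse(confs.get("outputs.conf", ""))
    for section in out.sections():
        if section.startswith("tcpout:") and out.has_option(section, "server"):
            for target in out.get(section, "server").split(","):
                outbound.append(("forwarding", target.strip()))
    dc = _parse(confs.get("deploymentclient.conf", ""))
    for section in dc.sections():
        if section.startswith("target-broker:") and dc.has_option(section, "targetUri"):
            outbound.append(("deployment server", dc.get(section, "targetUri").strip()))
    # splunkd's own management listener: port from web.conf, switched off via server.conf.
    srv = _parse(confs.get("server.conf", ""))
    off = srv.get("httpServer", "disableDefaultPort", fallback="false").strip().lower()
    if off not in ("true", "1"):
        web = _parse(confs.get("web.conf", ""))
        # Fallback is the documented default value of mgmtHostPort.
        listening.append(("management", web.get("settings", "mgmtHostPort", fallback="127.0.0.1:8089")))
    return outbound, listening


if __name__ == "__main__":
    dialed, bound = port_map(SAMPLE_CONFS)
    for role, target in dialed:
        print(f"outbound  {role:<17} -> {target}")
    for role, addr in bound:
        print(f"listening {role:<17} on {addr}")
```

Only the entries reported as listening need a free local port on the forwarder; the outbound entries are firewall rules toward the indexers and the deployment server.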
