
How does a forwarder use the management port?

aojie654
Path Finder

Hi, splunkers:

I assume that there are lots of forwarders in an environment, but the forward port 9997 and management port 8089 are already used on some forwarders by other applications. I can modify the management port on forwarders, but I think I don't need to change the forward port on forwarders either.

What I am concerned about:
1. What's the default forward port on a Splunk forwarder?
2. What's the use of the management port on a forwarder?


nplamondon
SplunkTrust

I'll assume here that you're referring to the universal forwarder (UF) installed on your endpoint systems, rather than heavy forwarders (HF), which really shouldn't be running anything but Splunk.

You've answered half of your question already: 9997 is the default port for forwarding traffic. This is the destination port on your indexers (or an intermediate forwarder), so it doesn't need to be open on your UFs.

8089 is the management port. Your Splunk servers use this internally to communicate. Your forwarders (UF and possibly HF) will reach out to your deployment server on this port to report status and ask for apps. Again, this is a destination port on your deployment server, and does not need to be open on your UFs.

While these ports are configurable (use caution; there be dragons), it sounds to me like you don't need to change anything. Splunk on the hosts running UFs isn't listening for anything from the rest of your Splunk environment, and so doesn't need any incoming ports configured.

When in doubt regarding ports, I refer to @rob_jordan's excellent diagram in response to https://answers.splunk.com/answers/118859/diagram-of-splunk-common-network-ports.html

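Added example, not part of the original answer or of Splunk's own code: it reads a constructed set of universal forwarder conf files and separates destination ports on remote servers (9997 on the indexers, 8089 on the deployment server) from the forwarder's own local management listener. The host names and the 8090 value are assumptions; `server`, `targetUri` and `mgmtHostPort` are the Splunk setting names.

```python
import configparser

# Constructed sample UF configuration (host names and 8090 are made up).
SAMPLE_CONFS = {
    "outputs.conf": """
[tcpout:primary_indexers]
server = idx1.example.com:9997, idx2.example.com:9997
""",
    "deploymentclient.conf": """
[target-broker:deploymentServer]
targetUri = ds.example.com:8089
""",
    "web.conf": """
[settings]
mgmtHostPort = 127.0.0.1:8090
""",
}

# (file, lower-cased key) -> direction of the port named by that setting
ROLES = {
    ("outputs.conf", "server"): "outbound",
    ("deploymentclient.conf", "targeturi"): "outbound",
    ("web.conf", "mgmthostport"): "listen",
}

def port_roles(confs):
    """Return sorted (direction, host, port, source) tuples for a UF's conf files."""
    found = []
    for fname, text in confs.items():
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.read_string(text)
        for section in cp.sections():
            for key, value in cp.items(section):  # keys arrive lower-cased
                role = ROLES.get((fname, key))
                if role is None:
                    continue
                for endpoint in value.split(","):
                    host, _, port = endpoint.strip().rpartition(":")
                    found.append((role, host, int(port), f"{fname} [{section}]"))
    return sorted(found)

def inbound_ports(confs):
    """Ports the forwarder host itself binds; only these can clash with local apps."""
    return sorted({p for role, _, p, _ in port_roles(confs) if role == "listen"})

if __name__ == "__main__":
    for row in port_roles(SAMPLE_CONFS):
        print(*row)
    print("local listeners:", inbound_ports(SAMPLE_CONFS))
```

In this sample, moving the local listener to 8090 leaves both outbound destinations (9997 and 8089) unchanged, because those are set by the remote servers.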

aojie654
Path Finder

Hi, nplamondon:

I mean:
Which port is the forwarder using when it sends data to the indexer?
Is there any impact after I change the management port of the forwarder when 8089 is already used on it?


nplamondon
SplunkTrust

Maybe I don't understand your questions....

Indexers receive on 9997 by default.
All Splunk management is over 8089 by default. That can be changed, but you have to pay attention when doing so, as you can easily misconfigure and break things.
