Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to limit which servers can connect to Splunk forwarders?

Konstantinov
Engager
‎08-12-2015 05:21 AM

Hello,

Our splunkforwarder Windows service listens on port 8089 from all IP addresses by default. Can I use Splunk conf files to allow connections only from Splunk servers?

Thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FritzWittwer_ol
Contributor
‎08-12-2015 05:46 AM

Well, if this are just forwardes sending data to an indexer, you can diable 8089 at all, otherwise there is an accept attribute. Both are in Server.conf:

see http://docs.splunk.com/Documentation/Splunk/6.2.5/admin/Serverconf

##########################################################################################
# Splunkd HTTP server configuration
##########################################################################################

[httpServer]
    * Set stand-alone HTTP settings for Splunk under this stanza name.
    * Follow this stanza name with any number of the following attribute/value pairs.  
    * If you do not specify an entry for each attribute, Splunk uses the default value.

...
disableDefaultPort = true|false
        * If true, turns off listening on the splunkd management port (8089 by default)
        * This setting is not recommended:
          * This is the general communication path to splunkd.  If it is disabled, there is
            no way to communicate with a running splunk.
          * This means many command line splunk invocations cannot function,
            splunkweb cannot function, the REST interface cannot function, etc.
          * If you choose to disable the port anyway, understand that you are selecting
            reduced Splunk functionality.
        * Default value is 'false'.

    acceptFrom = <network_acl> ...
        * Lists a set of networks or addresses to accept data from.  These rules are separated by commas or spaces
        * Each rule can be in the following forms:
        *   1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")
        *   2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32")
        *   3. A DNS name, possibly with a '*' used as a wildcard (examples: "myhost.example.com", "*.splunk.com")
        *   4. A single '*' which matches anything
        * Entries can also be prefixed with '!' to cause the rule to reject the
          connection.  Rules are applied in order, and the first one to match is
          used.  For example, "!10.1/16, *" will allow connections from everywhere
          except the 10.1.*.* network.
        * Defaults to "*" (accept from anywhere)

View solution in original post

Reply
Solved! Jump to solution
Solution

FritzWittwer_ol
Contributor
‎08-12-2015 05:46 AM

Well, if this are just forwardes sending data to an indexer, you can diable 8089 at all, otherwise there is an accept attribute. Both are in Server.conf:

see http://docs.splunk.com/Documentation/Splunk/6.2.5/admin/Serverconf

##########################################################################################
# Splunkd HTTP server configuration
##########################################################################################

[httpServer]
    * Set stand-alone HTTP settings for Splunk under this stanza name.
    * Follow this stanza name with any number of the following attribute/value pairs.  
    * If you do not specify an entry for each attribute, Splunk uses the default value.

...
disableDefaultPort = true|false
        * If true, turns off listening on the splunkd management port (8089 by default)
        * This setting is not recommended:
          * This is the general communication path to splunkd.  If it is disabled, there is
            no way to communicate with a running splunk.
          * This means many command line splunk invocations cannot function,
            splunkweb cannot function, the REST interface cannot function, etc.
          * If you choose to disable the port anyway, understand that you are selecting
            reduced Splunk functionality.
        * Default value is 'false'.

    acceptFrom = <network_acl> ...
        * Lists a set of networks or addresses to accept data from.  These rules are separated by commas or spaces
        * Each rule can be in the following forms:
        *   1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")
        *   2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32")
        *   3. A DNS name, possibly with a '*' used as a wildcard (examples: "myhost.example.com", "*.splunk.com")
        *   4. A single '*' which matches anything
        * Entries can also be prefixed with '!' to cause the rule to reject the
          connection.  Rules are applied in order, and the first one to match is
          used.  For example, "!10.1/16, *" will allow connections from everywhere
          except the 10.1.*.* network.
        * Defaults to "*" (accept from anywhere)
Reply
Solved! Jump to solution

Konstantinov
Engager
‎08-12-2015 11:05 PM

Thanks! Is there any automated way to change server.conf file on all forwarders?

0 Karma
Reply
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...