Security

How to limit which servers can connect to Splunk forwarders?

Konstantinov
Engager

Hello,

Our splunkforwarder Windows service listens on port 8089 from all IP addresses by default. Can I use Splunk conf files to allow connections only from Splunk servers?

Thanks.

0 Karma
1 Solution

FritzWittwer_ol
Contributor

Well, if these are just forwarders sending data to an indexer, you can disable 8089 altogether; otherwise there is an accept attribute. Both are in server.conf:

see http://docs.splunk.com/Documentation/Splunk/6.2.5/admin/Serverconf

##########################################################################################
# Splunkd HTTP server configuration
##########################################################################################

[httpServer]
    * Set stand-alone HTTP settings for Splunk under this stanza name.
    * Follow this stanza name with any number of the following attribute/value pairs.  
    * If you do not specify an entry for each attribute, Splunk uses the default value.

...
disableDefaultPort = true|false
        * If true, turns off listening on the splunkd management port (8089 by default)
        * This setting is not recommended:
          * This is the general communication path to splunkd.  If it is disabled, there is
            no way to communicate with a running splunk.
          * This means many command line splunk invocations cannot function,
            splunkweb cannot function, the REST interface cannot function, etc.
          * If you choose to disable the port anyway, understand that you are selecting
            reduced Splunk functionality.
        * Default value is 'false'.

    acceptFrom = <network_acl> ...
        * Lists a set of networks or addresses to accept data from.  These rules are separated by commas or spaces
        * Each rule can be in the following forms:
        *   1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")
        *   2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32")
        *   3. A DNS name, possibly with a '*' used as a wildcard (examples: "myhost.example.com", "*.splunk.com")
        *   4. A single '*' which matches anything
        * Entries can also be prefixed with '!' to cause the rule to reject the
          connection.  Rules are applied in order, and the first one to match is
          used.  For example, "!10.1/16, *" will allow connections from everywhere
          except the 10.1.*.* network.
        * Defaults to "*" (accept from anywhere)


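Added example (not code from the original post, nor from Splunk): a Python simulation of the acceptFrom evaluation described in the answer above, with the default stanza beside a hardened one, so a rule list can be checked before it is rolled out to forwarders. The semantics (comma- or space-separated rules, a leading '!' rejects, first match wins, rule forms of single IP, CIDR block, DNS name with '*' wildcard, or bare '*') are those of the server.conf.spec text quoted in the answer. Two points the quoted text leaves open are assumptions here: a peer that matches no rule is rejected, and DNS-name rules are matched against a hostname you pass in rather than resolved. The subnet 10.1.2.0/24 and the host mgmt.example.com are placeholders for whatever legitimately reaches the forwarders' management port.

```python
"""Simulate how the [httpServer] acceptFrom ACL in server.conf decides
whether a peer may connect (added example, not Splunk's code).

Semantics follow the server.conf.spec text quoted in the thread. Assumptions
where that text is silent: no matching rule -> reject; DNS-name rules are
matched against a caller-supplied hostname. 10.1.2.0/24 and
mgmt.example.com are placeholders.
"""
from __future__ import annotations

import configparser
import fnmatch
import ipaddress

# Constructed server.conf fragments: the default (accept from anywhere)
# beside a hardened version that only admits the management hosts.
DEFAULT_SERVER_CONF = """
[httpServer]
acceptFrom = *
"""

HARDENED_SERVER_CONF = """
[httpServer]
# Loopback stays in the list so local 'splunk' CLI commands, which use the
# management port, are not locked out. 10.1.2.0/24 and mgmt.example.com are
# placeholders. The final '!*' makes the default-deny explicit, since the
# first matching rule wins and the spec does not say what a no-match does.
acceptFrom = 127.0.0.1, ::1, 10.1.2.0/24, mgmt.example.com, !*
"""


def load_accept_from(server_conf_text: str) -> str:
    """Read the acceptFrom value from server.conf-style text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(server_conf_text)
    return cp.get("httpServer", "acceptFrom", fallback="*")


def parse_acl(acl_spec: str) -> list[tuple[bool, str]]:
    """Split an acceptFrom value into ordered (allow, pattern) rules."""
    rules = []
    for token in acl_spec.replace(",", " ").split():
        if token.startswith("!"):
            rules.append((False, token[1:]))
        else:
            rules.append((True, token))
    return rules


def _expand_cidr(pattern: str):
    """Pad the spec's short forms ('10/8', 'fe80:1234/32'), which the
    ipaddress module rejects, out to full network addresses."""
    addr, prefix = pattern.split("/", 1)
    if ":" in addr:
        if "::" not in addr and addr.count(":") < 7:
            addr += "::"
    else:
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def rule_matches(pattern: str, ip, hostname: str | None) -> bool:
    """Does one rule pattern match the peer (IP object plus optional name)?"""
    if pattern == "*":
        return True
    if "/" in pattern:
        return ip in _expand_cidr(pattern)
    try:
        return ip == ipaddress.ip_address(pattern)
    except ValueError:
        pass  # not an address, so treat it as a DNS name (assumption)
    return hostname is not None and fnmatch.fnmatchcase(hostname.lower(), pattern.lower())


def accepts(acl_spec: str, peer_ip: str, peer_hostname: str | None = None) -> bool:
    """First matching rule decides; no match rejects (assumption, see above)."""
    ip = ipaddress.ip_address(peer_ip)
    for allow, pattern in parse_acl(acl_spec):
        if rule_matches(pattern, ip, peer_hostname):
            return allow
    return False


def shadowed_rules(acl_spec: str) -> list[tuple[bool, str]]:
    """Rules that can never fire because an earlier '*' or '!*' matches every
    peer first; a non-empty result usually means the list is in the wrong
    order (e.g. '*, !10.1/16' instead of the spec's '!10.1/16, *')."""
    rules = parse_acl(acl_spec)
    for i, (_, pattern) in enumerate(rules):
        if pattern == "*":
            return rules[i + 1:]
    return []


if __name__ == "__main__":
    peers = [("127.0.0.1", None), ("10.1.2.7", None),
             ("192.168.50.4", None), ("10.9.9.9", "mgmt.example.com")]
    for label, conf in (("default", DEFAULT_SERVER_CONF),
                        ("hardened", HARDENED_SERVER_CONF)):
        acl = load_accept_from(conf)
        print(f"[{label}] acceptFrom = {acl}")
        for ip, host in peers:
            verdict = "accept" if accepts(acl, ip, host) else "reject"
            print(f"  {ip:14} {host or '-':18} -> {verdict}")
    print("shadowed in '*, !10.1/16':", shadowed_rules("*, !10.1/16"))
```

The loopback addresses are kept in the hardened list because the quoted spec says the local splunk CLI goes through the management port, and it is not stated whether loopback is exempt from acceptFrom. After placing the stanza in $SPLUNK_HOME/etc/system/local/server.conf (or an app's local/server.conf) on a forwarder and restarting it, the command splunk btool server list httpServer --debug shows which file the effective acceptFrom value comes from.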
Konstantinov
Engager

Thanks! Is there any automated way to change the server.conf file on all forwarders?

0 Karma