Security
Highlighted

How to limit which servers can connect to Splunk forwarders?

Engager

Hello,

Our splunkforwarder Windows service listens on port 8089 from all IP addresses by default. Can I use Splunk conf files to allow connections only from Splunk servers?

Thanks.

0 Karma
Highlighted

Re: How to limit which servers can connect to Splunk forwarders?

Contributor

Well, if this are just forwardes sending data to an indexer, you can diable 8089 at all, otherwise there is an accept attribute. Both are in Server.conf:

see http://docs.splunk.com/Documentation/Splunk/6.2.5/admin/Serverconf

##########################################################################################
# Splunkd HTTP server configuration
##########################################################################################

[httpServer]
    * Set stand-alone HTTP settings for Splunk under this stanza name.
    * Follow this stanza name with any number of the following attribute/value pairs.  
    * If you do not specify an entry for each attribute, Splunk uses the default value.

...
disableDefaultPort = true|false
        * If true, turns off listening on the splunkd management port (8089 by default)
        * This setting is not recommended:
          * This is the general communication path to splunkd.  If it is disabled, there is
            no way to communicate with a running splunk.
          * This means many command line splunk invocations cannot function,
            splunkweb cannot function, the REST interface cannot function, etc.
          * If you choose to disable the port anyway, understand that you are selecting
            reduced Splunk functionality.
        * Default value is 'false'.

    acceptFrom = <network_acl> ...
        * Lists a set of networks or addresses to accept data from.  These rules are separated by commas or spaces
        * Each rule can be in the following forms:
        *   1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")
        *   2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32")
        *   3. A DNS name, possibly with a '*' used as a wildcard (examples: "myhost.example.com", "*.splunk.com")
        *   4. A single '*' which matches anything
        * Entries can also be prefixed with '!' to cause the rule to reject the
          connection.  Rules are applied in order, and the first one to match is
          used.  For example, "!10.1/16, *" will allow connections from everywhere
          except the 10.1.*.* network.
        * Defaults to "*" (accept from anywhere)

View solution in original post

Highlighted

Re: How to limit which servers can connect to Splunk forwarders?

Engager

Thanks! Is there any automated way to change server.conf file on all forwarders?

0 Karma