Hello guys,
is it possible to restrict Splunk or the network flow from a license slave to license master?
Both licensing and the Splunk API use TCP:8089; we would like to allow only licensing network flows, as the slave will be outside our organization.
Thanks.
So you want to allow someone to access your license but not connect in any other way?
To make it airtight you would need something like an API gateway and only certain REST calls (regarding license) to 8089.
Things to take into consideration.
By default the LM allows any license slave that is able to connect to 8089 to use your license. May not be smart to open this for the world.
You can protect this by changing your pool to only allow predefined license slaves. These are identified by the machine GUID. You can either collect all the GUIDs beforehand or keep a small pool open for all slaves to connect. After one connect you can then use the GUI to add a new slave to your 'full' pool.
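An added example (not from the thread or from Splunk) of checking the pool restriction described in the answer above: it reads the `[lmpool:...]` stanzas of a license master's server.conf and reports which pools accept any slave (`slaves = *`) and which are pinned to machine GUIDs. The sample file, pool names, quotas and GUIDs are constructed, and parsing with Python's configparser assumes a simple INI-style server.conf.

```python
import configparser

# Constructed server.conf excerpt for a license master; pool names, quotas
# and GUIDs are made up for this example.
SAMPLE_SERVER_CONF = """
[lmpool:onboarding]
description = small pool left open so a new slave can connect once
quota = 104857600
slaves = *
stack_id = enterprise

[lmpool:full]
description = main pool, pinned to known machine GUIDs
quota = 10737418240
slaves = 11111111-2222-3333-4444-555555555555, 66666666-7777-8888-9999-000000000000
stack_id = enterprise
"""


def audit_license_pools(conf_text):
    """Map each lmpool stanza to its quota, allowed GUIDs and whether it is open."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep setting names exactly as written
    parser.read_string(conf_text)
    pools = {}
    for section in parser.sections():
        if not section.startswith("lmpool:"):
            continue
        raw = parser.get(section, "slaves", fallback="")
        guids = [g.strip() for g in raw.split(",") if g.strip()]
        pools[section.split(":", 1)[1]] = {
            "quota": parser.get(section, "quota", fallback="unset"),
            "open": "*" in guids,  # wildcard: any slave that reaches 8089
            "guids": [g for g in guids if g != "*"],
        }
    return pools


def open_pools(conf_text):
    """Names of pools that any connecting slave may draw from."""
    return sorted(n for n, p in audit_license_pools(conf_text).items() if p["open"])


if __name__ == "__main__":
    for name, pool in audit_license_pools(SAMPLE_SERVER_CONF).items():
        state = "OPEN to any slave" if pool["open"] else f"{len(pool['guids'])} pinned GUID(s)"
        print(f"{name}: quota={pool['quota']}, {state}")
```

Any pool listed by `open_pools` is the exposure the answer warns about: its quota is what an unknown slave reaching 8089 could consume.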
Is this what you are trying to achieve? https://answers.splunk.com/answers/67/how-do-i-change-the-ports-that-splunk-listens-on.html
If I misunderstood, can you elaborate on the problem you are trying to solve?
No, just allow license traffic not management/API. Thanks.
Fairly certain you cannot do what you're referring to as it would involve changing the internal workings of how Splunk uses the management port to communicate between other Splunk components.
Since the slave is outside the organization, and based on your question in the title of your post, your best option would likely be encrypting that communication. You can secure the communication between the slaves and license master by configuring SSL in server.conf.
http://docs.splunk.com/Documentation/Splunk/6.6.0/Security/AboutsecuringyourSplunkconfigurationwithS...