Setup questions/Firewall Question

wendyctlam
Explorer

Hi all,

2 servers:

A = splunk server on a windows 2008 r2 server
B = server with splunk forwarder

Questions:

1) I am trying to have B talk to A but have been unsuccessful. I am not sure what I need to set up for B in order for it to talk to A.

2) How do I set up A so that I can access the server anywhere via splunkweb? Currently I can only access it via Remote Desktop Connection.

3) What type of firewall rules do I need to open up A to? (i.e. 8089 and 8000 for tcp, http, and https?)

Thanks in advance for your help.

Wendy

0 Karma
1 Solution

bmacias84
Champion

On the indexer/search head you will need to configure receiving. From the Splunk Web UI navigate to Manager >> Forwarding and receiving >> Configure receiving >> New. Type 9997 in the "Listen on this port" box. Now your indexer is ready to receive data. If you have already installed your forwarder, run the following command:

%splunk%/bin/splunk add forward-server <indexer_host>:9997

If you do not have any port conflicts on port 80, run the following on your indexer/search head:

%splunk%/bin/splunk set web-port 80

This is assuming you don’t have any Windows security policies or local firewall rules configured.

If you want to access it anywhere from within your network, you will need to make sure the port used by the web server is allowed through the firewalls to your network segment. Also set up a friendly name in DNS pointing to your Splunk instance.

Default ports used:
9997 for forwarders to the Splunk indexer. (forwarding and receiving data)

8000 for clients to the Splunk Web (webserver)

8089 – Splunk Management port (inter Splunk communication)

Hope this helps.

Windows Splunk Install

bmacias84
Champion

Your search head/indexer is the only server that needs port 80 (or whatever port you decided to use for splunkweb), which will be http and https. I don't know your network topology, but your intermediate firewall needs to allow port 80 from your subnet to the server.

UDP/TCP port 9997 and 8089 should be opened to all Splunk instances. If you are still having problems, use telnet and have your network team watch the firewalls for the traffic. They should be able to see the denies or successes.

As for your question regarding customizing the Splunk UI for a user, it is a loaded question and depends on scope.

0 Karma
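
The telnet check suggested in the reply above can be scripted so that it separates a port nobody is listening on from one a firewall is silently dropping. This is an added example, not part of the original posts; it assumes Python 3 on the machine you test from, and the function names are hypothetical.

```python
import socket
import sys

# Default Splunk ports as listed in the thread.
SPLUNK_PORTS = {9997: "forwarder to indexer data", 8000: "Splunk Web", 8089: "management"}

def probe(host, port, timeout=3.0):
    """Classify one TCP connection attempt, as you would read a telnet test."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # a listener answered and the path is allowed
    except ConnectionRefusedError:
        return "refused"         # host reachable, nothing listening (or a reject rule)
    except socket.timeout:
        return "filtered"        # no reply at all: typical of a firewall dropping packets
    except OSError as exc:
        return "error: %s" % exc # DNS failure, no route, and similar

def check_splunk(host, ports=SPLUNK_PORTS, timeout=3.0):
    """Probe every port and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}

def advise(port, state):
    """Map a result to the next troubleshooting step discussed in the thread."""
    if state == "open":
        return "reachable"
    if state == "refused":
        if port == 9997:
            return "host answers but nothing listens: configure receiving on 9997 on the indexer"
        return "host answers but nothing listens: check that Splunk is serving this port"
    if state == "filtered":
        return "no reply: have the network team look for denies on the firewalls"
    return "fix name resolution or routing first (%s)" % state

if __name__ == "__main__":
    # Usage: python check_ports.py <indexer_host>   (host name supplied by you)
    target = sys.argv[1]
    for port, state in check_splunk(target).items():
        print("%5d %-26s %-10s %s" % (port, SPLUNK_PORTS[port], state, advise(port, state)))
```

Run it from the forwarder (server B) against the indexer (server A); a "filtered" result is the case where the firewall logs will show the deny.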

bmacias84
Champion

If you only want to customize a view for a specific user for an existing app, you will need to create application.js and application.css files within the ./splunk/etc/apps//static/ folder. Your application.js will need some logic to detect your currently logged-on user and apply the view customizations from your .css.

http://dev.splunk.com/view/SP-CAAADQ4

0 Karma

s2upin
Explorer

Thank you so much :'( . It took me a lot of time.

0 Karma

wendyctlam
Explorer

Thank you for that information. Once I set the web-port to 80, would I be able to access the Splunk web interface anywhere? The server should have port 80 opened up on the network.
I tried to access it and had no luck.

I've given this to our firewall guys to open up:
TCP/UDP for port 9997
http and https for port 8000 and 8089
is that correct?

I have a question about customizing the Splunk view for a specific user; do you have any information on this other than the ones from splunk.com? It's a bit confusing. Thanks so much!!

Wendy

0 Karma