A = splunk server on a windows 2008 r2 server
B = server with splunk forwarder
1) I am trying to have B talking to A but unsuccessful. I am not sure what I need to setup for B in order for it to talk to A.
2) How do I setup A so that I can access the server anywhere via splumkweb? Currently I can only access it via Remote Desktop Connection
3) Why type of firewall rules do I need to open up A to? (i.e. 8089 and 8000 for tcp, http, and https?)
Thanks in advance for your help.
Indexer/search head you will need to configure receiving. From the Splunk Web UI navigate to Manager>>Forwarding and receiving >> Configure receiving >> New. Type 9997 in the Listen on this port box. Now your Indexer is ready to receive data. If you are have already installed your forwarder run the following command:
%splunk%/bin/splunk add forward-server
If you have do not have any port conflicts on port 80 run the following on your Indexer/Search Head:
%splunk%/bin/splunk set web-port 80.
This assuming you don’t have any windows security policies or local firewall rules configured.
If you want to access anywhere from within you network you will need to make sure the port used by the web server is allowed through the firewalls to your network segment. Also set up a friendly name in DNS pointing to your Splunk instance.
Default ports used:
9997 for forwarders to the Splunk indexer. (forwarding and receiving data)
8000 for clients to the Splunk Web (webserver)
8089 – Splunk Management port (inter Splunk communication)
Hope this helps.
Thank you for that information. Once I set the web-port to 80, would I be able to access the splunk web interface anywhere? The server should have port 80 open up on the network.
I tried it to access it and no luck.
I've given this to our firewall guys to open up:
TCP/UDP for port 9997
http and https for port 8000 and 8089
is that correct?
I have a question about customizing splunk view for specific user, do you have any information on this rather than the ones from splunk.com? Its a bit confusing. Thanks so much!!
If you only want to customize a view for a specific user for an existing app you will need to create an application.js and application.css files within the ./splunk/etc/apps/
Your search head/Indexer is the only server needs port 80 (or whatever port you decied to use for splunkweb) which will be http and https. I dont know your network topology, but you intermediate firewall need to allow the 80 from your subnet to the server.
UDP/TCP port 9997 and 8089 should be opened to all splunk instances. If you still having problems use telnet and have your network team watch the firewalls for the traffic. They should be able to see the denies or successes.
As for you question regarding customizing the splunk UI for a user is a loaded question and depend on scope.