Hello, our Splunk universal forwarder, only on our Nessus instance, is generating findings on port 8089. Our Splunk doesn't use the universal forwarder's SSL (we implemented our own wrapper). So why is it trying to create a connection on 8089 (even though our firewall is blocking it)?
I'm required to scan my Splunk Enterprise environment for compliance reasons. When I'm scanning my search heads and indexers, I keep getting multiple SSL errors for the management port 8089. I've searched and haven't found a method to upload a third-party cert to fix this, or whether this is something that I'll just have to note as not fixable. I've included some of the vulnerability issues I've found. Not sure if opening a ticket with support would get me the information I need.
SSL Certificate with Wrong Hostname
SSL Certificate Cannot Be Trusted
SSL Self-Signed Certificate
If you don't need TCP/8089 open on your forwarders and you're blocking it anyway, you can just disable it. Here's a TA you can deploy to your forwarders to do so: https://splunkbase.splunk.com/app/3246/
So it seems this app is for 6.X. We are running Splunk 7.3. Would this app work for that? In particular, is all we need to do:
Yes, it will work for Splunk 7 and Splunk 8. The configuration has not changed.
8089 is the splunkd port. I strongly suggest fixing your SSL setup on SH/IDX/HF instead of disabling encryption, especially if you care about security. You can disable it on the UF if not needed.
Google for Splunk SSL best practices to get an overview of what can be done.
As a dirty hack you can (temporarily, of course) configure a firewall (network or local) to block this port for any IPs except your SH/IDX so the scan will not detect it.
Yes, this would be on the UF, and it is blocked on our firewalls on all instances. However, the UF the scanner sits on (since it's localhost) is picking up port 8089 as running SSL-encrypted traffic.
Do you have a link in which I can configure just that port with a custom cert?
As @masonmorales mentioned, you can disable this port instead if it is not needed.
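
The two options discussed in this thread, written out as `server.conf` settings. This is an added example, not code from any poster or from the Splunkbase app linked above; the file paths and the password value are placeholders.

```ini
# --- Universal forwarder: server.conf (system/local or an app's local/) ---
# Stops splunkd from listening on the management port (8089 by default),
# so the scanner finds no TLS service on that port at all.
# Side effect: local `splunk` CLI commands that talk to splunkd over the
# management port stop working on this host.
[httpServer]
disableDefaultPort = true

# --- Search head / indexer / heavy forwarder: server.conf ---
# Keep 8089 open and replace the default certificate instead.
# All paths below are placeholders (assumptions), not values from this thread.
[sslConfig]
# PEM file with the server certificate, its private key and the issuing chain.
# To clear "Wrong Hostname", the certificate's CN/SAN must match the name the
# scanner connects to. To clear "Cannot Be Trusted" and "Self-Signed", it must
# be issued by a CA the scanner trusts.
serverCert = /opt/splunk/etc/auth/mycerts/splunkd-server.pem
# Password of the private key, if the key is encrypted.
sslPassword = <private-key-password>
# CA bundle splunkd uses when verifying certificates.
sslRootCAPath = /opt/splunk/etc/auth/mycerts/ca-chain.pem
# Restrict the management port to TLS 1.2.
sslVersions = tls1.2
```

Both changes take effect after splunkd is restarted on the host where the file was edited.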