Security
Highlighted

What firewall rule is required for indexer acknowledgement?

Communicator

Hi everyone,

Currently we are trying to introduce indexer acknowledgement to protect against loss of in-flight data.

We have a strict networking environment that only allow open port when totally necessary.

Just wondering how the indexer acknowledge signal being sent to Universal Forwarders? Is there any additional port need to be opened between Universal Forwarder and Indexer? (Or between Universal Forwarder and Heavy Forwarders? )

I have a look at the below article:
https://docs.splunk.com/Documentation/Splunk/8.0.0/Forwarding/Protectagainstlossofin-flightdata

It says "Sends an acknowledgment to the forwarder.". But I cannot see any details at how the acknowledgement is sent?

Does it send to Universal Forwarder via a management port? e.g. 8089? If we disable the management port of UFs, does it mean we cannot use this function any more?

Cheers,
S

0 Karma
Highlighted

Re: What firewall rule is required for indexer acknowledgement?

Legend

Hi @season88481,
the only needed ports are:

  • 9997 (by default or another one) between Universal Forwarders and Indexers;
  • 9997 (by default or another one) between Universal Forwarders and Heavy Forwarders (when present);
  • 9997 (by default or another one) between Heavy Forwarders (when present) and Indexers;
  • 8089 (by default or another one) between All Forwarders (Heavy or Universal) and Deployment Server;
  • 514 (by default or another one) between Appliances (syslogs) and Heavy Forwarders.

If you have an Indexers' Cluster or a Search Heads' Cluster you have to open other ports between Splunk Servers.

Ciao.
Giuseppe

0 Karma
Highlighted

Re: What firewall rule is required for indexer acknowledgement?

Communicator

Thanks Giuseppe,

So to allow HFs or IDX to send acknowledge to UFs, do we need to open the management port 8089 of all UFs?

0 Karma
Highlighted

Re: What firewall rule is required for indexer acknowledgement?

Legend

Hi @season88481,
beware: UFs send data to Indexers or HFs.
Indexers and HFs don't send nothing to UFs, they only receive.

To send configurations (Technical Add-ons) to UFs (opening 8089 port), you can use an HF or an Indexer only if you have less than 50 target servers, for more it's mandatory to use a dedicated Deployment Server, and I hint to start from the beginning with a DS also if you have less than 50 target server so you'll have less load on the Indexer.

Ciao.
Giuseppe

0 Karma