Hi team!
What ports do I need to open and in what direction, I do not know if I leave any.
Is there any communications table?
Thank you a lot.
Splunk does not dictate which ports event forwarding uses, however there is a 'convention'.
Splunk management port defaults to 8089, but this also is configurable.
As a basic start (and using defaults) the following should allow your Universal Forwarders to communicate with a deployment server and forward events to indexers/intermediate tiers.
UF -> Splunk TCP:9997 (unencrypted event forwarding)
UF -> Splunk TCP:9998 (TLS encrypted event forwarding)
UF -> Deployment Server TCP:8089 (TLS)
There is a great post with diagrams here which does an awesome job of illustrating all the communications ports
https://answers.splunk.com/answers/58888/what-are-the-ports-that-i-need-to-open.html