
firewall access for splunk servers

shawnedwards
New Member

Hi All -

Could you confirm that I have the connectivity ports correct or if I’m missing any? I just want to use the default port configurations at this point. I have installed splunk on a single server and will be installing the universal forwarder to 3 other servers to forward the data back to the main server.

from Desktop Web Clients to Main Splunk Server using http on port 8000

from Client Servers to Main Splunk Server using tcp/udp on port 9997 for universal forwarder
from Client Servers to Main Splunk Server using tcp on port 8089 for Management Communication ***Does this one need to go back to those client servers with UF?

Thanks!

0 Karma

bmacias84
Champion

That all depends. Are you planning to enable remote CLI on your forwarders? If so, you will need to allow 8089 from your Splunk Server. You will also have to change the default password on the forwarders to enable this.

TCP/8089 - deployment server, distributed search, remote cli, pooled search heads (Search head to indexers) (Deployment client to Deployment Server) (between distributed search members) (between Pooled Search Head members) (remote cli to splunk instance)

TCP/9997 - Default receiving port on indexers (Forwarder to Indexers)

TCP/8000 - Default port SearchHead (web browser to search head)

0 Karma

bmacias84
Champion

In an All-in-One deployment your Splunk Server is the Deployment Server, Indexer, Search Head, and Licensing Server. Each one of those roles/features is available on full installs of Splunk and can be enabled or disabled. Deployment server is disabled by default. In an all-in-one deployment, TCP/9997 from forwarder to indexer/search and TCP/8000 from web clients to search head is all you should need to start. Hope this helps and that I answered your question.

0 Karma
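An added example, not part of the original posts and not Splunk tooling: a Python check that audits a firewall allow-list against the flows the answers above list for an all-in-one deployment. The IP addresses, the rule format and the function names are assumptions made for illustration, and a default-deny policy is assumed.

```python
import ipaddress

SPLUNK = "10.0.0.10"  # constructed address of the all-in-one Splunk server
# Flows the answers list as needed to start: (description, src, dst, proto, port)
REQUIRED = [
    ("forwarders -> indexer", "10.0.1.0/29", SPLUNK, "tcp", 9997),
    ("web clients -> Splunk Web", "10.0.2.0/24", SPLUNK, "tcp", 8000),
]
MGMT_PORT = 8089  # per the answers: remote CLI, deployment server, distributed search

# Constructed allow-list (default deny assumed); the rule format is hypothetical.
SAMPLE_RULES = [
    {"src": "10.0.1.0/29", "dst": SPLUNK, "proto": "tcp", "port": 9997},
    {"src": "10.0.1.0/29", "dst": SPLUNK, "proto": "udp", "port": 9997},
    {"src": "0.0.0.0/0", "dst": SPLUNK, "proto": "tcp", "port": 8000},
    {"src": SPLUNK, "dst": "10.0.1.0/29", "proto": "tcp", "port": 8089},
]

def covers(rule, src, dst, proto, port):
    """True if the allow rule permits the whole src -> dst flow on proto/port."""
    net = ipaddress.ip_network
    return (rule["proto"] == proto and rule["port"] == port
            and net(src).subnet_of(net(rule["src"]))
            and net(dst).subnet_of(net(rule["dst"])))

def audit(rules, required=REQUIRED):
    """Return findings: missing flows, unneeded rules, over-broad sources."""
    findings = []
    for desc, *flow in required:
        if not any(covers(r, *flow) for r in rules):
            findings.append(f"MISSING {flow[2]}/{flow[3]}: {desc}")
    for r in rules:
        label = f"{r['proto']}/{r['port']} {r['src']} -> {r['dst']}"
        if r["port"] == MGMT_PORT:
            findings.append(f"REVIEW {label}: only if remote CLI or deployment server is used")
        elif not any(covers(r, *flow) for _, *flow in required):
            findings.append(f"UNNEEDED {label}: not one of the required flows")
        elif ipaddress.ip_network(r["src"]).prefixlen == 0:
            findings.append(f"BROAD {label}: source is any, restrict to client networks")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_RULES):
        print(line)
```
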

shawnedwards
New Member

I meant to answer, I don't know if I will enable the remote CLI at this point since this is a POC. But, it is good to know about the traffic if we do.

0 Karma

shawnedwards
New Member

Thank you. I have the initial install on a single server. Are the terms deployment server, indexer and search head synonymous for each/the server that I have Splunk installed on?

Thanks.

0 Karma