Splunk Enterprise Security

How come I can't see the Splunk Web interface, though I don't see problems at the port level?

sebastiandelrea
Engager

I have a Search Head Splunk running and I cannot see its web interface; however, when reviewing the settings I can see that the service is running and I do not see problems at the port 8000 level. This machine is CentOS 7.

[root@localhost bin]# ./splunk status
splunkd is running (PID: 3206).
splunk helpers are running (PIDs: 3207 3276 3374 3586 3593 3933 3938 3946 3952 3967 3969 3991 4006 4035 4038 4067 4087 4132 4216 4245 4289 19936 21863 29673 31326 37186 37220 38675 38761 39270 39273 39276 39284 40312).
[root@localhost bin]#

[root@localhost ~]# netstat -anpt |grep -e 8000
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      3206/splunkd
tcp        0      1 10.10.9.50:8000         192.168.150.28:47232    FIN_WAIT1   -
tcp        0      0 10.10.9.50:8000         10.10.12.232:65198      ESTABLISHED 3206/splunkd
tcp        0      0 10.10.9.50:8000         192.168.150.28:47946    ESTABLISHED 3206/splunkd
tcp        0      1 10.10.9.50:8000         192.168.150.28:47172    FIN_WAIT1   -
tcp        0      0 10.10.9.50:8000         192.168.150.28:48044    ESTABLISHED 3206/splunkd

[root@localhost ~]# firewall-cmd --list-all
FirewallD is not running
0 Karma

whrg
Motivator

Hello @sebastiandelreal,

Are you trying to reach the Splunk web interface from the same system where Splunk is running or from another system?

If you are trying to reach the web UI from another client, check that you can ping the Splunk server:

ping 10.10.9.50

In case you don't know, you can access the web UI via http://10.10.9.50:8000 or http://127.0.0.1:8000 (if Splunk is running on the same system as your web browser).

Also check if iptables is blocking incoming connections:

sudo iptables -L
0 Karma

sebastiandelrea
Engager

Hello, thanks for your answer.

I'm trying to join Splunk from another system.

At the connectivity level, I have an answer when I ping from the system.

This is the result of iptables command:

[root@localhost /]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
0 Karma

whrg
Motivator

What is the exact error message in your web browser? Are you getting a timeout?
Your iptables looks fine.
Here are some more ideas:
If you have HTTPS in Splunk enabled, use https://.. instead of http://..
Try it on a different web browser. Perhaps you have a web proxy configured.
If you are running Splunk as root user, you could change the port from 8000 to 80 and see if that helps.
Test the web connection on your Splunk server: curl http://127.0.0.1:8000. If it is working correctly then you should see something like "The resource has moved temporarily

0 Karma
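The checks suggested in this thread (timeout or not, HTTP versus HTTPS, what the server actually returns) can be run from the client machine in one pass. The following Python probe is an added example, not part of the original posts; the function name `probe_web_port` and its result labels are assumptions of this example.

```python
import socket
import ssl


def probe_web_port(host, port=8000, timeout=3.0):
    """Return (kind, detail) describing how host:port answers a browser-like client."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        # SYNs are being dropped: look at firewalls or routing between client and server.
        return ("timeout", "no answer to TCP connect")
    except ConnectionRefusedError:
        # The host answered but nothing accepts connections on this address and port.
        return ("refused", "port closed")
    except OSError as exc:
        return ("unreachable", str(exc))

    # Plain HTTP first, like a browser given http://host:port
    with sock:
        try:
            sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            reply = sock.recv(256)
        except OSError:  # includes a read timeout or a reset by the server
            reply = b""
    if reply.startswith(b"HTTP/"):
        # The status line shows a redirect, an error page, or a normal answer.
        return ("http", reply.split(b"\r\n")[0].decode("latin-1"))

    # No HTTP status line: see whether the port expects TLS (use https:// then).
    # Certificate checks are off because this only tests reachability, not trust.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("https", tls.version())
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return ("open-no-http", str(exc))


if __name__ == "__main__":
    # Address and port taken from the thread; run this from the client machine.
    print(probe_web_port("10.10.9.50", 8000))
```

A `timeout` result from the client combined with a working local `curl` on the server points at something between the two machines rather than at Splunk itself.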