Agree with you on that's what the doc says but in testing (version: splunkforwarder-9.1.0.1-77f73c9edb85-Linux-x86_64.tgz), mgmtHostPort in web.conf alone doesn't work for me.  I have to add mgmtMode = tcp for it to work.  Also, the default web.conf file already has mgmtHostPort = localhost:8089. mgmtHostPort has been working up to and including version 9.0.5 but not on 9.1.0.1.  On our instance, we only need to enable that port for localhost only. ... View more

Thanks @isoutamo  and @fatsug for your leads.  What I understand from Splunk documentation (link from @fatsug above) is that splunkd should listen to 127.0.0.1:8089 by default: Improvements to universal forwarder security, including the limiting of access to the UF management port to only the local machine But as mentioned above, lsof command showed splunkd doesn't listen on to localhost,127.0.0.1:8089.  Even though when you list running processes, it shows: splunkd -p 8089.  Also, when starting it indicated in the console: Checking mgmt port [8089]: open After more reading, it looks like mgmtMode in 9.1.0.1 doesn't work as previous version including 9.0.  To enable it, I have to force it in tcp mode.  In our case, we need to enable UF management port for REST API connection.  To enable it we added this block to $SPLUNK_HOME/etc/system/local/server.conf:   [httpServer] mgmtMode = tcp   Depends on your setting, you might want to add "disableDefaultPort = false" to make sure it's not configured somewhere else. What're your thoughts on this approach? ... View more