On one of my universal forwarders I've got an issue where it seems to be ignoring the disabledefaultport setting. I have the following in my server.conf config file:
[httpServer]
disableDefaultPort = true
Despite that setting disabling the port, it is still listening on port 8089. I need to disable this due to vulnerability scans, but for whatever reason it just isn't working.
To be more specific, create /opt/splunkforwarder/etc/system/local/web.conf and add:
[settings]
mgmtHostPort = 127.0.0.1:6060
Then, in /opt/splunkforwarder/etc/system/local/server.conf add:
[httpServer]
disableDefaultPort = true
Then restart the forwarder and it should not be listening on any port.
To be more specific, create /opt/splunkforwarder/etc/system/local/web.conf and add:
[settings]
mgmtHostPort = 127.0.0.1:6060
Then, in /opt/splunkforwarder/etc/system/local/server.conf add:
[httpServer]
disableDefaultPort = true
Then restart the forwarder and it should not be listening on any port.
workes only if you set the mgmtHostPort to any other then default one, thanks for the hint!
Can someone at splunk actually confirm this works and if so update the actual documentation for server.conf? Which is it? Web.conf or Server.conf? Is this additional mgmtHostPort necessary or no? Splunk documentation is very frustrating because when these answers are posted rarely does the actual documentation article get updated.
its in server.conf but under the httpServer stanza
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverconf
sever.conf
[httpServer]
disableDefaultPort = true
Confirm with a netstat that your splunkd port is no longer listening ie. netstat -an | grep tcp | grep LISTEN
I ran into this during vulnerability scans also.
This worked on one server, but not the other. I ended up just re-installing the forwarder and now it's working as expected.
We've found that if you add a web.conf with an alternate listening port along with the disableDefaultPort directive, it starts up without listening on any port.