Greetings.
I have an indexer configured to receive logs from forwarders on a TCP port, say 8100. I have configured the universal forwarder to send the logs to the indexer on the above port and I can see the events appearing in the indexer. This is all in 4.3.2. I want to know the details of the connectivity from the forwarder to the indexer. TCP is the transport layer protocol. What's the service protocol? Is that SSH, Telnet, or HTTP?
Similarly, in a distributed environment, what is the service protocol for the connectivity from the deployment server to universal forwarders, indexers and search heads?
thanks
laks
Forwarding is done over TCP in Splunk's own format. Optionally you can encrypt it using SSL.
Communication with the deployment server is done using HTTPS over port 8089.
Yes, we do receive syslogs over UDP. However, all our Splunk nodes are within the green side and hence I guess intra-Splunk node communication is HTTP over TCP and some may be HTTPS over TCP.
All that the network layer should know about is that connections are over TCP. Under TCP, they may be encrypted, use HTTP, both, or neither. Note that some inputs may use UDP as well.
This is mainly to request connectivity with the network teams, as they need to know what ports and protocols are used so they can punch in the required access.
Thanks. I would then take it as HTTP/TCP for all communication across Splunk nodes in the distributed environment then, am I correct?
Thanks Ayn. Let me elaborate a bit. I have deployed 2 search heads (SH) that are connected to 2 indexers. One of the SH is also acting as my deployment server (DS) and license master, so the other instances are made slaves to the DS. All these servers are in the green side, meaning they are behind our firewall. I have forwarders installed in a number of servers, some of them in the green side and some of them in the red side/DMZ. I need to tell the network team the port to connect to on the SH (DS) and indexers so the forwarders can send the logs and also get the push from the DS.
No. Forwarded log traffic doesn't use any kind of HTTP at all. Intra-Splunk traffic (port 8089) will use HTTP, but by default over SSL, so it's HTTPS rather than HTTP. From a network perspective no "recognizable" protocol like the ones you specified will ever be seen, unless you have some kind of solution that breaks SSL connections to inspect their contents (and in that case you're running into a world of other problems). I'm curious to know why your network team would require you to specify the protocol.
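An added check, not from this thread, for confirming from a forwarder host what the answer above describes: that the receiving port (8100 in the question) and the management port 8089 are reachable over TCP, and whether each listener actually completes a TLS handshake (expected on 8089 by default; on the receiving port only if SSL forwarding was enabled). The host names in `CHECKS` are placeholders to replace with the real indexer and deployment server; the local listener is a constructed stand-in used only to demonstrate the plaintext case offline.

```python
import socket
import ssl
import threading

def probe(host, port, timeout=2.0):
    """Return (tcp_open, tls_offered) for host:port.

    tcp_open: a plain TCP connect succeeded (what the firewall rule must allow).
    tls_offered: the listener completed a TLS handshake. The certificate is not
    verified here because the only question is whether the port speaks TLS.
    """
    try:
        socket.create_connection((host, port), timeout=timeout).close()
    except OSError:                       # refused, filtered, or unresolvable
        return (False, False)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):  # handshakes now
                return (True, True)
    except (ssl.SSLError, OSError):       # EOF/reset/timeout: plaintext listener
        return (True, False)

def start_plain_listener():
    """Constructed stand-in for a receiving port without SSL: accept and close.
    Returns the ephemeral port it listens on (127.0.0.1 only)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

# Placeholder hosts: substitute the real indexer and deployment server.
CHECKS = [
    ("forwarder -> indexer receiving port", "indexer.example.invalid", 8100),
    ("forwarder -> deployment server mgmt", "ds.example.invalid", 8089),
]

if __name__ == "__main__":
    CHECKS.append(("local plaintext demo", "127.0.0.1", start_plain_listener()))
    for label, host, port in CHECKS:
        tcp_open, tls = probe(host, port)
        print(f"{label}: {host}:{port} tcp_open={tcp_open} tls_offered={tls}")
```

A result of `tcp_open=True, tls_offered=False` on 8089 means the management port is answering in plain HTTP and the SSL default has been turned off somewhere worth investigating.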
I would ask why you are interested in knowing this. If you're thinking of using a network load-balancer or something, that's a bad idea, and there are better ways to deal with it.