
Unable to access Splunk Web Portal

sidtalup27
Loves-to-Learn Lots

Hello,

I have a new installation of Splunk 9.X. The instance is hosted on Ubuntu OS, on Azure Cloud. There is no Public IP associated with the instance. The instance can only be accessed via the associated Private IP Address (peering is established between Azure and my internal company network).

I tried to telnet the Instance on port 8000, and it is accepting connections. In parallel, when I launch TCPDUMP and refresh the browser, I can see packets on TCPDUMP.

In spite of this, I am unable to access the instance via console. I get CONNECTION RESET on the browser.

Please advise.

--
Thanks,
Siddarth

0 Karma

sidtalup27
Loves-to-Learn Lots

@PickleRick , below is the output of netstat.


sadmin@splunk-01:~$ sudo netstat -lpt | grep splunkd
tcp    0    0    splunk:8000 0.0.0.0:*    LISTEN    58145/splunkd
tcp    0     0   0.0.0.0:8089 0.0.0.0:*     LISTEN   58145/splunkd


sadmin@splunk-01:~$ sudo ss -lptn | grep splunkd
LISTEN    0    128     10.X.X.X:8000    0.0.0.0:*     users:(("splunkd",pid=58145,fd=186))
LISTEN    0    128      0.0.0.0:8089      0.0.0.0:*     users:(("splunkd",pid=58145,fd=4))

 

Can you please advise on "tls enabled in web server's configuration"?

 

--
Thanks,
Siddarth

0 Karma

PickleRick
Ultra Champion

OK. So splunkd is listening on ports 8000 (where webui should be) and 8089 (that port is for internal splunk uses). So theoretically you should be able to connect to that port using either plain http or https.

If you can't it means that there is something else blocking the connection. Maybe it's the host firewall, maybe you have some firewall in the middle of your network path, maybe you have some transparent proxy - we can't know that - it's your environment 😉

Try connecting to http://<your_ip>:8000 and https://<your_ip>:8000 and see if any of those work.

Typically "connection reset by peer" happens if you have TLS enabled but try to connect using plain HTTP.

0 Karma
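The http-versus-https check suggested in the reply above, written as a small probe. This is an added example, not part of the original thread; the function name `probe_web_port` and its result labels are hypothetical, and the target address is whatever private IP you pass on the command line.

```python
import socket
import ssl
import sys

def probe_web_port(host, port=8000, timeout=5.0):
    """Classify host:port as 'http', 'https', 'reset', 'closed' or 'unknown'."""
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"  # refused, timed out or unroutable: no TCP listener reachable
    with sock:
        try:
            sock.sendall(request)
            first = sock.recv(16)
        except (ConnectionResetError, BrokenPipeError):
            first = None  # TCP connected, then the peer (or a middlebox) reset it
        except OSError:
            first = b""   # connected, but no answer to plain HTTP before the timeout
    if first and first.startswith(b"HTTP/"):
        return "http"     # the listener speaks plain HTTP: use http://host:port

    # Plain HTTP was reset, ignored or answered with non-HTTP bytes: try TLS.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # protocol detection only, nothing sensitive is
    ctx.verify_mode = ssl.CERT_NONE  # sent; an untrusted cert must not hide the answer
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock):
                return "https"  # TLS handshake completed: use https://host:port
    except OSError:  # ssl.SSLError is a subclass of OSError
        # Neither protocol worked: check host firewall, network firewall or proxy.
        return "reset" if first is None else "unknown"

if __name__ == "__main__":
    # Usage: python3 probe.py <private_ip> [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 8000
    print(f"{target}:{target_port} -> {probe_web_port(target, target_port)}")
```

A result of `reset` from a client machine combined with `http` or `https` when run on the Splunk host itself points at something in the network path rather than at Splunk Web.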

sidtalup27
Loves-to-Learn Lots

@PickleRick , I tried both, over ports 80 and 443; either way, I was unsuccessful.

0 Karma

PickleRick
Ultra Champion

No. I mean that by default Splunk does indeed listen on port 8000 for web ui connections. You can verify it on the server side by using

netstat -lpt | grep splunkd

or

ss -lptn | grep splunkd

Your comment that you can access port 8000 with telnet suggests that it is so indeed.

So you should be connecting to your_ip:8000. The question is whether you have tls enabled in web server's configuration and should use https://your_ip:8000 or not and you should use http://your_ip:8000.

 

0 Karma

PickleRick
Ultra Champion

You're trying to connect over unencrypted http to a https-enabled port or vice-versa?

0 Karma