Security

Outbound connections required by Splunk

Harold
Observer

Doing some hardening on my Splunk and would like to block any outgoing connections not required.

Besides DNS, as far as I have logged over the last couple of days, Splunk only requires outgoing connections on port 443 over TCP/SSL to servers using certificates with names that fit "*splunk.com"?

I am talking about license and other connections required by Splunk; for this question, assume a standalone enterprise Splunk server with no integration with other servers or forwarders.

0 Karma

gcusello
SplunkTrust

Hi @Harold,

as @scelikok said, if you're speaking about hardening, you should look at https://docs.splunk.com/Documentation/Splunk/8.1.3/Security/WhatyoucansecurewithSplunk. In addition, at the last .conf there was an interesting webinar, https://conf.splunk.com/files/2020/slides/TRU1537C.pdf, about Splunk hardening.

Anyway, if you want the connections used by Splunk, you should look at https://docs.splunk.com/Documentation/Splunk/8.1.3/InheritedDeployment/Ports

Ciao.

Giuseppe


0 Karma

scelikok
SplunkTrust

Hi @Harold,

Assuming there is no integration, standalone Splunk does not need any outgoing connections. Since we are talking about hardening, *splunk.com connections are also not necessary. They are for Splunk/apps version checking, and sending some telemetry data to Splunk about your usage. It is safe to block all outgoing connections.

If this reply helps you, an upvote and "Accept as Solution" are appreciated.
0 Karma
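
One way to check the replies above against your own host, before and after adding the egress block (an added example, not part of the original thread): it parses `ss -Htanp` output and lists the non-loopback connections that splunkd itself initiated. The sample lines are constructed, and the listener ports 8000 and 8089 are assumed defaults; adjust them to your configuration.

```python
import ipaddress
import re

# Constructed sample of `ss -Htanp` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:8089 0.0.0.0:* users:(("splunkd",pid=1201,fd=4))
ESTAB 0 0 10.0.0.5:8000 10.0.0.77:52311 users:(("splunkd",pid=1201,fd=88))
ESTAB 0 0 127.0.0.1:40112 127.0.0.1:8089 users:(("splunkd",pid=1201,fd=61))
ESTAB 0 0 10.0.0.5:51544 203.0.113.10:443 users:(("splunkd",pid=1201,fd=56))
ESTAB 0 0 10.0.0.5:22 10.0.0.77:50022 users:(("sshd",pid=900,fd=4))
SYN-SENT 0 1 [2001:db8::5]:40000 [2001:db8::10]:443 users:(("splunkd",pid=1201,fd=57))
"""

PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop brackets and any zone id
    return ipaddress.ip_address(host), int(port)


def outbound_connections(ss_output, process="splunkd", listen_ports=(8000, 8089)):
    """Return (state, peer_ip, peer_port) for connections the process initiated.

    listen_ports is an assumption: sockets whose local port is one of our own
    listeners are inbound clients and are not egress.
    """
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "LISTEN":
            continue  # no process info, or a listening socket
        match = PROC_RE.search(" ".join(fields[5:]))
        if not match or match.group(1) != process:
            continue
        _, local_port = split_endpoint(fields[3])
        peer_ip, peer_port = split_endpoint(fields[4])
        if local_port in listen_ports or peer_ip.is_loopback:
            continue  # inbound to a listener, or local inter-process traffic
        findings.append((fields[0], str(peer_ip), peer_port))
    return findings


if __name__ == "__main__":
    for state, ip, port in outbound_connections(SAMPLE_SS):
        print(f"{state:9} -> {ip}:{port}")
```

Run `ss` as root so the process column is populated. Once the block is in place, remaining attempts show up in the `SYN-SENT` state instead of `ESTAB`.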