About management mode for the universal forwarder
The management mode feature is available for universal forwarder versions 9.1.0 and higher to improve security. It controls how CLI commands and local REST API calls communicate with the splunkd process: through Transmission Control Protocol (TCP) or through Unix Domain Sockets (UDS). The default management mode is auto, which uses UDS if it is available on your operating system.
UDS-supported operating systems
UDS is available on the following operating systems:
- Linux
- macOS
- Windows Server 2019 and higher
- Windows 10 build 17063 and higher
For operating systems that don't support UDS, TCP is used instead.
Types of management modes
The following table lists the types of management modes:
Mode | Function |
---|---|
auto | CLI commands and local REST API calls communicate with the splunkd process through UDS if UDS is supported. If UDS is not supported, TCP is used instead. |
tcp | CLI commands and local REST API calls communicate with the splunkd process through the management port bound to localhost. |
none | CLI commands and local REST API calls are restricted from communicating through the management port. |
Check and change your management mode
Upgrading the universal forwarder from version 9.0.0 and lower to the latest version does not change your existing settings. In that case, you must change your management mode to UDS yourself when upgrading to 9.1.0 and higher, if UDS is available on your operating system.
To check all applicable configurations in your management mode, run the following command:
./splunk btool server list --debug | egrep "disableDefaultPort|mgmtMode"
To change your management mode, follow these steps:
- Navigate to the server.conf file in the $SPLUNK_HOME/etc/system/local/ folder.
- Set the mgmtMode parameter to your desired mode.
- Restart the Splunk platform by running the ./splunk restart command.
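The check above can be wrapped in a small shell helper that reads the btool output and reports which transport the management mode table implies. This is an added example, not part of Splunk's documentation or tooling. The function name mgmt_mode_report, the sample paths and values, and the [httpServer] stanza line in the sample are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not Splunk code). Summarize the effective management mode.
# Usage: ./splunk btool server list --debug | mgmt_mode_report yes
# $1: "yes" if this OS is on the UDS-supported list, otherwise "no".
mgmt_mode_report() {
    awk -v uds="${1:-no}" '
        # btool --debug prefixes every line with the file that supplied it,
        # so the path is whatever precedes "<key> = <value>" (spaces allowed).
        function grab(key,   re) {
            re = "[ \t]" key "[ \t]*=[ \t]*"
            if (!match($0, re)) return 0
            val = substr($0, RSTART + RLENGTH); file = substr($0, 1, RSTART - 1)
            sub(/[ \t\r]+$/, "", val); sub(/[ \t]+$/, "", file)
            return 1
        }
        grab("mgmtMode")           { mode = tolower(val); src = file }
        grab("disableDefaultPort") { ddp = val }   # reported as-is, not interpreted
        END {
            # Mapping taken from the management mode table on this page.
            if (mode == "")          { mode = "unset"; transport = "unknown" }
            else if (mode == "auto") { transport = (uds == "yes") ? "uds" : "tcp" }
            else if (mode == "tcp")  { transport = "tcp" }
            else if (mode == "none") { transport = "none" }
            else                     { transport = "invalid" }
            printf "mgmtMode=%s transport=%s disableDefaultPort=%s source=%s\n",
                   mode, transport, (ddp == "" ? "unset" : ddp), (src == "" ? "-" : src)
        }'
}

# Constructed sample of btool output (paths and values are illustrative only).
SAMPLE='/opt/splunkforwarder/etc/system/default/server.conf [httpServer]
/opt/splunkforwarder/etc/system/default/server.conf disableDefaultPort = false
/opt/splunkforwarder/etc/system/local/server.conf   mgmtMode = tcp'

printf '%s\n' "$SAMPLE" | mgmt_mode_report yes
```

The source field shows which server.conf supplied the mgmtMode value, which tells you whether an upgraded forwarder is still running on a setting carried over from before the upgrade.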
This documentation applies to the following versions of Splunk® Universal Forwarder: 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1