Splunk® Universal Forwarder

Forwarder Manual

About management mode for the universal forwarder

The management mode feature for the universal forwarder is available for versions 9.1.0 and higher to improve security. You can control how CLI commands and local REST API calls communicate with the splunkd process through the management mode feature. You can configure how the universal forwarder communicates, either through Transmission Control Protocol (TCP) or Unix Domain Sockets (UDS). The default management mode is auto, which uses UDS if it is available on your operating system.

UDS-supported operating systems

UDS is available on the following operating systems:

  • Linux
  • macOS
  • Windows Server 2019 and higher
  • Windows 10 build 17063 and higher

For operating systems that don't support UDS, TCP is used instead.

Types of management modes

The following table lists the types of management modes:

| Mode | Function |
|------|----------|
| auto | CLI commands and local REST API calls communicate with the splunkd process through UDS if UDS is supported. If UDS is not supported, TCP is used instead. |
| tcp | CLI commands and local REST API calls communicate with the splunkd process through the management port bound to localhost. |
| none | CLI commands and local REST API calls are restricted from communicating through the management port. |

Check and change your management mode

Upgrading the universal forwarder from version 9.0.0 or lower to the latest version does not change your existing settings. After such an upgrade to 9.1.0 or higher, you must change your management mode to UDS yourself if UDS is available on your operating system.

To check all configuration settings that apply to your management mode, run the following command:

./splunk btool server list --debug | egrep "disableDefaultPort|mgmtMode"

To change your management mode, follow these steps:

  1. Navigate to the server.conf file in the $SPLUNK_HOME/etc/system/local/ folder.
  2. Set the mgmtMode parameter to your desired mode.
  3. Restart the Splunk platform by running the ./splunk restart command.
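
The following is an added example, not part of the Splunk documentation: a shell check that reads the output of the btool command above and reports the effective mgmtMode, the file that sets it, and the transport that results according to the mode table. The function names, the sample lines, and the line format (conf file path, key, "=", value, with no spaces in the path) are assumptions.

```shell
#!/bin/sh
# Added example (not Splunk code). Input: the lines printed by
#   ./splunk btool server list --debug | egrep "disableDefaultPort|mgmtMode"
# Assumed line format: "<conf file path> <key> = <value>", path without spaces.

# Constructed sample output so the functions can be exercised offline.
SAMPLE='/opt/splunkforwarder/etc/system/local/server.conf   mgmtMode = tcp
/opt/splunkforwarder/etc/system/default/server.conf disableDefaultPort = false'

# effective_setting KEY: read btool lines on stdin, print "<value> <file>".
# Prints nothing when KEY does not appear in the input.
effective_setting() {
  awk -v key="$1" '$2 == key && $3 == "=" { val = $4; src = $1 }
                   END { if (val != "") print val, src }'
}

# transport_for MODE UDS_SUPPORTED(yes|no): transport per the mode table.
transport_for() {
  case "$1" in
    auto) [ "$2" = yes ] && echo uds || echo tcp ;;
    tcp)  echo tcp ;;
    none) echo none ;;
    *)    echo unknown; return 2 ;;
  esac
}

# audit_mgmt_mode UDS_SUPPORTED: read btool lines on stdin, print one summary
# line, return 1 when management traffic uses TCP although UDS is supported.
audit_mgmt_mode() {
  uds="$1"
  found=$(effective_setting mgmtMode)
  mode=${found%% *}
  src=${found#* }
  # The documented default applies when no configuration file sets mgmtMode.
  [ -n "$found" ] || { mode=auto; src="documented default"; }
  transport=$(transport_for "$mode" "$uds") || true
  echo "mgmtMode=$mode source=$src transport=$transport"
  [ "$transport" = tcp ] && [ "$uds" = yes ] && return 1
  return 0
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE" | audit_mgmt_mode yes \
  || echo "finding: management traffic uses TCP although UDS is supported"
```

On a forwarder, pipe the real btool output into audit_mgmt_mode in place of the sample, passing yes or no according to whether the operating system is in the UDS-supported list.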

Last modified on 10 April, 2023

This documentation applies to the following versions of Splunk® Universal Forwarder: 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0

