Splunk® Enterprise

Securing Splunk Enterprise



Splunk Enterprise version 7.2 is no longer supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Secure Splunk Enterprise on your network

Under certain conditions, Splunk Enterprise ports can become susceptible to attacks. Prevent access by shielding your Splunk Enterprise configuration from the Internet.

If possible, keep Splunk Enterprise behind a host-based firewall that restricts access to the Splunkweb, management, and data ports. Have your remote users access Splunk Enterprise over a Virtual Private Network.

You can also protect Splunk Enterprise from attacks in the following ways:

  • Restrict CLI access by limiting the management port to local calls only, from behind a host firewall.
  • Unless necessary, do not allow access to forwarders on any port.
  • Install Splunk Enterprise on an isolated network segment that only trustworthy machines can access.
  • Limit port accessibility to only necessary connections. The necessary connections are:
    • End users and administrators must access Splunkweb (TCP port 8000 by default).
    • Search heads must access search peers on the management port (TCP port 8089 by default).
    • Deployment clients must access the deployment server on the management port (TCP port 8089 by default).
    • Forwarders must access the index server data port (TCP port 9997 by default).
    • Remote CLI calls use the management port.
  • Restrict access to the KV store port on the search head. (By default, the KV store port is 8191, and that port is open to the network.) On each search head cluster member, allow access to the KV store port only for the other members, so that the cluster can replicate KV store data.
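
The list above, expressed as host-firewall rules. This is an added example, not Splunk's own tooling: the role names, the `splunk_rules` and `allow` functions, and every address are constructed assumptions. It covers only the connections listed on this page, on their default ports, and prints iptables commands for review rather than applying them.

```bash
#!/usr/bin/env bash
# Added example: print iptables rules for one Splunk Enterprise role.
# All networks and hosts are constructed placeholders; replace them with your own.
USER_NET="10.0.10.0/24"                          # end users and admins (e.g. VPN pool)
SEARCH_HEADS="10.0.20.11 10.0.20.12 10.0.20.13"  # search head cluster members
FORWARDER_NET="10.0.30.0/24"                     # forwarders sending data
DEPLOY_CLIENT_NET="10.0.40.0/24"                 # deployment clients

allow() {  # allow <port> <source>...
  local port=$1 src
  shift
  for src in "$@"; do
    echo "iptables -A INPUT -p tcp -s $src --dport $port -j ACCEPT"
  done
}

splunk_rules() {  # splunk_rules <role> [this-host-ip]
  local role=$1 self=${2:-} m
  case $role in
    search_head|indexer|deployment_server|forwarder) ;;
    *) echo "unknown role: $role" >&2; return 1 ;;
  esac
  # Loopback stays open, so local CLI calls to the management port still work.
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  case $role in
    search_head)
      allow 8000 "$USER_NET"                     # Splunkweb
      for m in $SEARCH_HEADS; do                 # KV store: other members only
        [ "$m" = "$self" ] || allow 8191 "$m"
      done ;;
    indexer)
      allow 8089 $SEARCH_HEADS                   # search heads -> search peer
      allow 9997 "$FORWARDER_NET" ;;             # forwarders -> data port
    deployment_server)
      allow 8089 "$DEPLOY_CLIENT_NET" ;;         # deployment clients
    forwarder) : ;;                              # no inbound access on any port
  esac
  # Default-deny goes last so a line-by-line apply cannot cut off this session.
  echo "iptables -P INPUT DROP"
}

if [ $# -gt 0 ]; then splunk_rules "$@"; fi
```

Run it as `./splunk_rules.sh search_head 10.0.20.11` (hypothetical file name) and add rules for your own administrative access, such as SSH, before applying the output.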
Last modified on 02 April, 2022

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12

