Splunk® Enterprise

Securing Splunk Enterprise

Splunk Enterprise version 9.0 will no longer be supported as of June 14, 2024. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Secure Splunk Enterprise on your network

Under certain conditions, Splunk Enterprise network ports, services, and APIs can become susceptible to attacks over the network. You can prevent those potential attacks by shielding your Splunk Enterprise configuration from the Internet.

Consider the following measures to reduce the network attack surface of your Splunk Enterprise deployment:

  • Where possible, use a firewall to restrict access to Splunk Web, management, and data ingestion ports. Keep Splunk Enterprise components inside that network firewall.
  • Where possible, have any remote Splunk Enterprise users access the deployment through a virtual private network.

You can also protect Splunk Enterprise from physical and network attacks in the following ways:

  • Restrict CLI access by limiting the management port that the CLI uses (TCP 8089 by default) to local calls only, from behind a host firewall.
  • Unless necessary, do not allow access to forwarders on any network port. Additionally, you can enable enhanced forwarder management network port protection. See Configure universal forwarder management security.
  • Where applicable, enable TLS certificate host name validation between individual machines in a Splunk Enterprise deployment. See Configure TLS certificate host name validation for secured connections between Splunk software components.
  • Install Splunk Enterprise on an isolated network segment that only trustworthy machines can access.
  • Limit network port accessibility to only necessary connections. See the following table for the list:

    Client instance                                                  | Server instance                                       | Default ports
    Your browser                                                     | Splunk Web                                            | TCP 8000
    Search heads                                                     | Search peers (indexers)                               | TCP 8089
    Forwarders                                                       | Receivers (indexers)                                  | TCP 8089
    The Splunk CLI                                                   | Any Splunk platform instance                          | TCP 8089
    Search head cluster members                                      | The App Key Value Store service on other SHC members  | TCP 8191
    Search heads that run Splunk Assist from the Monitoring Console  | *.scs.splunk.com                                      | TCP 443

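
The following added example (not part of the Splunk documentation) audits a host's listening sockets against the default inbound ports in the table: it parses `ss -Htln` output and reports Splunk Enterprise ports bound to anything other than loopback, which are the listeners a firewall needs to restrict. The sample output is constructed, and the function and variable names are hypothetical.

```python
import ipaddress

# Default ports from the table above, keyed to the listening service.
SPLUNK_DEFAULT_PORTS = {
    8000: "Splunk Web",
    8089: "management port (search peers, receivers, CLI)",
    8191: "App Key Value Store",
}

# Constructed sample of `ss -Htln` output, not captured from a real host.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:8000 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8089 0.0.0.0:*
LISTEN 0 128 [::]:8191 [::]:*
LISTEN 0 128 *:22 *:*
"""

def parse_listener(line):
    """Return (host, port) for one `ss -Htln` line, or None if unparseable."""
    fields = line.split()
    if len(fields) < 4:
        return None
    host, _, port = fields[3].rpartition(":")
    if not port.isdigit():
        return None
    # Drop IPv6 brackets and any %interface scope suffix.
    return host.strip("[]").split("%")[0], int(port)

def is_loopback(host):
    """True only for loopback addresses; wildcards and unknown forms are exposed."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def audit_listeners(ss_output):
    """List (port, host, service) for Splunk default ports not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        parsed = parse_listener(line)
        if parsed and parsed[1] in SPLUNK_DEFAULT_PORTS:
            host, port = parsed
            if not is_loopback(host):
                findings.append((port, host, SPLUNK_DEFAULT_PORTS[port]))
    return sorted(findings)

if __name__ == "__main__":
    for port, host, service in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"TCP {port} ({service}) on {host}: confirm a firewall restricts it")
```

To audit a live host, pass the output of `ss -Htln` to `audit_listeners` in place of the constructed sample.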
Last modified on 28 February, 2024

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.2.0, 9.2.1
