Splunk® Enterprise

Securing Splunk Enterprise

Secure Splunk Enterprise on your network

Under certain conditions, Splunk Enterprise network ports, services, and APIs can become susceptible to attacks. You can prevent those potential attacks by shielding your Splunk Enterprise configuration from the Internet.

Where possible, use a host-based firewall to restrict access to Splunk Web, management, and data ingestion ports. Keep Splunk Enterprise within that firewall. Have remote users access Splunk Enterprise over a virtual private network (VPN).

You also can protect Splunk Enterprise from attacks in the following ways:

  • Secure the CLI by restricting the port it uses to local calls only, from behind a host firewall.
  • Unless necessary, do not allow access to forwarders on any port. Additionally, you can enable enhanced forwarder management port protection. See Configure universal forwarder management security.
  • Where applicable, enable TLS certificate host name validation. See Enable TLS certificate host name validation.
  • Install Splunk Enterprise on an isolated network segment that only trustworthy machines can access.
  • Limit port accessibility to only necessary connections. See the following table for the list:
    | Client instance | Server instance | Default ports |
    |---|---|---|
    | Your browser | Splunk Web | TCP 8000 |
    | Search heads | Search peers (indexers) | TCP 8089 |
    | Forwarders | Receivers (indexers) | TCP 8089 |
    | The Splunk CLI | Any Splunk platform instance | TCP 8089 |
    | Search head cluster members | The App Key Value Store service on other SHC members | TCP 8191 |
    | Search heads that run Splunk Assist from the Monitoring Console | *.scs.splunk.com | TCP 443 |
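
To check how the listening ports from the table are actually bound on a host, the following added example (not part of the Splunk documentation) classifies each listener as bound to all interfaces, to loopback only, or to one specific address. It assumes a Linux host with the iproute2 `ss` tool; the function names are hypothetical and the sample listener lines are constructed.

```shell
#!/bin/sh
# Added example: report how the default Splunk listening ports are bound.
# Feed it `ss -H -tln` output on stdin (assumes Linux with iproute2).

# Default listening ports from the table: Splunk Web, management, App Key Value Store.
SPLUNK_PORTS="8000 8089 8191"

# Prints one line per matching listener: "<port> <bind address> <state>".
audit_splunk_listeners() {
  awk -v ports="$SPLUNK_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == "LISTEN" {
      port = $4; sub(/.*:/, "", port)        # text after the last colon
      addr = $4; sub(/:[^:]*$/, "", addr)    # text before the last colon
      if (!(port in want)) next
      if (addr == "0.0.0.0" || addr == "*" || addr == "[::]")
        state = "ALL_INTERFACES"             # only the firewall limits access
      else if (addr ~ /^127\./ || addr == "[::1]")
        state = "LOOPBACK_ONLY"              # local calls only
      else
        state = "SPECIFIC_ADDRESS"
      print port, addr, state
    }'
}

# Constructed sample in `ss -H -tln` column order (not captured from a real host).
sample_listeners() {
  cat <<'EOF'
LISTEN 0 128 0.0.0.0:8000 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8089 0.0.0.0:*
LISTEN 0 128 [::]:8191 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
EOF
}

# Demo on the constructed sample; on a live host use: ss -H -tln | audit_splunk_listeners
sample_listeners | audit_splunk_listeners
```

Any line reported as `ALL_INTERFACES` is a port whose reachability depends entirely on the host firewall and network segmentation described above.
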
Last modified on 02 April, 2022

This documentation applies to the following versions of Splunk® Enterprise: 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.1.0, 9.1.1
