Splunk Forwarder Port Binding

If your deploying the Splunk Forwarder to send event logs to your Splunk servers, you may or may not know that it doesn't just grab your logs and send them off.  Binds to a port for some reason.  By default it grabs 8089.

If you're in a decent sized environment, which if you can afford Splunk I assume you are, then you will probably find at least 1 existing app that is already using that port and that's where this post comes in.

The problem will present itself by you trying to start the Splunk service and the Splunk service telling you, "nope I am not starting."

First thing to check is the log file.  This can be found in the install directory under the var\log\splunk subfolders.  By default, the full path will be c:\program files\SplunkUniversalForwarder\var\log\splunk.



Once you're here, open up the splunkd.log file.  Scroll through for something listed as FATAL.  In our case, that shows HTTPServer - Could not bind to port 8089.  Now if you're feeling uber thorough, you can go check the bindings in IIS to see what is taking using that port, assuming it's a website that's already taking the port of course.



Now that we have confirmed the port is the problem, lets change splunk to use a different port.  To do this, we modify the web.conf files which by default is located in c:\program files\SplunkUniversalForwarder\etc\system\default.


Open up hte web.conf file and find the mgmtHostPort entry.  Easiest way of doing it would be to just search for 8089.


Once you have tracked that line down, just change the port number to what ever you want it to be and save the file.


Go back and try starting the service again.  You should now have a working forwarder happily sending data to your Splunk server for analysis.


As with anything you find on the Internet use this at your own risk.  Just because it worked for me doesn't mean it will work for you.

Comments

Post a Comment

Popular posts from this blog

Local Administrator Password Solution(LAPS)

Image
We have all come across it.  It's a problem as old as the computer itself.  Ever since those first few engineers sat around the PC and said, "Hey Frank, I can'y log in.  What's the password?"  I am of course talking about local admin passwords.  For what ever reason your local admin password will eventually leak out and when it does, it spreads quicker than rumors of free donuts in the break room. You may have combated this with a script that you run once a year that changes the local admin password.  The problem with this solution is that if a machine is turned off or remote then it won't get the script run against it.  You could put the script into a logon script but then your sticking a clear text version of the script onto your network somewhere. "Well, I just use GPO to deploy my passwords using Group Policy Preferences." I hear you say.  This I will agree was an excellent solution until https://technet.microsoft.com/en-us/library/se...
Read more

Error Connecting to Hyper-V Host

Image
Got yourself a Hyper-V host on a nice HP server and can't connect to it remotely from the Hyper-V manager?  You are not alone.  Assuming your error is something like the error below then I may be able to help. The WS-Management service cannot process the request.  The class Msvm_RegisteredProfile does not exist in the root/interop namespace. This has something to do with the HP tools messing with the registration of the MOF's.  All we need to do to fix it is register the MOF files.  To do this, open an administrative command prompt on the server and run the following command. MOFCOMP %SYSTEMROOT%\System32\WindowsVirtualization.V2.mof That will parse through the MOF file and register it on the system leaving you with the nice screenshot below. You should now be able to use your local Hyper-V console to connect to the server and manage away. As with anything you find on the Internet use this at your own risk.  Just because it...
Read more

MBAM Not BitLocking

Image
MBAM is installed,  group policies are set.  You install the MBAM client and nothing happens. First place to start is the Eventlog.  Open eventvwr.msc and browse through to ' Applications and Services Logs\Microsoft\Windows\MBAM' .  In my case I had 'TPM hardware is missing error' This was an easy one to sort out.  Just reboot, enter the BIOS and enable the TPM module.  Some manufacturers do offer tools to do this remotely so might be worth checking with your vendors on this one if you have a bunch of machines to do. Once the machine came back up it still wasn't encrypting the disk so back to the eventlog we go. This time I was presented with 'Unable to connect to the MBAM Recovery and Hardware service.  Access was denied by the remote endpoint.' For this one I started with checking access to the endpoint.  To do this open up regedit and browse to 'HKLM\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement' .  Copy...
Read more