Quick Tips: Listening to Your Linux-based Splunk Installation Ports

By |Published On: May 26th, 2022|

Have you ever found yourself wondering what ports your Linux-based Splunk installation was listening on, but weren’t sure how to go about finding out? 

Common advice for solving this problem is to use either the netstat or ss command with the ‘-p’ flag to show program names and grep for the name of the process.

Copy to Clipboard

However, Splunk runs as multiple processes rather than a single one, and not all of those processes have “splunk” in the name. In addition to the processes built into Splunk, apps can also be installed that may open their own listening port, which grepping for “splunk” will also not find. 

So, what can we do?

On a modern Linux system, the lsof command will list all of the open files that various processes have open. Because Linux treats sockets as files just like it does everything else, we can use specific flags to the lsof command to list all of the listening TCP and UDP ports, then filter out only those that belong to the “splunk” user using the common awk utility.

Copy to Clipboard

Conclusion

Using this method, you can be more confident about catching every possible process running as the dedicated service account for Splunk. You may even find that a previous Splunk administrator has set up other listening processes that are unrelated to Splunk but still run as the same user that you may not have known about!

Happy Splunking!

About Hurricane Labs

Hurricane Labs is a dynamic Managed Services Provider that unlocks the potential of Splunk and security for diverse enterprises across the United States. With a dedicated, Splunk-focused team and an emphasis on humanity and collaboration, we provide the skills, resources, and results to help make our customers’ lives easier.

For more information, visit www.hurricanelabs.com and follow us on Twitter @hurricanelabs.