When enabling the receiving function in a Splunk Enterprise instance (an indexer, for example), it will be listening on port 9997 by default (changeable), and any forwarder with the information (indexer IP:port) can forward data and it will be well received.
My question here, I think I am missing something, but:
**If a forwarder is a malicious or external one, can it infect or disable the whole process by sending a massive amount of storage?**
**How can Splunk provide forwarding/receiving security (authentication / authorization)?**
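As an added illustration (not part of the original post, and not Splunk's shipped defaults), the receiving side can be limited to forwarders that present a trusted client certificate by using the `splunktcp-ssl` input instead of the plain `splunktcp` one. The certificate paths, password and common name below are placeholders chosen for this example.

```ini
# --- Indexer / receiver: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Plain [splunktcp://9997] accepts data from any host that can reach the port.
# [splunktcp-ssl:9997] requires TLS, and requireClientCert makes the receiver
# reject any forwarder that does not present a certificate signed by a CA
# the receiver trusts (mutual TLS).
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem      ; placeholder path
sslPassword = <placeholder-key-password>
requireClientCert = true
# Optional: only accept certificates whose CN matches this value.
sslCommonNameToCheck = forwarder.example.internal              ; placeholder CN

# --- Forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# The forwarder presents its own certificate and verifies the indexer's,
# so a receiver impersonating the indexer is rejected as well.
[tcpout]
defaultGroup = secure_indexers

[tcpout:secure_indexers]
server = indexer.example.internal:9997                         ; placeholder host
clientCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem       ; placeholder path
sslPassword = <placeholder-key-password>
sslVerifyServerCert = true
```

With this in place an unknown host that simply opens a TCP connection to 9997 and streams data is dropped at the TLS handshake rather than being indexed, which is the authentication piece the question asks about. It does not by itself rate-limit a legitimately enrolled forwarder that misbehaves, so monitoring ingest volume per host remains worthwhile.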