These docs are for Cribl Edge 4.4 and are no longer actively maintained.
See the latest version (4.13).
Ports
Cribl Edge requires certain ports to be open, and additional ports are needed if you intend to use specific integrations or options to work.
Leader
In a Distributed deployment, the following ports must be open on the Leader Node. Ensure that the Leader is reachable on those ports from all Edge Nodes.
| Default Port | Protocol | Purpose | Direction |
|---|---|---|---|
9000 | HTTP/S | Cribl Edge UI. | In |
9000 | HTTP/S | Bootstrapping Fleets from Leader (on-prem). | In |
443 | HTTP/S | Bootstrapping Fleets from Leader (Cribl.Cloud). | In |
4200 | TCP | Heartbeat/Metrics/Leader requests/notifications to clients (for example: live captures, teleporting, status updates, config bundle notifications, and so on). | In |
4200 | HTTP/S | Software upgrade (via path, not CDN). | In |
Edge Nodes
The following ports are used by Edge Nodes.
| Default Port | Protocol | Purpose | Direction |
|---|---|---|---|
9420 | TCP | Cribl Edge UI. | In |
4200 | HTTP/S | Config bundle downloads. | Out |
4200 | TCP | Heartbeat/Metrics/Leader requests/notifications to clients (for example: live captures, teleporting, status updates, config bundle notifications, and so on). | Out |
443 | TCP | (In Cribl.Cloud hybrid deployments) Communication with the Leader and with https://cdn.cribl.io. | Out |
Other Ports
Common Ports
| Default Port | Protocol | Purpose | Direction |
|---|---|---|---|
53 | UDP | DNS lookups. | Out |
389 | TCP | LDAP Auth (non-TLS). | Out |
443 | TCP | OIDC Auth (TLS). | Out |
636 | TCP | LDAP Auth (TLS). | Out |
Integrations and Apps
Integrations with specific services via Sources and Destinations or apps may require opening dedicated ports on Edge Nodes.
The defaults are listed below, but when configuring each Source or Destination you can choose another port.
| Default Port | Protocol | Purpose | Direction |
|---|---|---|---|
162 | UDP | SNMP Trap collection (non-TLS). The preconfigured SNMP Trap Source listens on port 9162. | In |
162 | UDP | SNMP Trap Destination (non-TLS). | Out |
443 | HTTP/S | Collection from and output to multiple HTTPS-based Sources and Destinations. | In / Out |
4317 | TCP | Collection from OpenTelemetry. | In |
5986 | HTTP/S | Windows Event Forwarder Source. | In |
8081 | TCP | Kafka Schema Registry. | Out |
8088 | TCP | Splunk HEC output. | Out |
8089 | TCP | Splunk Search. | In |
8125 | TCP/UDP | Output to StatsD, StatsD Extended, and Graphite (non-TLS). | Out |
9090 | TCP | Collection / discovery from Prometheus Scraper. | Out |
9092 | TCP | Collection from Confluent Cloud or Kafka, used when no port is provided. | Out |
9092 | TCP | Output to Confluent Cloud or Kafka, used when no port is provided. | Out |
9093 | TCP | Output to Azure Event Hubs. | Out |
9997 | TCP | Splunk TCP Source. | Out |
10200 | HTTP/S | Cribl HTTP Destination. | In |
10300 | TCP | Cribl TCP Destination | In |
10080 | TCP | Collection from HTTP JSON Sources. | In |
Cribl.Cloud
Cribl.Cloud makes the 20000 – 20010 port range available for configuring additional Sources.
| Available Ports | Protocol | Purpose | Direction |
|---|---|---|---|
20000 – 20010 | TCP | Additional Sources in Cribl.Cloud. | In |