Ports
Learn which ports need to be open for Cribl Edge and its integrations to function.
Cribl Edge requires certain ports to be open, and additional ports are needed if you intend to use specific integrations or options to work.
Leader
In a Distributed deployment, the following ports must be open on the Leader Node. Ensure that the Leader is reachable on those ports from all Edge Nodes.
| Default Port | Protocol | Purpose | Direction |
|---|---|---|---|
9000 | HTTP/S | Cribl Edge UI. | In |
9000 | HTTP/S | Bootstrapping Fleets from Leader (on-prem). | In |
443 | HTTP/S | Bootstrapping Fleets from Leader (Cribl.Cloud). | In |
4200 | TCP | Heartbeat/Metrics/Leader requests/notifications to clients (for example: live captures, teleporting, status updates, config bundle notifications, and so on). | In |
4200 | HTTP/S | Software upgrade (via path, not CDN). | In |
Outpost
The following port is used by Cribl Outpost.
| Default Port | Protocol | Purpose | Direction |
|---|---|---|---|
9000 | TCP | Cribl Outpost UI. Login is disabled, but the Health endpoint is available. | In |
4200 | TCP | Communication between the Outpost and the Leader. | Out |
Edge Nodes
The following ports are used by Edge Nodes.
| Default Port | Protocol | Purpose | Direction |
|---|---|---|---|
9420 | TCP | Cribl Edge UI. | In |
9000 | HTTP/S | Communication with the Leader for bootstrapping (on-prem). | Out |
443 | HTTP/S | Communication with the Leader for bootstrapping (hybrid deployment), and with https://cdn.cribl.io to download configurations from CDN. | Out |
4200 | TCP | Heartbeat/Metrics/Leader requests/notifications to clients (for example: live captures, teleporting, status updates, config bundle notifications, and so on). | Out |
4200 | HTTP/S | Config bundle downloads from the Leader. | Out |
Other Ports
Common Ports
| Default Port | Protocol | Purpose | Direction |
|---|---|---|---|
53 | UDP | DNS lookups. | Out |
389 | TCP | LDAP Auth (non-TLS). | Out |
443 | HTTP/S | OIDC Auth (TLS). | Out |
636 | TCP | LDAP Auth (TLS). | Out |
Integrations and Apps
Integrations with specific services via Sources and Destinations or apps may require opening dedicated ports on Edge Nodes.
The defaults are listed below, but when configuring each Source or Destination you can choose another port.
| Default Port | Protocol | Purpose | Direction |
|---|---|---|---|
162 | UDP | SNMP Trap collection (non-TLS). The preconfigured SNMP Trap Source listens on port 9162. | In |
162 | UDP | SNMP Trap Destination (non-TLS). | Out |
443 | HTTP/S | Collection from and output to multiple HTTPS-based Sources and Destinations. | In / Out |
4317 | TCP | Collection from OpenTelemetry. | In |
5986 | HTTP/S | Windows Event Forwarder Source. | In |
8081 | TCP | Kafka Schema Registry. | Out |
8088 | TCP | Splunk HEC input and output. | In/Out |
8089 | TCP | Splunk Search. | In |
8125 | TCP/UDP | Output to StatsD, StatsD Extended, and Graphite (non-TLS). | Out |
9090 | TCP | Collection/discovery from Prometheus Scraper. | Out |
9092 | TCP | Output to Confluent Cloud or Kafka, used when no port is provided. | Out |
9093 | TCP | Output to Azure Event Hubs. | Out |
9200 | HTTP/S | Elasticsearch API Source. | In |
9514 | TCP/UDP | Syslog Source. | In |
9997 | TCP | Splunk TCP Source. | Out |
10060 | TCP | TCP (Raw) data. | In |
10070 | TCP | TCP JSON data. | In |
10080 | TCP | Collection from HTTP JSON Sources. | In |
10200 | HTTP/S | Cribl HTTP Destination. | In |
10300 | TCP | Cribl TCP Destination. | In |
Cribl.Cloud
Cribl.Cloud provides a set of ports linked to Sources enabled by default for your Workspace. To view them:
- From your Cribl.Cloud Organization’s top bar, select Products.
- Then from the sidebar, select Cribl > Workspace, and then Data Sources.
Additionally, Cribl.Cloud makes the 20000 - 20010 port range available for configuring other Sources.
| Available Ports | Protocol | Purpose | Direction |
|---|---|---|---|
443 | TCP | Mapped to 10443 internally. Pre-configured for Amazon Data Firehose, but can be reused for other TCP-based services. | In |
20000 - 20010 | TCP | Additional Sources in Cribl.Cloud. | In |
Reusing Port 443 for Other Services
External port 443 is transparently mapped by the load balancer to internal port 10443 on the Worker Group. While this port is pre-configured for Amazon Data Firehose by default, you can reuse it for other TCP-based services that require port 443 (such as DocuSign).
To use port 443 for a different service:
- Configure a Source to listen on port
10443internally. - External clients connect to your Cribl.Cloud endpoint on port
443, which the load balancer routes to port10443on the Worker.
If you’re already using Amazon Data Firehose on this port, you can still receive data from other services by differentiating traffic using a pre-processing Pipeline. For example, check for the presence of __firehose* fields or inspect __headers to identify the data source.
No other custom ports can be opened for Cribl-managed Worker Groups in Cribl.Cloud beyond port
443and ports20000-20010.
Cribl Copilot Port
To use Cribl Copilot, your Cribl Edge deployment must be able to establish a connection to ai.cribl.cloud on port 443.