These docs are for Cribl Stream 4.11 and are no longer actively maintained.
See the latest version (4.14).
Ports
Cribl Stream requires certain ports to be open. Additional ports are needed if you use specific integrations or options.
Leader
In a Distributed deployment, the following ports must be open on the Leader Node. Ensure that the Leader is reachable on those ports from all Workers.
| Default Port | Protocol | Purpose | Direction | 
|---|---|---|---|
| 9000 | HTTP/S | Cribl Stream UI. | In | 
| 9000 | HTTP/S | Bootstrapping Worker Nodes from Leader (on-prem). | In | 
| 443 | HTTP/S | Bootstrapping Worker Nodes from Leader (Cribl.Cloud). | In | 
| 4200 | TCP | Heartbeat/Metrics/Leader requests/notifications to clients (for example: live captures, teleporting, status updates, config bundle notifications, and so on). | In | 
| 4200 | HTTP/S | Software upgrade (via path, not CDN). | In | 
If you want to use a proxy for communication between Leader and Worker Nodes, use a SOCKS proxy instead of an HTTP/S proxy. HTTP/S proxies typically don't support the raw TCP sockets that Leader-Worker communication uses.
Workers
The following ports are used by Worker Nodes.
| Default Port | Protocol | Purpose | Direction | 
|---|---|---|---|
| 9000 | TCP | Cribl Stream UI. | In | 
| 9000 | HTTP/S | Communication with the Leader for bootstrapping (on-prem). | Out | 
| 443 | HTTP/S | Communication with the Leader for bootstrapping (hybrid deployment), and with https://cdn.cribl.io to download configurations from CDN. | Out | 
| 4200 | TCP | Heartbeat/Metrics/Leader requests/notifications to clients (for example: live captures, teleporting, status updates, config bundle notifications, and so on). | Out | 
| 4200 | HTTP/S | Config bundle downloads from the Leader. | Out | 
Other Ports
This section lists port allocations for specific transport protocols and other special purposes.
Common Ports
| Default Port | Protocol | Purpose | Direction | 
|---|---|---|---|
| 53 | UDP | DNS lookups. | Out | 
| 389 | TCP | LDAP Auth (non-TLS). | Out | 
| 443 | TCP | OIDC Auth (TLS); and Cribl Lake Destination on hybrid Worker Groups that you manage. | Out | 
| 636 | TCP | LDAP Auth (TLS). | Out | 
| 9002 | TCP | Browser access to the identity server when using Personal Identity Verification (PIV) authentication. | In | 
Integrations and Apps
Integrations with specific services, via Sources and Destinations or apps, might require opening dedicated ports on Worker Nodes.
The defaults are listed below. When configuring most Sources or Destinations, you can choose a different port. However, on hybrid Worker Groups that you manage, the Cribl Lake Destination is hard-coded to send outbound HTTP/S traffic through port 443.
| Default Port | Protocol | Purpose | Direction | 
|---|---|---|---|
| 162 | UDP | SNMP Trap collection (non-TLS). The preconfigured SNMP Trap Source listens on port 9162. | In | 
| 162 | UDP | SNMP Trap Destination (non-TLS). | Out | 
| 443 | HTTP/S | Collection from and output to multiple HTTPS-based Sources and Destinations. | In/Out | 
| 4317 | TCP | Collection from OpenTelemetry. | In | 
| 5986 | HTTP/S | Windows Event Forwarder Source. | In | 
| 8081 | TCP | Kafka Schema Registry. | Out | 
| 8088 | TCP | Splunk HEC input and output. | In/Out | 
| 8089 | TCP | Splunk Search. | In | 
| 8125 | TCP/UDP | Output to StatsD, StatsD Extended, and Graphite (non-TLS). | Out | 
| 9090 | TCP | Collection/discovery from Prometheus Scraper. | Out | 
| 9092 | TCP | Collection from Confluent Cloud or Kafka, used when no port is provided. | Out | 
| 9092 | TCP | Output to Confluent Cloud or Kafka, used when no port is provided. | Out | 
| 9093 | TCP | Output to Azure Event Hubs. | Out | 
| 9200 | HTTP/S | Elasticsearch API Source. | In | 
| 9997 | TCP | Splunk TCP Source. | Out | 
| 10000 | | Splunk to Cribl Stream data port (Cribl App for Splunk). | In/Out | 
| 10070 | TCP | TCP JSON data. | In | 
| 10080 | TCP | Collection from HTTP JSON Sources. | In | 
| 10200 | HTTP/S | Cribl HTTP Destination. | In | 
| 10300 | TCP | Cribl TCP Destination. | In | 
| 10420 | | criblstream Splunk search command to Cribl Stream (Cribl App for Splunk). | In/Out | 
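A Worker's listening sockets checked against the inbound ports planned from the tables above, as an added example (not Cribl code). The set of enabled Sources, the port 22 admin exception, and the sample `ss -H -tuln` output are assumptions constructed for illustration.

```python
import ipaddress

# Inbound listeners expected on this Worker: (protocol, port) -> purpose.
# Ports are defaults from the tables above; which Sources are enabled is
# an assumption made for this example.
EXPECTED_INBOUND = {
    ("tcp", 9000): "Cribl Stream UI",
    ("tcp", 8088): "Splunk HEC",
    ("tcp", 10070): "TCP JSON",
    ("udp", 9162): "SNMP Trap (preconfigured Source)",
}

# Constructed sample of `ss -H -tuln` output (not captured from a real host).
SAMPLE_SS = """\
udp   UNCONN 0 0    0.0.0.0:9162   0.0.0.0:*
tcp   LISTEN 0 511  0.0.0.0:9000   0.0.0.0:*
tcp   LISTEN 0 511  0.0.0.0:8088   0.0.0.0:*
tcp   LISTEN 0 511  0.0.0.0:9997   0.0.0.0:*
tcp   LISTEN 0 128  127.0.0.1:6010 0.0.0.0:*
tcp   LISTEN 0 128  [::]:22        [::]:*
"""

def parse_listeners(ss_output):
    """Yield (proto, ip, port) for each listening socket line."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        addr, _, port = fields[4].rpartition(":")
        addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets / zone id
        if addr == "*":
            addr = "::"  # ss prints * for a wildcard bind
        yield fields[0], ipaddress.ip_address(addr), int(port)

def audit(ss_output, expected=EXPECTED_INBOUND,
          admin_ports=frozenset({("tcp", 22)})):
    """Return (unexpected, missing) relative to the expected inbound set."""
    seen, unexpected = set(), set()
    for proto, ip, port in parse_listeners(ss_output):
        if ip.is_loopback:
            continue  # not reachable from the network
        seen.add((proto, port))
        if (proto, port) not in expected and (proto, port) not in admin_ports:
            unexpected.add((proto, port))
    return sorted(unexpected), sorted(set(expected) - seen)
```

An unexpected listener points to a Source that is enabled but was not planned for in the firewall policy; a missing one points to a Source that is disabled or bound to a non-default port.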
Cribl.Cloud Ports
Cribl.Cloud provides a set of ports linked to Sources enabled by default for your Workspace. To view them:
- From your Cribl.Cloud Organization’s top bar, select Products.
- Then from the sidebar, select Cribl > Workspace, and then Data Sources.
Additionally, Cribl.Cloud makes the 20000 – 20010 port range available for configuring other Sources.
| Available Ports | Protocol | Purpose | Direction | 
|---|---|---|---|
| 20000–20010 | TCP | Additional Sources in Cribl.Cloud. | In | 
No other ports can be opened for Cribl-managed Worker Groups in Cribl.Cloud.
Overriding Default Ports
You can override the Cribl Stream UI port (9000), as well as other settings, in the $CRIBL_HOME/local/cribl/cribl.yml configuration file.
The defaults are stored in $CRIBL_HOME/default/cribl/cribl.yml.