Ports
Cribl Stream requires certain ports to be open, and additional ports are needed if you intend to use specific integrations or options to work.
Leader
In a Distributed deployment, the following ports must be open on the Leader Node. Ensure that the Leader is reachable on those ports from all Workers.
In High Availability Leader proxy mode, UI/API traffic on port 9000 can be routed to either Leader; the standby transparently proxies requests to the elected primary Leader. For details, see Active-Active (Proxy) Mode for HA Leaders.
| Default Port | Protocol | Purpose | Direction |
|---|---|---|---|
9000 | HTTP/S | Cribl Stream UI. | In |
9000 | HTTP/S | Bootstrapping Worker Nodes from Leader (on-prem). | In |
443 | HTTP/S | Bootstrapping Worker Nodes from Leader (Cribl.Cloud). | In |
4200 | TCP | Heartbeat/Metrics/Leader requests/notifications to clients (for example: live captures, teleporting, status updates, config bundle notifications, and so on). This traffic is separate from the Notifications feature and its external Notification targets such as email, PagerDuty, Slack, webhooks, or AWS SNS. | In |
4200 | HTTP/S | Software upgrade (via path, not CDN). | In |
If you want to use proxy for communication between Leader and Worker Nodes, use SOCKS proxy instead of HTTP/S. You need to use SOCKS proxy, because HTTP/S proxies typically don’t support raw TCP sockets that Leader-Worker communication uses.
External Notification targets: If you configure external Notification targets (for example, email, PagerDuty, webhooks, Slack, or AWS SNS), the Leader must be able to initiate outbound network connections to those services. Ensure your firewall rules allow outbound traffic from the Leader to each target endpoint over the ports and protocols required by that service (commonly HTTPS/443, or SMTP ports for email). Because these ports are target-specific, they are not listed individually here.
Outpost
The following port is used by Cribl Outpost.
| Default Port | Protocol | Purpose | Direction |
|---|---|---|---|
9000 | TCP | Cribl Outpost UI. Login is disabled, but the Health endpoint is available. | In |
4200 | TCP | Communication between the Outpost and the Leader. | Out |
Workers
The following ports are used by Worker Nodes.
| Default Port | Protocol | Purpose | Direction |
|---|---|---|---|
9000 | TCP | Cribl Stream UI. | In |
9000 | HTTP/S | Communication with the Leader for bootstrapping (on-prem). | Out |
443 | HTTP/S | Communication with the Leader for bootstrapping (hybrid deployment), and with https://cdn.cribl.io to download configurations from CDN. | Out |
4200 | TCP | Heartbeat/Metrics/Leader requests/notifications to clients (for example: live captures, teleporting, status updates, config bundle notifications, and so on). | Out |
4200 | HTTP/S | Config bundle downloads from the Leader. | Out |
Other Ports
This section lists port allocations for specific transport protocols and other special purposes.
Common Ports
| Default Port | Protocol | Purpose | Direction |
|---|---|---|---|
53 | UDP | DNS lookups. | Out |
389 | TCP | LDAP Auth (non-TLS). | Out |
443 | HTTP/S | OIDC Auth (TLS); and Cribl Lake Destination on hybrid Worker Groups that you manage. | Out |
636 | TCP | LDAP Auth (TLS). | Out |
9002 | TCP | Browser access to the identity server when using Personal Identity Verification (PIV) authentication. | In |
Integrations and Apps
Integrations with specific services, via Sources and Destinations or apps, might require opening dedicated ports on Worker Nodes.
The defaults are listed below. When configuring most Sources or Destinations, you can choose a different port. However, on hybrid Worker Groups that you manage, the Cribl Lake Destination is hard-coded to send outbound HTTP/S traffic through port 443.
| Default Port | Protocol | Purpose | Direction |
|---|---|---|---|
162 | UDP | SNMP Trap collection (non-TLS). The preconfigured SNMP Trap Source listens on port 9162. | In |
162 | UDP | SNMP Trap Destination (non-TLS). | Out |
443 | HTTP/S | Collection from and output to multiple HTTPS-based Sources and Destinations. | In/Out |
4317 | TCP | Collection from OpenTelemetry. | In |
5986 | HTTP/S | Windows Event Forwarder Source. | In |
8081 | TCP | Kafka Schema Registry. | Out |
8088 | TCP | Splunk HEC input and output. | In/Out |
8089 | TCP | Splunk Search. | In |
8125 | TCP/UDP | Output to StatsD, StatsD Extended, and Graphite (non-TLS). | Out |
9090 | TCP | Collection/discovery from Prometheus Scraper. | Out |
9092 | TCP | Collection from Confluent Cloud or Kafka, used when no port is provided. | Out |
9092 | TCP | Output to Confluent Cloud or Kafka, used when no port is provided. | Out |
9093 | TCP | Output to Azure Event Hubs. | Out |
9200 | HTTP/S | Elasticsearch API Source. | In |
9514 | TCP/UDP | Syslog Source. | In |
9997 | TCP | Splunk TCP Source. | Out |
10000 | Splunk to Cribl Stream data port (Cribl App for Splunk). | In/Out | |
10060 | TCP | TCP (Raw) data. | In |
10070 | TCP | TCP JSON data. | In |
10080 | TCP | Collection from HTTP JSON Sources. | In |
10200 | HTTP/S | Cribl HTTP Destination. | In |
10300 | TCP | Cribl TCP Destination. | In |
10420 | | criblstream Splunk search command to Cribl Stream (Cribl App for Splunk). | In/Out |
Cribl.Cloud Ports
Cribl.Cloud provides a set of ports linked to Sources enabled by default for your Workspace. To view them:
- From your Cribl.Cloud Organization’s top bar, select Products.
- Then from the sidebar, select Cribl > Workspace, and then Data Sources.
Additionally, Cribl.Cloud makes the 20000 - 20010 port range available for configuring other Sources.
| Available Ports | Protocol | Purpose | Direction |
|---|---|---|---|
443 | TCP | Mapped to 10443 internally. Pre-configured for Amazon Data Firehose, but can be reused for other TCP-based services. | In |
20000 - 20010 | TCP | Additional Sources in Cribl.Cloud. | In |
Reusing Port 443 for Other Services
External port 443 is transparently mapped by the load balancer to internal port 10443 on the Worker Group. While this port is pre-configured for Amazon Data Firehose by default, you can reuse it for other TCP-based services that require port 443 (such as DocuSign).
To use port 443 for a different service:
- Configure a Source to listen on port
10443internally. - External clients connect to your Cribl.Cloud endpoint on port
443, which the load balancer routes to port10443on the Worker.
If you’re already using Amazon Data Firehose on this port, you can still receive data from other services by differentiating traffic using a pre-processing Pipeline. For example, check for the presence of __firehose* fields or inspect __headers to identify the data Source.
No other custom ports can be opened for Cribl-managed Worker Groups in Cribl.Cloud beyond port
443and ports20000-20010.
Cribl Copilot Port
To use Cribl Copilot, your Cribl Stream deployment must be able to establish a connection to ai.cribl.cloud on port 443.
Overriding Default Ports
You can override the Cribl Stream UI port (9000), as well as other settings,
in the $CRIBL_HOME/local/cribl/cribl.yml configuration file.
The defaults are stored in $CRIBL_HOME/default/cribl/cribl.yml.