About management mode for the universal forwarder
The management mode feature for the universal forwarder is available for versions 9.1.0 and higher to improve security. You can control how CLI commands and local REST API calls communicate with the splunkd process through the management mode feature. You can configure how the universal forwarder communicates, either through Transmission Control Protocol (TCP) or Unix Domain Sockets (UDS). The default management mode is auto, which uses UDS if it is available on your operating system.
UDS-supported operating systems
UDS is available on the following operating systems:
- Linux
- macOS
- Windows Server 2019 and higher
- Windows 10 build 17063 and higher
For operating systems that don't support UDS, TCP is used instead.
Types of management modes
The following table lists the types of management modes:
| Mode | Function |
|---|---|
| auto | CLI commands and local REST API calls communicate with the splunkd process through UDS if UDS is supported. If UDS is not supported, TCP is used instead.
|
| tcp | CLI commands and local REST API calls communicate with the splunkd process through the management port bound to localhost.
|
| none | CLI commands and local REST API calls are restricted from communicating through the management port. |
Check and change your management mode
To check all applicable configurations in your management mode, run the following command:
./splunk btool server list --debug | egrep "disableDefaultPort|mgmtMode"
To change your management mode, follow these steps:
- Navigate to the server.conf file in the $SPLUNK_HOME/etc/system/local/ folder.
- Set the
mgmtModeparameter to your desired mode. - Restart the Splunk platform by running the
./splunk restartcommand.