Port Assignments

A list of ports, directions, and description.

This section includes a list of ports:

LogLogic LMI processes that do not require ports are listed in the LogLogic LMI Processes that do not Require Ports section.

LogLogic LMI Port Assignments - inbound

Inbound port assignments are listed in the following table.

Port Socket Interface Transport Process Name Description LogLogic LMI or OS?
22 all (IPv4) tcp sshd CLI access for root/toor using Secure Shell (SSH) / TCP syslog and LLTCP with encryption. OS
80 all (IPv6) tcp java(Tomcat) HTTP access to the web GUI. Redirects to 443. LogLogic LMI
123 all (IPv4)

IPv6 local link

udp ntpd Network Time Protocol (NTP) service for using the appliance as a time source. OS
161 all (IPv4) udp snmpd Listens for poll requests by SNMP monitoring applications gathering SNMP-related info about appliance. OS
162 all (IPv4) udp engine_​trapcollector To receive SNMP traps from log sources. OS
443 all (IPv6) tcp java(Tomcat) HTTPS access to the web GUI. LogLogic LMI
514 all (IPv4) udp engine_collector Receives syslog (UDP syslog) messages. LogLogic LMI
514, 6514 all (IPv4) tcp engine_tcpcollector Receives syslog (TCP syslog) messages and TLS syslog messages. LogLogic LMI
2055

9555

9995

all tcp LogLogic LSP Collector LogLogic LSP Collector for Netflow LogLogic LMI
3306 all (IPv4) tcp mysqld MySQL database. LogLogic LMI
4400 all (IPv4) tcp engine_cluster_​​membership Rsync replication failover service (receives connection from peer node) (HA mode only). LogLogic LMI
4433 all (IPv4) tcp engine_http_​​collector http-based log collection (Blue Coat, NetApp, and so on) LogLogic LMI
4433 all (IPv6) tcp java (Tomcat) Management station: Used to receive updates from a remote appliance LogLogic LMI
5514 all (IPv4) tcp engine_rcollector ULDP prior to LogLogic LMI 5.2 LogLogic LMI
5514 all (IPv4) tcp engine_rcollector LogLogic TCP-based message routing. LogLogic LMI
5515 all (IPv4) tcp stunnel Secure ULDP collection. LogLogic LMI
5516 all (IPv4) tcp engine_​​uldpcollector ULDP for LogLogic LMI 5.2 and later. LogLogic LMI
7000 - 8000 localhost

(IPv4 & v6)

tcp ssh Used as the tunnel mechanism by engine_stunnel for forwarding to downstream appliances when authentication and encryption are enabled. Four ports are used at a time. The specific 4 ports used increment each time when a particular tunnel is started so that there are no conflicts. The first port of the set is for forwarding syslog traffic, the second port is for http data, the third is for file data using rcollector and the fourth is for Check Point data. LogLogic LMI
8080 all (IPv6) tcp java (Tomcat) Provides a destination for web browser redirects during LogLogic LMI upgrade. LogLogic LMI
9013 all (IPv6) tcp java Used for listening by TIBCO eventdistributor client. LogLogic LMI
9680 all tcp logu-web Webapp service LogLogic LMI
9681 all tcp logu-querynode Query node REST service LogLogic LMI
9683 all tcp logu-datanode Data node REST service LogLogic LMI
11965 default gw tcp ll_tunnel Message forwarding when using LogLogic TCP with encryption.

Note: This is deprecated for 5514/tcp w/o encryption and 22/tcp with encryption.

LogLogic LMI

LogLogic LMI Port Assignments - bidirectional

Bidirectional port assignments are listed in the following table.

Port Socket Interface Transport Process Name Description LogLogic LMI or OS?
9611 all tcp logu-datanode Data node ingest service LogLogic LMI
9620 all tcp logu-querynode Query node query service LogLogic LMI
9622 all tcp logu-datanode Data node streaming service LogLogic LMI
9626 all tcp logu-aggregationnode Aggregation node query service LogLogic LMI
9682 all tcp logu-correlationnode Correlation node REST service LogLogic LMI
9683 all tcp logu-datanode Distributed Advanced Search LogLogic LMI
9685 all tcp logu-aggregationnode Aggregation node REST service LogLogic LMI
9687 all tcp logu-monitoringconsole Monitoring console REST service LogLogic LMI
9688 all tcp logu-monitoringconsole Monitoring Console cluster service for the domain type LMI Domain LogLogic LMI
9690 - 9700 all tcp logu-monitoringconsole Recommended for use for additional domains in Monitoring Console LogLogic LMI
9880 all tcp logu-web WebApp HTTP: Redirect to HTTPS LogLogic LMI

LogLogic LMI Port Assignments - internal

Port Socket Interface Transport Process Name Description LogLogic LMI or OS?
199 localhost (IPv4) tcp snmpd SNMP Unix Multiplexer. OS
768 all (IPv4) raw engine_collector Used for internal logging LogLogic LMI
768 all (IPv4) raw engine_highpri_​reader Used for internal logging LogLogic LMI
768 all (IPv4) raw engine_lx_​scheduler Used for internal logging LogLogic LMI
768 all (IPv4) raw engine_lx_parser Used for internal logging LogLogic LMI
768 all (IPv4) raw engine_tcpcollector Used for internal logging LogLogic LMI
768 all (IPv4) raw engine_​tcpforwarder Used for internal logging LogLogic LMI
768 all (IPv4) raw engine_​trapcollector Used for internal logging LogLogic LMI
768 all (IPv4) raw engine_​uldpcollector Used for internal logging LogLogic LMI
1099 all (IPv6) tcp java (LogLogic LSP) Used for LogLogic LSP core communication to Java RMI registry. LogLogic LMI
1514 all (IPv6) udp engine_collector Used for logs with Domain ID LogLogic LMI
2098 all (IPv6) tcp java (MC Agent) Java RMI Registry service for Tomcat (only when MC Agent installed). LogLogic LMI
2099 all (IPv6) tcp java (MC Agent) Java instance listening for Shutdown/Reboot command (only when MC Agent installed). LogLogic LMI
2508 all (IPv6) tcp java (MC Agent) MCAgent LogLogic LMI
4401 all (IPv4) tcp engine_cluster_​​membership Cluster membership monitor (receives connection from cluster_membership and mysqld engines) (HA mode only). LogLogic LMI
8005 localhost (IPv6) tcp java (Tomcat) Tomcat administration port. LogLogic LMI
8180 localhost (IPv6) tcp java (MC Agent) SSH port for Karaf - (only when MC agent is installed). LogLogic LMI
9443 all tcp java (Tomcat) HTTPS Remote Control LogLogic LMI
9600 all (IPv4) tcp llzk Used by zookeper for configuration of Advanced Features LogLogic LMI
9621 all tcp logu-datanode Data node query service LogLogic LMI
31000 localhost (IPv6) tcp java (LogLogic LSP) LogLogic LSP Core. LogLogic LMI
32000 localhost tcp java (LogLogic LSP) Wrapper binary for LogLogic LSP. LogLogic LMI
32001 localhost tcp java (MC Agent) Wrapper binary for MC Agent (only when MC Agent installed). LogLogic LMI
32768-61000 all (IPv4) udp engine_archive Performs archiving on LogLogic ST Appliances. LogLogic LMI
32768-61000 all (IPv4) udp engine_collector Manages real-time syslog collection LogLogic LMI
32768-61000 all (IPv4) udp engine_filecollector Manages file Xfer rules, deep parses file-based log data, assists with forwarding of file-data. LogLogic LMI
32768-61000 all (IPv4) udp engine_highpri_​reader Handles message forwarding, search filter alerts (LogLogic LX Appliance only), real-time view feeds. LogLogic LMI
32768-61000 all (IPv4) udp engine_lx_​scheduler Handles periodic tasks such as aggregation, cleanup, alerts. LogLogic LMI
32768-61000 all (IPv4) udp engine_rsender Handles forwarding when LogLogic TCP is used as the protocol. LogLogic LMI
32768-61000 all (IPv4) udp engine_st_reporter Handles regex searches. LogLogic LMI
32768-61000 all (IPv4) udp engine_syslog Replays /var/log/sys.log file back into UDP collector so we can parse our own syslog messages. LogLogic LMI
32768-61000 all (IPv4) udp engine_sysmon Monitors system and issues system alerts. Monitors memory, system load avg, # of zombie processes and logs to sys.log file every 5 minutes. LogLogic LMI
32768-61000 all (IPv4) udp engine_tcpcollector Involved in collection when using syslog-ng (TCP syslog). LogLogic LMI
32768-61000 all (IPv4) udp engine_​tcpforwarder Used for internal logging LogLogic LMI
32768-61000 all (IPv4) udp engine_​trapcollector Used for internal logging LogLogic LMI
32768-61000 all (IPv4) udp engine_​uldpcollector Process and forward SNMP traps to remote hosts. LogLogic LMI

LogLogic LMI Outbound Port Assignments

Outbound port assignments are listed in the following table.

Dest Port Socket Interface Transport Process Name Description LogLogic LMI or OS?
22 default gateway tcp ssh SSH-based backups OS
25 default gateway tcp llmail, msmtp, or Tomcat Sends emails to an SMTP server. The process used is dictated by what is being sent (alerts, reports, and so on). LogLogic LMI
49 default gateway tcp java (Tomcat) TACACS authentication (but no authorization) for users. LogLogic LMI
68 all (IPv4) udp dhclient Manages DHCP client IP settings. LogLogic LMI
88 default gateway udp java (Tomcat) Kerberos feature when using LDAP. LogLogic LMI
111 default gateway tcp Sun RPC portmapper LogLogic LMI NFS backups and archiving: mount command communicates to Sun RPC Port mapper to get port # for mountd (NFS v3 only) OS
111 default gateway udp Sun RPC portmapper LogLogic LMI NFS backups and archiving: mount command communicates to Sun RPC Port mapper to get port # for mountd (NFS v3 only) OS
123 default gateway udp ntpd Network Time Protocol (NTP) service for using the appliance as a time source. OS
389 default gateway tcp java (Tomcat) LDAP to Active Directory. LogLogic LMI
636 default gateway tcp java (Tomcat) LDAP to Active Directory. LogLogic LMI
>1023 default gateway tcp various Interact with multiple server daemons (statd, lockd, rquotad, mountd) for using NFS. OS
1433 default gateway tcp java (LogLogic LSP) Microsoft SQL Server JDBC or GDBC collection (with and without TLS enabled) LogLogic LMI
1521 default gateway tcp java (LogLogic LSP) Oracle Database JDBC or GDBC collection (when TLS is disabled) LogLogic LMI
1812 default gateway tcp java (Tomcat) RADIUS LogLogic LMI
2049 default gateway tcp nfs LogLogic LMI NFS (v3) backups and archiving: data transfer occurs using this port.

v4 supported from version 6.2.0. v4 uses this port for mounting, locking, and data transfer.

OS
2484 default gateway tcp nfs Oracle database GDBC collection (only when TLS is enabled) OS
2561 default gateway tcp java (Hawk console node) Hawk console to Hawk TCP daemon on agents LogLogic LMI
2581 default gateway tcp java (Hawk console node) Hawk console self host LogLogic LMI
3306 default gateway tcp java (LogLogic LSP) MySQL Database GDBC collection. LogLogic LMI
4433 all (IPv4) tcp engine_http_​​collector File-based message routing LogLogic LMI
4433 all (IPv6) tcp java (Tomcat) Management station: Used to send requests to a remote appliance. LogLogic LMI
7222 default gateway tcp LLCollectors TIBCO Enterprise Message Service™ collection (TLS disabled) LogLogic LMI
7243 default gateway tcp LLCollectors TIBCO Enterprise Message Service™ collection (TLS enabled) LogLogic LMI
9000 all tcp engine_​filecollector Used by HDFS client to connect to HDFS cluster. See how to change the port number. LogLogic LMI
9092 default gateway tcp LLCollectors Apache Kafka (TLS disabled) LogLogic LMI
9093 default gateway tcp LLCollectors Apache Kafka (TLS enabled) LogLogic LMI
9600 all (IPv4) tcp llzk Used by ZooKeeper LogLogic LMI
18184 default gateway tcp chkpt_agent Used by LEA for log export from LEA server. LogLogic LMI
18190 default gateway tcp chkpt_agent Used by CheckPoint Mgmt Interface (CPMI) for communication between LogLogic LMI and Mgmt Module. LogLogic LMI
18210 default gateway tcp chkpt_agent Used by Secure Internal Communication (SIC) for pulling certificates from Mgmt Module. LogLogic LMI
32768-61000 all (IPv4) tcp engine_​tcpforwarder Perform message routing when using syslog-ng (TCP syslog). LogLogic LMI
dynamic port default gateway tcp rpc.mountd NFS sharing: port used by the mount command over TCP outbound to an NFS server OS
dynamic port default gateway tcp NFS client NFS file sharing: used for file locking OS
dynamic port default gateway udp NFS client Used by NFS v3 to access the rpc.mountd service on the NFS server for performing the actual mount operation OS
dynamic port default gateway udp NFS client Used by NFS v3 to access the rpc.lockd service on the NFS server to acquire a file lock when accessing archived data OS

LogLogic LMI Processes that do not Require Ports

The following LogLogic LMI processes do not need to bind to any port for accepting data from other components.

Process Description
engine_alerting Manages some types of alerts such as baseline ratio-based, message rate alerts, and so on
engine_backup Mirrors the existing data stores (MySQL database, raw logs in /loglogic/data/vol1, system configuration files) to a remote host.
engine_cluster_monitor Monitors the replication of data and the replication configuration, and restarts it if it does not respond.
engine_mysqld Monitors mysqld and restarts it if it does not respond
engine_ntp Monitors ntp and restarts it if it does not respond.
engine_tcp_scheduler Monitors the data files created by engine_rsender in /loglogic/data/rsender/ready so they can be transmitted to their destination.
ll_opsec_manager Manages OPSEC suite of protocols for Check Point log sources. Uses chkpt_agent for the actual work and manages the startup and shutdown of those agent processes.