Port Assignments
A list of ports, directions, and descriptions.
LogLogic LMI processes that do not require ports are listed in the LogLogic LMI Processes that do not Require Ports section.
LogLogic LMI Port Assignments - inbound
Inbound port assignments are listed in the following table.
Port | Socket Interface | Transport | Process Name | Description | LogLogic LMI or OS? |
---|---|---|---|---|---|
22 | all (IPv4) | tcp | sshd | CLI access for root/toor using Secure Shell (SSH) / TCP syslog and LLTCP with encryption. | OS |
80 | all (IPv6) | tcp | java(Tomcat) | HTTP access to the web GUI. Redirects to 443. | LogLogic LMI |
123 | all (IPv4), IPv6 local link | udp | ntpd | Network Time Protocol (NTP) service for using the appliance as a time source. | OS |
161 | all (IPv4) | udp | snmpd | Listens for poll requests by SNMP monitoring applications gathering SNMP-related info about appliance. | OS |
162 | all (IPv4) | udp | engine_trapcollector | To receive SNMP traps from log sources. | OS |
443 | all (IPv6) | tcp | java(Tomcat) | HTTPS access to the web GUI. | LogLogic LMI |
514 | all (IPv4) | udp | engine_collector | Receives syslog (UDP syslog) messages. | LogLogic LMI |
514, 6514 | all (IPv4) | tcp | engine_tcpcollector | Receives syslog (TCP syslog) messages and TLS syslog messages. | LogLogic LMI |
2055, 9555, 9995 | all | tcp | LogLogic LSP Collector | LogLogic LSP Collector for Netflow | LogLogic LMI |
3306 | all (IPv4) | tcp | mysqld | MySQL database. | LogLogic LMI |
4400 | all (IPv4) | tcp | engine_cluster_membership | Rsync replication failover service (receives connection from peer node) (HA mode only). | LogLogic LMI |
4433 | all (IPv4) | tcp | engine_http_collector | http-based log collection (Blue Coat, NetApp, and so on) | LogLogic LMI |
4433 | all (IPv6) | tcp | java (Tomcat) | Management station: Used to receive updates from a remote appliance | LogLogic LMI |
5514 | all (IPv4) | tcp | engine_rcollector | ULDP prior to LogLogic LMI 5.2 | LogLogic LMI |
5514 | all (IPv4) | tcp | engine_rcollector | LogLogic TCP-based message routing. | LogLogic LMI |
5515 | all (IPv4) | tcp | stunnel | Secure ULDP collection. | LogLogic LMI |
5516 | all (IPv4) | tcp | engine_uldpcollector | ULDP for LogLogic LMI 5.2 and later. | LogLogic LMI |
7000 - 8000 | localhost (IPv4 & v6) | tcp | ssh | Used as the tunnel mechanism by engine_stunnel for forwarding to downstream appliances when authentication and encryption are enabled. Four ports are used at a time. The specific 4 ports used increment each time when a particular tunnel is started so that there are no conflicts. The first port of the set is for forwarding syslog traffic, the second port is for http data, the third is for file data using rcollector and the fourth is for Check Point data. | LogLogic LMI |
8080 | all (IPv6) | tcp | java (Tomcat) | Provides a destination for web browser redirects during LogLogic LMI upgrade. | LogLogic LMI |
9013 | all (IPv6) | tcp | java | Used for listening by TIBCO eventdistributor client. | LogLogic LMI |
9680 | all | tcp | logu-web | Webapp service | LogLogic LMI |
9681 | all | tcp | logu-querynode | Query node REST service | LogLogic LMI |
9683 | all | tcp | logu-datanode | Data node REST service | LogLogic LMI |
11965 | default gw | tcp | ll_tunnel | Message forwarding when using LogLogic TCP with encryption. Note: This port is deprecated in favor of 5514/tcp without encryption and 22/tcp with encryption. | LogLogic LMI |
LogLogic LMI Port Assignments - bidirectional
Bidirectional port assignments are listed in the following table.
Port | Socket Interface | Transport | Process Name | Description | LogLogic LMI or OS? |
---|---|---|---|---|---|
9611 | all | tcp | logu-datanode | Data node ingest service | LogLogic LMI |
9620 | all | tcp | logu-querynode | Query node query service | LogLogic LMI |
9622 | all | tcp | logu-datanode | Data node streaming service | LogLogic LMI |
9626 | all | tcp | logu-aggregationnode | Aggregation node query service | LogLogic LMI |
9682 | all | tcp | logu-correlationnode | Correlation node REST service | LogLogic LMI |
9683 | all | tcp | logu-datanode | Distributed Advanced Search | LogLogic LMI |
9685 | all | tcp | logu-aggregationnode | Aggregation node REST service | LogLogic LMI |
9687 | all | tcp | logu-monitoringconsole | Monitoring console REST service | LogLogic LMI |
9688 | all | tcp | logu-monitoringconsole | Monitoring Console cluster service for the domain type LMI Domain | LogLogic LMI |
9690 - 9700 | all | tcp | logu-monitoringconsole | Recommended for use for additional domains in Monitoring Console | LogLogic LMI |
9880 | all | tcp | logu-web | WebApp HTTP: Redirect to HTTPS | LogLogic LMI |
LogLogic LMI Port Assignments - internal
Port | Socket Interface | Transport | Process Name | Description | LogLogic LMI or OS? |
---|---|---|---|---|---|
199 | localhost (IPv4) | tcp | snmpd | SNMP Unix Multiplexer. | OS |
768 | all (IPv4) | raw | engine_collector | Used for internal logging | LogLogic LMI |
768 | all (IPv4) | raw | engine_highpri_reader | Used for internal logging | LogLogic LMI |
768 | all (IPv4) | raw | engine_lx_scheduler | Used for internal logging | LogLogic LMI |
768 | all (IPv4) | raw | engine_lx_parser | Used for internal logging | LogLogic LMI |
768 | all (IPv4) | raw | engine_tcpcollector | Used for internal logging | LogLogic LMI |
768 | all (IPv4) | raw | engine_tcpforwarder | Used for internal logging | LogLogic LMI |
768 | all (IPv4) | raw | engine_trapcollector | Used for internal logging | LogLogic LMI |
768 | all (IPv4) | raw | engine_uldpcollector | Used for internal logging | LogLogic LMI |
1099 | all (IPv6) | tcp | java (LogLogic LSP) | Used for LogLogic LSP core communication to Java RMI registry. | LogLogic LMI |
1514 | all (IPv6) | udp | engine_collector | Used for logs with Domain ID | LogLogic LMI |
2098 | all (IPv6) | tcp | java (MC Agent) | Java RMI Registry service for Tomcat (only when MC Agent installed). | LogLogic LMI |
2099 | all (IPv6) | tcp | java (MC Agent) | Java instance listening for Shutdown/Reboot command (only when MC Agent installed). | LogLogic LMI |
2508 | all (IPv6) | tcp | java (MC Agent) | MCAgent | LogLogic LMI |
4401 | all (IPv4) | tcp | engine_cluster_membership | Cluster membership monitor (receives connection from cluster_membership and mysqld engines) (HA mode only). | LogLogic LMI |
8005 | localhost (IPv6) | tcp | java (Tomcat) | Tomcat administration port. | LogLogic LMI |
8180 | localhost (IPv6) | tcp | java (MC Agent) | SSH port for Karaf - (only when MC agent is installed). | LogLogic LMI |
9443 | all | tcp | java (Tomcat) | HTTPS Remote Control | LogLogic LMI |
9600 | all (IPv4) | tcp | llzk | Used by ZooKeeper for configuration of Advanced Features | LogLogic LMI |
9621 | all | tcp | logu-datanode | Data node query service | LogLogic LMI |
31000 | localhost (IPv6) | tcp | java (LogLogic LSP) | LogLogic LSP Core. | LogLogic LMI |
32000 | localhost | tcp | java (LogLogic LSP) | Wrapper binary for LogLogic LSP. | LogLogic LMI |
32001 | localhost | tcp | java (MC Agent) | Wrapper binary for MC Agent (only when MC Agent installed). | LogLogic LMI |
32768-61000 | all (IPv4) | udp | engine_archive | Performs archiving on LogLogic ST Appliances. | LogLogic LMI |
32768-61000 | all (IPv4) | udp | engine_collector | Manages real-time syslog collection | LogLogic LMI |
32768-61000 | all (IPv4) | udp | engine_filecollector | Manages file Xfer rules, deep parses file-based log data, assists with forwarding of file-data. | LogLogic LMI |
32768-61000 | all (IPv4) | udp | engine_highpri_reader | Handles message forwarding, search filter alerts (LogLogic LX Appliance only), real-time view feeds. | LogLogic LMI |
32768-61000 | all (IPv4) | udp | engine_lx_scheduler | Handles periodic tasks such as aggregation, cleanup, alerts. | LogLogic LMI |
32768-61000 | all (IPv4) | udp | engine_rsender | Handles forwarding when LogLogic TCP is used as the protocol. | LogLogic LMI |
32768-61000 | all (IPv4) | udp | engine_st_reporter | Handles regex searches. | LogLogic LMI |
32768-61000 | all (IPv4) | udp | engine_syslog | Replays /var/log/sys.log file back into UDP collector so we can parse our own syslog messages. | LogLogic LMI |
32768-61000 | all (IPv4) | udp | engine_sysmon | Monitors system and issues system alerts. Monitors memory, system load avg, # of zombie processes and logs to sys.log file every 5 minutes. | LogLogic LMI |
32768-61000 | all (IPv4) | udp | engine_tcpcollector | Involved in collection when using syslog-ng (TCP syslog). | LogLogic LMI |
32768-61000 | all (IPv4) | udp | engine_tcpforwarder | Used for internal logging | LogLogic LMI |
32768-61000 | all (IPv4) | udp | engine_trapcollector | Used for internal logging | LogLogic LMI |
32768-61000 | all (IPv4) | udp | engine_uldpcollector | Process and forward SNMP traps to remote hosts. | LogLogic LMI |
LogLogic LMI Outbound Port Assignments
Outbound port assignments are listed in the following table.
Dest Port | Socket Interface | Transport | Process Name | Description | LogLogic LMI or OS? |
---|---|---|---|---|---|
22 | default gateway | tcp | ssh | SSH-based backups | OS |
25 | default gateway | tcp | llmail, msmtp, or Tomcat | Sends emails to an SMTP server. The process used is dictated by what is being sent (alerts, reports, and so on). | LogLogic LMI |
49 | default gateway | tcp | java (Tomcat) | TACACS authentication (but no authorization) for users. | LogLogic LMI |
68 | all (IPv4) | udp | dhclient | Manages DHCP client IP settings. | LogLogic LMI |
88 | default gateway | udp | java (Tomcat) | Kerberos feature when using LDAP. | LogLogic LMI |
111 | default gateway | tcp | Sun RPC portmapper | LogLogic LMI NFS backups and archiving: mount command communicates to Sun RPC Port mapper to get port # for mountd (NFS v3 only) | OS |
111 | default gateway | udp | Sun RPC portmapper | LogLogic LMI NFS backups and archiving: mount command communicates to Sun RPC Port mapper to get port # for mountd (NFS v3 only) | OS |
123 | default gateway | udp | ntpd | Network Time Protocol (NTP) service for using the appliance as a time source. | OS |
389 | default gateway | tcp | java (Tomcat) | LDAP to Active Directory. | LogLogic LMI |
636 | default gateway | tcp | java (Tomcat) | LDAP to Active Directory. | LogLogic LMI |
>1023 | default gateway | tcp | various | Interact with multiple server daemons (statd, lockd, rquotad, mountd) for using NFS. | OS |
1433 | default gateway | tcp | java (LogLogic LSP) | Microsoft SQL Server JDBC or GDBC collection (with and without TLS enabled) | LogLogic LMI |
1521 | default gateway | tcp | java (LogLogic LSP) | Oracle Database JDBC or GDBC collection (when TLS is disabled) | LogLogic LMI |
1812 | default gateway | tcp | java (Tomcat) | RADIUS | LogLogic LMI |
2049 | default gateway | tcp | nfs | LogLogic LMI NFS (v3) backups and archiving: data transfer occurs using this port. v4 supported from version 6.2.0. v4 uses this port for mounting, locking, and data transfer. | OS |
2484 | default gateway | tcp | nfs | Oracle database GDBC collection (only when TLS is enabled) | OS |
2561 | default gateway | tcp | java (Hawk console node) | Hawk console to Hawk TCP daemon on agents | LogLogic LMI |
2581 | default gateway | tcp | java (Hawk console node) | Hawk console self host | LogLogic LMI |
3306 | default gateway | tcp | java (LogLogic LSP) | MySQL Database GDBC collection. | LogLogic LMI |
4433 | all (IPv4) | tcp | engine_http_collector | File-based message routing | LogLogic LMI |
4433 | all (IPv6) | tcp | java (Tomcat) | Management station: Used to send requests to a remote appliance. | LogLogic LMI |
7222 | default gateway | tcp | LLCollectors | TIBCO Enterprise Message Service™ collection (TLS disabled) | LogLogic LMI |
7243 | default gateway | tcp | LLCollectors | TIBCO Enterprise Message Service™ collection (TLS enabled) | LogLogic LMI |
9000 | all | tcp | engine_filecollector | Used by HDFS client to connect to HDFS cluster. See how to change the port number. | LogLogic LMI |
9092 | default gateway | tcp | LLCollectors | Apache Kafka (TLS disabled) | LogLogic LMI |
9093 | default gateway | tcp | LLCollectors | Apache Kafka (TLS enabled) | LogLogic LMI |
9600 | all (IPv4) | tcp | llzk | Used by ZooKeeper | LogLogic LMI |
18184 | default gateway | tcp | chkpt_agent | Used by LEA for log export from LEA server. | LogLogic LMI |
18190 | default gateway | tcp | chkpt_agent | Used by CheckPoint Mgmt Interface (CPMI) for communication between LogLogic LMI and Mgmt Module. | LogLogic LMI |
18210 | default gateway | tcp | chkpt_agent | Used by Secure Internal Communication (SIC) for pulling certificates from Mgmt Module. | LogLogic LMI |
32768-61000 | all (IPv4) | tcp | engine_tcpforwarder | Perform message routing when using syslog-ng (TCP syslog). | LogLogic LMI |
dynamic port | default gateway | tcp | rpc.mountd | NFS sharing: port used by the mount command over TCP outbound to an NFS server | OS |
dynamic port | default gateway | tcp | NFS client | NFS file sharing: used for file locking | OS |
dynamic port | default gateway | udp | NFS client | Used by NFS v3 to access the rpc.mountd service on the NFS server for performing the actual mount operation | OS |
dynamic port | default gateway | udp | NFS client | Used by NFS v3 to access the rpc.lockd service on the NFS server to acquire a file lock when accessing archived data | OS |
LogLogic LMI Processes that do not Require Ports
The following LogLogic LMI processes do not need to bind to any port for accepting data from other components.
Process | Description |
---|---|
engine_alerting | Manages some types of alerts such as baseline ratio-based, message rate alerts, and so on |
engine_backup | Mirrors the existing data stores (MySQL database, raw logs in /loglogic/data/vol1, system configuration files) to a remote host. |
engine_cluster_monitor | Monitors the replication of data and the replication configuration, and restarts it if it does not respond. |
engine_mysqld | Monitors mysqld and restarts it if it does not respond |
engine_ntp | Monitors ntp and restarts it if it does not respond. |
engine_tcp_scheduler | Monitors the data files created by engine_rsender in /loglogic/data/rsender/ready so they can be transmitted to their destination. |
ll_opsec_manager | Manages OPSEC suite of protocols for Check Point log sources. Uses chkpt_agent for the actual work and manages the startup and shutdown of those agent processes. |