Does the Cribl Stream leader do anything on port 3128?
Sounds like a proxy?
Yeah, I'm pretty sure what we're seeing is the AWS Squid proxy. But our security guys are hunting down anything else that might be using that port.
I don't think Cribl uses that port by default; you must deliberately configure a proxy, i.e. for the Cribl telemetry endpoint or other external calls.
Got it, thanks.
Stream leader only uses 9000 and 4200 for inbound connections. See https://docs.cribl.io/stream/deploy-distributed#port-requirements