On Fri, 2018-09-07 at 09:20 -0400, Jonathan Billings wrote:
[root@bedrock ~]# netstat --listen --inet --program --numeric | grep syslog
udp 0 0 0.0.0.0:51427 0.0.0.0:* 66655/rsyslogd
The 51427 is the ephemeral port on the client side of the UDP session. You can verify this by running tcpdump to capture traffic when a syslog message is passed.
Thanks, I was suspecting something like this as the only way to make that port disappear was to disable remote logging.
I suspect it's part of the UDP handshake that rsyslog uses for sending syslogs, but I'm not familiar enough with how it works to say definitively.
It was puzzling because I can't find any reference to this behavior in any documentation.
Since it's UDP, it's a sessionless protocol, so it's not strictly LISTENing, but with ss you can see it's UNCONN, which other daemons that *are* listening for UDP traffic also report.
Right, distinguishing between the listening and open in UDP is always somewhere between tedious and impossible. Perhaps I should investigate logging over TCP! :)
Anyway, I have something to write in the report now.
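
Added example, not part of the original thread: a Linux-only Python sketch that sends one datagram the way a UDP log forwarder would and then looks up the sending socket in /proc/net/udp, showing why a send-only socket appears under a --listen filter. It assumes an unconnected socket using sendto(), which is consistent with the 0.0.0.0:* foreign address in the output above; the destination 127.0.0.1:514 and the function names are constructed for illustration.

```python
import socket

UNCONN = "07"  # kernel state TCP_CLOSE; ss prints this as UNCONN for UDP sockets


def proc_udp_row(port, path="/proc/net/udp"):
    """Return the /proc/net/udp entry bound to 0.0.0.0:<port>, or None if absent."""
    try:
        with open(path) as fh:
            next(fh)  # skip the column header line
            for line in fh:
                fields = line.split()
                local, remote, state = fields[1], fields[2], fields[3]
                addr_hex, port_hex = local.split(":")
                if addr_hex == "00000000" and int(port_hex, 16) == port:
                    return {"local": local, "remote": remote, "state": state}
    except (OSError, StopIteration):
        pass  # /proc not readable or empty (e.g. non-Linux host)
    return None


def send_like_forwarder(dest=("127.0.0.1", 514)):
    """Send one datagram without bind() or connect(); report the socket's addresses."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        before = s.getsockname()          # unbound: ('0.0.0.0', 0)
        s.sendto(b"<14>constructed test message", dest)
        after = s.getsockname()           # kernel auto-bound an ephemeral port
        row = proc_udp_row(after[1])      # look it up while the socket is still open
    return before, after, row


if __name__ == "__main__":
    before, after, row = send_like_forwarder()
    print("before send:", before)
    print("after send: ", after)
    if row is not None:
        label = "UNCONN" if row["state"] == UNCONN else row["state"]
        print("kernel view: local=%s remote=%s state=%s"
              % (row["local"], row["remote"], label))
```

The kernel entry for this send-only socket has the same shape as one belonging to a daemon that called bind() to receive traffic, which is why netstat and ss cannot tell the two apart.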