[CentOS] rsyslog listening on high port

Fri Sep 7 10:32:57 UTC 2018
Adam Tauno Williams <awilliam at whitemice.org>

On Thu, 2018-09-06 at 15:10 -0400, Mike Burger wrote:
> On 2018-09-06 14:06, Adam Tauno Williams wrote:
> > Attempting to look up why rsyslogd is listening on the high port
> > UDP/51427. Have not succeeded in finding what this port is used for
> > and what directive controls what interface it binds to.
> > [root at bedrock ~]# netstat --listen --inet --program --numeric |
> > grep syslog
> > udp  0  0 0.0.0.0:51427  0.0.0.0:*   66655/rsyslogd 
> You might want to try running:
> lsof -i -P | grep LISTEN | grep :51427
> to determine what process is actually listening to that port.

That is what is strange;  lsof does *not* see the port as listening,
but it is visible if I search by inode [and it is clearly rsyslogd -
but I cannot find any documentation indicating what this is].

[root at bedrock ~]# netstat --inet --program --numeric --listen | grep syslog
udp        0      0 0.0.0.0:51427           0.0.0.0:*        66655/rsyslogd
[root at bedrock ~]# lsof -i -P | grep LISTEN 
rpcbind     810      rpc    8u  IPv4   19806      0t0  TCP *:111 (LISTEN)
rpcbind     810      rpc   11u  IPv6   19809      0t0  TCP *:111 (LISTEN)
sshd       1156     root    3u  IPv4   23045      0t0  TCP *:22 (LISTEN)
sshd       1156     root    4u  IPv6   23047      0t0  TCP *:22 (LISTEN)
snmpd      1158     root    8u  IPv4   26937      0t0  TCP localhost:199 (LISTEN)
rpc.statd  1196  rpcuser    9u  IPv4   24024      0t0  TCP *:662 (LISTEN)
rpc.statd  1196  rpcuser   11u  IPv6   24030      0t0  TCP *:662 (LISTEN)
avagent.b  1431     root    4u  IPv6   26892      0t0  TCP *:28002 (LISTEN)
avagent.b  1431     root    6u  IPv6   28867      0t0  TCP localhost:38061 (LISTEN)
master     1535     root   13u  IPv4   26579      0t0  TCP localhost:25 (LISTEN)
master     1535     root   14u  IPv6   26580      0t0  TCP localhost:25 (LISTEN)
smbd       1663     root   35u  IPv6   28676      0t0  TCP *:445 (LISTEN)
smbd       1663     root   36u  IPv4   28677      0t0  TCP *:445 (LISTEN)
[root at bedrock ~]# netstat -e --inet --program --numeric --listen | grep syslog
udp        0      0 0.0.0.0:51427           0.0.0.0:*   0    5032773    66655/rsyslogd
[root at bedrock ~]# lsof | awk 'NR==1 || /5032773/'
COMMAND     PID   TID     USER   FD   TYPE        DEVICE  SIZE/OFF  NODE NAME
rsyslogd  66655           root    4u  IPv4       5032773       0t0  UDP *:51427 
in:imjour 66655 66657     root    4u  IPv4       5032773       0t0  UDP *:51427 
rs:main   66655 66658     root    4u  IPv4       5032773       0t0  UDP *:51427 

The port is closed on the firewall; but I file a report which includes
every listening port and its justification.

NOTE: rsyslog exhibits this behavior on every CentOS6 & CentOS7 host.
And all our hosts log via rsyslogd via UDP/514 to a central NMS with a
syslog receiver.


-- 
Adam Tauno Williams <mailto:awilliam at whitemice.org> GPG D95ED383
OpenGroupware Developer <http://www.opengroupware.us/>
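
The inode lookup shown in the message above, as an added example that is not part of the original post: it reads a /proc/net/udp style table and matches socket inodes against /proc/<pid>/fd links, the same kernel data netstat and lsof report. The sample table is constructed from the port and inode in the post; the function names are illustrative and a little-endian host is assumed.

```python
# Added example (not from the original post): find UDP sockets and their owners by inode.
import glob
import os
import socket
import struct

# Constructed sample in /proc/net/udp layout, using the port and inode from the post.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  101: 00000000:C8E3 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 5032773 2 0000000000000000 0
  102: 0100007F:0143 0100007F:D431 01 00000000:00000000 00:00000000 00000000     0        0 41000 2 0000000000000000 0
"""

def parse_udp_table(text):
    """Return unconnected UDP sockets as (ip, port, inode) tuples."""
    found = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 10:
            continue
        addr_hex, port_hex = f[1].split(":")
        # Assumption: little-endian host, so the IPv4 word is byte-swapped in the file.
        ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        # State 07 is what the kernel reports for an unconnected UDP socket.
        # UDP has no LISTEN state, so "lsof -i | grep LISTEN" never matches it.
        if f[3] == "07":
            found.append((ip, int(port_hex, 16), int(f[9])))
    return found

def pids_for_inode(inode, proc_root="/proc"):
    """PIDs holding a descriptor for socket:[inode]; run as root to see all processes."""
    target = "socket:[%d]" % inode
    pids = set()
    for fd in glob.glob(os.path.join(proc_root, "[0-9]*", "fd", "*")):
        try:
            if os.readlink(fd) == target:
                pids.add(int(fd.split(os.sep)[-3]))
        except OSError:
            continue                            # fd closed meanwhile or permission denied
    return sorted(pids)

if __name__ == "__main__":
    # On a live host, pass open("/proc/net/udp").read() instead of the sample.
    for ip, port, inode in parse_udp_table(SAMPLE_PROC_NET_UDP):
        print("%s:%d inode=%d pids=%s" % (ip, port, inode, pids_for_inode(inode)))
```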