On Thu, 2018-09-06 at 15:10 -0400, Mike Burger wrote:
> On 2018-09-06 14:06, Adam Tauno Williams wrote:
> > Attempting to look up why rsyslogd is listening on the high port
> > UDP/51427. Have not succeeded in what this port is used for and
> > what directive controls what interface it binds to.
> > [root at bedrock ~]# netstat --listen --inet --program --numeric | grep syslog
> > udp 0 0 0.0.0.0:51427 0.0.0.0:* 66655/rsyslogd
> You might want to try running:
> lsof -i -P | grep LISTEN | grep :51427
> to determine what process is actually listening to that port.

That is what is strange; lsof does *not* see the port as listening, but
it is visible if I search by inode [and it is clearly rsyslogd - but I
cannot find any documentation indicating what this is].

[root at bedrock ~]# netstat --inet --program --numeric --listen | grep syslog
udp 0 0 0.0.0.0:51427 0.0.0.0:* 66655/rsyslogd

[root at bedrock ~]# lsof -i -P | grep LISTEN
rpcbind 810 rpc 8u IPv4 19806 0t0 TCP *:111 (LISTEN)
rpcbind 810 rpc 11u IPv6 19809 0t0 TCP *:111 (LISTEN)
sshd 1156 root 3u IPv4 23045 0t0 TCP *:22 (LISTEN)
sshd 1156 root 4u IPv6 23047 0t0 TCP *:22 (LISTEN)
snmpd 1158 root 8u IPv4 26937 0t0 TCP localhost:199 (LISTEN)
rpc.statd 1196 rpcuser 9u IPv4 24024 0t0 TCP *:662 (LISTEN)
rpc.statd 1196 rpcuser 11u IPv6 24030 0t0 TCP *:662 (LISTEN)
avagent.b 1431 root 4u IPv6 26892 0t0 TCP *:28002 (LISTEN)
avagent.b 1431 root 6u IPv6 28867 0t0 TCP localhost:38061 (LISTEN)
master 1535 root 13u IPv4 26579 0t0 TCP localhost:25 (LISTEN)
master 1535 root 14u IPv6 26580 0t0 TCP localhost:25 (LISTEN)
smbd 1663 root 35u IPv6 28676 0t0 TCP *:445 (LISTEN)
smbd 1663 root 36u IPv4 28677 0t0 TCP *:445 (LISTEN)

[root at bedrock ~]# netstat -e --inet --program --numeric --listen | grep syslog
udp 0 0 0.0.0.0:51427 0.0.0.0:* 0 5032773 66655/rsyslogd

[root at bedrock ~]# lsof | awk 'NR==1 || /5032773/'
COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rsyslogd 66655 root 4u IPv4 5032773 0t0 UDP *:51427
in:imjour 66655 66657 root 4u IPv4 5032773 0t0 UDP *:51427
rs:main 66655 66658 root 4u IPv4 5032773 0t0 UDP *:51427

The port is closed on the firewall; but I file a report which includes
every listening port and its justification.

NOTE: rsyslog exhibits this behavior on every CentOS6 & CentOS7 host.
And all our hosts log via rsyslogd via UDP/514 to a central NMS with a
syslog receiver.

--
Adam Tauno Williams <mailto:awilliam at whitemice.org> GPG D95ED383
OpenGroupware Developer <http://www.opengroupware.us/>
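
The inode lookup shown in the message above, done directly against procfs, as an added example that is not part of the original thread. UDP sockets have no LISTEN state, so a `grep LISTEN` filter on lsof output never matches them; the sample rows are constructed (port and inode copied from the post), and the function names are this example's own.

```python
import os
import socket
import struct

# Constructed sample in /proc/net/udp layout; port and inode match the post.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   12: 00000000:C8E3 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 5032773 2 0000000000000000 0
   40: 0100007F:00A1 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 26940 2 0000000000000000 0
"""

def parse_proc_net_udp(text):
    """Decode each socket row: local IPv4 address, port, state, uid, inode."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 10:
            continue
        ip_hex, port_hex = f[1].split(":")
        # Assumption: little-endian host (x86), so the address word is byte-swapped.
        ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
        rows.append({"ip": ip, "port": int(port_hex, 16), "state": f[3],
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows

def socket_owners(inode, proc_root="/proc"):
    """Return [(pid, comm)] for processes holding an fd on socket:[inode]."""
    target = "socket:[%d]" % inode
    owners = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    with open(os.path.join(proc_root, pid, "comm")) as fh:
                        owners.append((int(pid), fh.read().strip()))
                    break
        except OSError:                          # process exited or fd not readable
            continue
    return owners

if __name__ == "__main__":
    try:
        with open("/proc/net/udp") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE                            # no procfs: decode the sample only
    for row in parse_proc_net_udp(text):
        print(row, socket_owners(row["inode"]) if os.path.isdir("/proc") else [])
```

Run as root so that other users' `/proc/<pid>/fd` directories are readable; the state column `07` on a UDP row marks an unconnected socket.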