[CentOS] rsyslog listening on high port

Fri Sep 7 13:20:13 UTC 2018
Jonathan Billings <billings at negate.org>

On Thu, Sep 06, 2018 at 02:06:37PM -0400, Adam Tauno Williams wrote:
>
> Attempting to lookup why rsyslogd is listening on the high port
> UDP/51427.    Have not succeeded in what this port is used for and what
> directive controls what interface it binds to.
> 
> [root at bedrock ~]# netstat --listen --inet --program --numeric | grep syslog
> udp  0  0 0.0.0.0:51427  0.0.0.0:*   66655/rsyslogd 

The 51427 is the ephemeral port on the client side of the UDP
session.  You can verify this by running tcpdump to capture traffic
when a syslog message is passed.

I can report that I also see this netstat (and similar with ss) state
for systems with rsyslog set up to send to a remote log server, where
ss reports that the process has UNCONN state on high UDP ports.

I suspect it's part of the UDP handshake that rsyslog uses for sending
syslogs, but I'm not familiar enough with how it works to say
definitively.  Since it's UDP, it's a sessionless protocol, so it's
not strictly LISTENing, but with ss you can see it's UNCONN, which
other daemons that *are* listening for UDP traffic also report.

It is quite interesting to me, and if anyone knows why this works this
way, I'd be happy to hear.  I did some tests with 'nc -u' and I
couldn't get similar results.


-- 
Jonathan Billings <billings at negate.org>
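A way to check this claim locally, as an added example that is not code from the thread or from rsyslog: it sends one datagram from an unconnected socket with sendto() (the pattern a UDP forwarder uses) and one from a connect()ed socket (what nc -u does), then reports what ss and netstat would see for each; the receiver on 127.0.0.1 stands in for the remote log server and the syslog line is constructed.

```python
import socket

# Constructed sample; the local receiver below stands in for a remote log server.
SAMPLE = b"<13>Sep  7 13:20:13 bedrock test: constructed sample message"


def socket_view(sock):
    """(local_addr, peer): peer is None for an unconnected socket (UNCONN)."""
    try:
        peer = sock.getpeername()
    except OSError:  # ENOTCONN: connect() was never called on it
        peer = None
    return sock.getsockname(), peer


def proc_udp_state(local_port):
    """Kernel state of a local UDP port from /proc/net/udp (Linux only): '07'
    (TCP_CLOSE) is what ss prints as UNCONN, '01' is ESTAB; None if unreadable."""
    try:
        with open("/proc/net/udp") as f:
            next(f)  # header line; addresses in this file are hex
            for line in f:
                fields = line.split()
                if int(fields[1].rsplit(":", 1)[1], 16) == local_port:
                    return fields[3]
    except OSError:
        pass
    return None


def compare_senders():
    """Send one datagram each way to a local receiver; return what ss would show."""
    recv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    recv.bind(("127.0.0.1", 0))  # port 0: the kernel picks a free port
    target = recv.getsockname()
    # Forwarder style: sendto() on an unbound socket. The kernel auto-binds
    # 0.0.0.0:<ephemeral>, the port netstat then lists as "listening".
    fwd = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    fwd.sendto(SAMPLE, target)
    # nc -u style: connect() first, so the socket has a fixed peer (ESTAB).
    nc = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    nc.connect(target)
    nc.send(SAMPLE)
    recv.settimeout(2)
    got = [recv.recvfrom(4096)[0] for _ in range(2)]
    result = {"delivered": got.count(SAMPLE)}
    for name, s in (("forwarder", fwd), ("nc", nc)):
        local, peer = socket_view(s)
        result[name] = {"local": local, "peer": peer,
                        "state": proc_udp_state(local[1])}
        s.close()
    recv.close()
    return result
```

Run `ss -uanp` while a forwarder is up to see the same distinction: the sendto() socket shows as UNCONN on 0.0.0.0:<port> with no peer, the connect()ed one as ESTAB with the peer address filled in.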