On Thu, Sep 06, 2018 at 02:06:37PM -0400, Adam Tauno Williams wrote: > > Attempting to lookup why rsyslogd is listening on the high port > UDP/51427. Have not succeeded in what this port is used for and what > directive controls what interface it binds to. > > [root at bedrock ~]# netstat --listen --inet --program --numeric | grep syslog > udp 0 0 0.0.0.0:51427 0.0.0.0:* 66655/rsyslogd The 51427 is the ephemeral port on the client side of the UDP session. You can verify this by running tcpdump to capture traffic when a syslog message is passed. I can report that I also see this netstat (and similar with ss) state for systems with rsyslog set up to send to a remote log server, where ss reports that the process has UNCONN state on high UDP ports. I suspect it's part of the UDP handshake that rsyslog uses for sending syslogs, but I'm not familiar enough with how it works to say definitively. Since it's UDP, it's a sessionless protocol, so it's not strictly LISTENing, but with ss you can see it's UNCONN, which other daemons that *are* listening for UDP traffic also report. It is quite interesting to me, and if anyone knows why this works this way, I'd be happy to hear. I did some tests with 'nc -u' and I couldn't get similar results. -- Jonathan Billings <billings at negate.org>