On Fri, 2018-09-07 at 09:20 -0400, Jonathan Billings wrote:
> > [root at bedrock ~]# netstat --listen --inet --program --numeric |
> > grep syslog
> > udp 0 0 0.0.0.0:51427 0.0.0.0:* 66655/rsyslogd
> The 51427 is the ephemeral port on the client side of the UDP
> session. You can verify this by running tcpdump to capture traffic
> when a syslog message is passed.

Thanks, I was suspecting something like this as the only way to make
that port disappear was to disable remote logging.

> I suspect it's part of the UDP handshake that rsyslog uses for
> sending syslogs, but I'm not familiar enough with how it works to say
> definitively.

It was puzzling because I can't find any reference to this behavior in
any documentation.

> Since it's UDP, it's a sessionless protocol, so it's
> not strictly LISTENing, but with ss you can see it's UNCONN, which
> other daemons that *are* listening for UDP traffic also report.

Right, distinguishing between the listening and open in UDP is always
somewhere between tedious and impossible. Perhaps I should investigate
logging over TCP! :)

Anyway, I have something to write in the report now.

--
Meetings Coordinator, Michigan Association of Railroad Passengers
537 Shirley St NE Grand Rapids, MI 49503-1754
Phone: 616.581.8010
E-mail: awilliam at whitemice.org
GPG#D95ED383
Web: http://www.marp.org
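Added example, not part of the original message or of rsyslog: a Python sketch of why a UDP sender that only calls sendto() ends up with a wildcard-bound ephemeral port that netstat and ss list next to real UDP listeners, and how a connect()ed UDP socket differs. The loopback receiver, the test message and the function name are constructed for the demonstration, and it assumes the sender is unconnected, which is what the 0.0.0.0:* foreign address in the quoted output suggests.

```python
import socket

def udp_sender_views():
    """Compare an unconnected and a connected UDP sender on loopback."""
    # Constructed stand-in for the remote syslog server (assumption: loopback).
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))
    server.settimeout(2)
    dest = server.getsockname()

    # Unconnected sender: sendto() with no bind() or connect().
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    before = sender.getsockname()          # no local port assigned yet
    sender.sendto(b"<14>demo: constructed test message", dest)
    after = sender.getsockname()           # kernel auto-bound an ephemeral port
    try:
        sender.getpeername()
        unconnected_has_peer = True
    except OSError:
        unconnected_has_peer = False       # no peer: listed as 0.0.0.0:* / UNCONN
    _, seen_source = server.recvfrom(1024)

    # Connected sender: connect() pins the peer, so tools can show both ends.
    pinned = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    pinned.connect(dest)
    result = {
        "dest": dest,
        "before": before,
        "after": after,
        "unconnected_has_peer": unconnected_has_peer,
        "seen_source_port": seen_source[1],
        "pinned_local": pinned.getsockname(),
        "pinned_peer": pinned.getpeername(),
    }
    for s in (server, sender, pinned):
        s.close()
    return result

if __name__ == "__main__":
    for key, value in udp_sender_views().items():
        print(f"{key:22} {value}")
```

The receiver sees the datagram arrive from the same port that the sender's socket was auto-bound to, which is the port that shows up in the listing; because that socket is bound to 0.0.0.0, the kernel will also deliver any datagram addressed to that port, so a host firewall still has to account for it.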