[CentOS] rsyslog listening on high port

Sat Sep 8 12:44:06 UTC 2018
Adam Tauno Williams <awilliam at whitemice.org>

On Fri, 2018-09-07 at 09:20 -0400, Jonathan Billings wrote:
> > [root at bedrock ~]# netstat --listen --inet --program --numeric |
> > grep syslog
> > udp  0  0*   66655/rsyslogd 
> The 51427 is the ephemeral port on the client side of the UDP
> session.  You can verify this by running tcpdump to capture traffic
> when a syslog message is passed.

Thanks, I was suspecting something like this as the only way to make
that port disappear was to disable remote logging.

> I suspect it's part of the UDP handshake that rsyslog uses for
> sending syslogs, but I'm not familiar enough with how it works to say
> definitively. 

It was puzzling because I can't find any reference to this behavior in
any documentation.

>  Since it's UDP, it's a sessionless protocol, so it's
> not strictly LISTENing, but with ss you can see it's UNCONN, which
> other daemons that *are* listening for UDP traffic also report.

Right, distinguishing between listening and open in UDP is always
somewhere between tedious and impossible.  Perhaps I should investigate
logging over TCP! :)

Anyway, I have something to write in the report now.

Meetings Coordinator, Michigan Association of Railroad Passengers
537 Shirley St NE Grand Rapids, MI 49503-1754 Phone: 616.581.8010
E-mail: awilliam at whitemice.org GPG#D95ED383 Web: http://www.marp.org
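
Added example, not part of the original message: a small Python parser for /proc/net/udp-style rows that flags UDP sockets whose local port falls in the kernel's ephemeral range, which is the pattern the thread attributes to rsyslog's outbound UDP forwarding. The sample rows, the inode numbers and the "ephemeral"/"service" labels are constructed for illustration; the port range is the Linux default and is an assumption about the audited host.

```python
import socket
import struct

# Linux default net.ipv4.ip_local_port_range (assumption; read the real value
# from /proc/sys/net/ipv4/ip_local_port_range on the audited host).
EPHEMERAL = (32768, 60999)
# Kernel socket state codes as ss names them for UDP.
STATES = {"07": "UNCONN", "01": "ESTAB"}

# Constructed sample in /proc/net/udp layout (not taken from the thread's host):
# one socket bound to 514 and one holding source port 51427.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
  10: 00000000:0202 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 20001
  11: 00000000:C8E3 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 20002
"""


def parse_addr(field):
    """Decode 'HEXIP:HEXPORT' (IPv4 printed as a little-endian word, as on x86)."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def classify(text, ephemeral=EPHEMERAL):
    """Return (local_ip, local_port, state, kind) for each UDP socket row."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        ip, port = parse_addr(fields[1])
        state = STATES.get(fields[3], fields[3])
        # Heuristic: a local port inside the ephemeral range was most likely
        # assigned by the kernel to a sender, not chosen by a listening service.
        in_range = ephemeral[0] <= port <= ephemeral[1]
        rows.append((ip, port, state, "ephemeral" if in_range else "service"))
    return rows


if __name__ == "__main__":
    for row in classify(SAMPLE):
        print("%s:%d %s %s" % row)
```

Both sockets report UNCONN, so the state column alone does not separate sender from receiver. The port-range check is only a hint, since a daemon can bind explicitly to a high port; a tcpdump capture, as suggested in the thread, confirms the direction of traffic.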