[CentOS] rsyslog listening on high port

Sat Sep 8 17:55:14 UTC 2018
Stephen John Smoogen <smooge at gmail.com>

On Fri, 7 Sep 2018 at 09:20, Jonathan Billings <billings at negate.org> wrote:
> On Thu, Sep 06, 2018 at 02:06:37PM -0400, Adam Tauno Williams wrote:
> >
> > Attempting to lookup why rsyslogd is listening on the high port
> > UDP/51427.    Have not succeeded in what this port is used for and what
> > directive controls what interface it binds to.
> >
> > [root at bedrock ~]# netstat --listen --inet --program --numeric | grep syslog
> > udp  0  0*   66655/rsyslogd
> The 51427 is the ephemeral port on the client side of the UDP
> session.  You can verify this by running tcpdump to capture traffic
> when a syslog message is passed.

That makes perfect sense. I had checked several boxes on our side and
had not found any with that port being shown but we use TCP for
logging so I expect that is why. My apologies to Mr Billings for going
for the worst possible scenario.

> I can report that I also see this netstat (and similar with ss) state
> for systems with rsyslog set up to send to a remote log server, where
> ss reports that the process has UNCONN state on high UDP ports.
> I suspect it's part of the UDP handshake that rsyslog uses for sending
> syslogs, but I'm not familiar enough with how it works to say
> definitively.  Since it's UDP, it's a sessionless protocol, so it's
> not strictly LISTENing, but with ss you can see it's UNCONN, which
> other daemons that *are* listening for UDP traffic also report.
> It is quite interesting to me, and if anyone knows why this works this
> way, I'd be happy to hear.  I did some tests with 'nc -u' and I
> couldn't get similar results.
> --
> Jonathan Billings <billings at negate.org>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

Stephen J Smoogen.