On Fri, 7 Sep 2018 at 09:20, Jonathan Billings <billings at negate.org> wrote: > > On Thu, Sep 06, 2018 at 02:06:37PM -0400, Adam Tauno Williams wrote: > > > > Attempting to lookup why rsyslogd is listening on the high port > > UDP/51427. Have not succeeded in what this port is used for and what > > directive controls what interface it binds to. > > > > [root at bedrock ~]# netstat --listen --inet --program --numeric | grep syslog > > udp 0 0 0.0.0.0:51427 0.0.0.0:* 66655/rsyslogd > > The 51427 is the ephemeral port on the client side of the UDP > session. You can verify this by running tcpdump to capture traffic > when a syslog message is passed. > That makes perfect sense. I had checked several boxes on our side and had not found any with that port being shown but we use TCP for logging so I expect that is why. My apologies to Mr Billings for going for the worst possible scenario. > I can report that I also see this netstat (and similar with ss) state > for systems with rsyslog set up to send to a remote log server, where > ss reports that the process has UNCONN state on high UDP ports. > > I suspect it's part of the UDP handshake that rsyslog uses for sending > syslogs, but I'm not familiar enough with how it works to say > definitively. Since it's UDP, it's a sessionless protocol, so it's > not strictly LISTENing, but with ss you can see it's UNCONN, which > other daemons that *are* listening for UDP traffic also report. > > It is quite interesting to me, and if anyone knows why this works this > way, I'd be happy to hear. I did some tests with 'nc -u' and I > couldn't get similar results. > > > -- > Jonathan Billings <billings at negate.org> > _______________________________________________ > CentOS mailing list > CentOS at centos.org > https://lists.centos.org/mailman/listinfo/centos -- Stephen J Smoogen.