Rsyslog Listening On High Port
Attempting to lookup why rsyslogd is listening on the high port UDP/51427. Have not succeeded in what this port is used for and what directive controls what interface it binds to.
[root@bedrock ~]# netstat –listen –inet –program –numeric | grep syslog udp
7 thoughts on - Rsyslog Listening On High Port
I don’t think that is really rsyslogd running.. first rsyslogd usually is running with a much lower pid as it starts early on. All the boxes I saw had it running under 1000. If the system is set up to actually listen to the internet it will look like
[root@log01 ~][PROD]# netstat –list –inet –program –numeric | grep rsys tcp 0 0 0.0.0.0:514 0.0.0.0:*
LISTEN 1078/rsyslogd tcp 0 0 0.0.0.0:5000 0.0.0.0:*
LISTEN 1078/rsyslogd udp 0 0 0.0.0.0:514 0.0.0.0:*
1078/rsyslogd
and those are set in /etc/rsyslogd.conf
[root@log01 ~][PROD]# egrep ‘514|5000’ /etc/rsyslog.conf
$UDPServerRun 514
$InputTCPServerRun 514
$InputTCPServerRun 5000
I would do a ps auxww | grep 66655 and see what is running and then check to see if that binary is what it is supposed to be.
Adam,
You might want to try running:
lsof -i -P | grep LISTEN | grep :51427
to determine what process is actually listening to that port.
—
Mike Burger http://www.bubbanfriends.org
“It’s always suicide-mission this, save-the-planet that. No one ever just stops by to say ‘hi’ anymore.” –Colonel Jack O’Neill, SG1
That is what is strange; lsof does *not* see the port as listening, but it is visible if I search by inode [and it is clearly rsyslogd –
but I cannot find any documentation indicating what this is].
[root@bedrock ~]# netstat –inet –program –numeric –listen | grep syslog udp
because there is no LISTEN in the lsof output for UDP ports.
just execute
lsof -i :51427 -P
should show you the process.
best regards Ulf
The 51427 is the ephemeral port on the client side of the UDP
session. You can verify this by running tcpdump to capture traffic when a syslog message is passed.
I can report that I also see this netstat (and similar with ss) state for systems with rsyslog set up to send to a remote log server, where ss reports that the process has UNCONN state on high UDP ports.
I suspect it’s part of the UDP handshake that rsyslog uses for sending syslogs, but I’m not familiar enough with how it works to say definitively. Since it’s UDP, it’s a sessionless protocol, so it’s not strictly LISTENing, but with ss you can see it’s UNCONN, which other daemons that *are* listening for UDP traffic also report.
It is quite interesting to me, and if anyone knows why this works this way, I’d be happy to hear. I did some tests with ‘nc -u’ and I
couldn’t get similar results.
Thanks, I was suspecting something like this as the only way to make that port disappear was to disable remote logging.
It was puzzling because I can’t find any reference to this behavior in any documentation.
Right, distinguishing between the listening and open in UDP is always somewhere between tedious and impossible. Perhaps I should investigate logging over TCP! :)
Anyway, I have something to write in the report now.
That makes perfect sense. I had checked several boxes on our side and had not found any with that port being shown but we use TCP for logging so I expect that is why. My apologies to Mr Billings for going for the worst possible scenario.