Watch out for a listening syslogd

Here’s a weird issue to be aware of.  If you are using centralized syslogging on RHEL5/Centos5 servers, you may be surprised to find this in your netstat or lsof:

# netstat -an|grep 514
udp        0      0 0.0.0.0:514                 0.0.0.0:*
# lsof -iUDP -P -n | grep :514
syslogd 3677    root   10u  IPv4      7887      0t0  UDP *:514

Well that’s weird, why is my syslogd listening for public connections?  You probably even went as far as to check your syslog config file, and no I’m not talking about the /etc/syslog.conf:

cat /etc/sysconfig/syslog

# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"
#
SYSLOG_UMASK=077
# set this to a umask value to use for all log files as in umask(1).
# By default, all permissions are removed for "group" and "other".

Hmm, I don’t see a -r listed in the SYSLOGD_OPTIONS line up there; do you?  Based on the man page for syslogd, it should only listen for network connections if it’s started with the -r option.

Turns out this is a ‘feature’ of the syslogd included in RHEL 5 / CentOS 5 where if you choose to enable remote logging in  your /etc/syslog.conf, it will, for reasons unknown, decide to start listening on all interfaces for incoming syslog messages.  Obviously a ‘bad thing’ if this is a public server.  I couldn’t find a way to turn that feature off, so I resorted to firewalling it (don’t forget ipv6!):

iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 514 -j DROP
ip6tables -A INPUT -p udp -s 0/0 -d 0/0 --dport 514 -j DROP

Leave a Reply

Your email address will not be published.