Here’s a weird issue to be aware of. If you are using centralized syslogging on RHEL5/Centos5 servers, you may be surprised to find this in your netstat or lsof:
# netstat -an | grep 514
udp        0      0 0.0.0.0:514             0.0.0.0:*
# lsof -iUDP -P -n | grep :514
syslogd 3677 root 10u IPv4 7887 0t0 UDP *:514
Well that’s weird: why is my syslogd listening for connections from anywhere? You probably even went as far as checking the syslog daemon’s option file, and no, I’m not talking about /etc/syslog.conf:
# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
# once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"
#
# SYSLOG_UMASK=077
# set this to a umask value to use for all log files as in umask(1).
# By default, all permissions are removed for "group" and "other".
Hmm, I don’t see a -r in the SYSLOGD_OPTIONS line up there; do you? According to the syslogd man page, it should only listen for network connections when started with the -r option.
It turns out this is a ‘feature’ of the syslogd shipped with RHEL 5 / CentOS 5: if you enable remote logging (forwarding to a central loghost) in /etc/syslog.conf, it will, for reasons unknown, also start listening on all interfaces for incoming syslog messages. Obviously a ‘bad thing’ if this is a public server. I couldn’t find a way to turn that feature off, so I resorted to firewalling it (don’t forget IPv6!):
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 514 -j DROP
ip6tables -A INPUT -p udp -s 0/0 -d 0/0 --dport 514 -j DROP
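To check a fleet for this condition rather than eyeballing netstat on each box, here is a small POSIX sh audit helper, added here as an example and not part of the original post. It works on captured text (the sysconfig file, netstat -an, iptables -S and ip6tables -S output), so the samples below are constructed to mirror the post and the function names are my own.

```shell
#!/bin/sh
# Audit helper (added example, not from the post). Feed it the live output of
#   cat /etc/sysconfig/syslog ; netstat -an ; iptables -S ; ip6tables -S
# to check a real RHEL5/CentOS5 host; it runs offline on captured text.

# 0 if SYSLOGD_OPTIONS carries -r (remote reception was configured on purpose).
sysconfig_has_r() {
    printf '%s\n' "$1" | grep -E '^SYSLOGD_OPTIONS=' |
        grep -Eq '(^|[" ])-r([" ]|$)'
}

# 0 if netstat -an shows a UDP socket bound to the wildcard address on port 514.
udp514_listening() {
    printf '%s\n' "$1" | grep -E '^udp6?[[:space:]]' |
        grep -Eq '(0\.0\.0\.0|:::|\*):514[[:space:]]'
}

# 0 if an iptables -S / ip6tables -S listing drops inbound UDP/514. Note that
# -A appends, so an earlier ACCEPT for UDP/514 would still win; this check
# does not inspect rule order.
fw_drops_514() {
    printf '%s\n' "$1" | grep -Eq '^-A INPUT .*-p udp .*--dport 514 .*-j DROP'
}

# Verdict: 0 = not listening, 1 = unexpected listener and unfiltered,
# 2 = unexpected listener but dropped by both iptables and ip6tables,
# 3 = listening because -r was configured.
audit_syslog_exposure() {
    sysconfig=$1; netstat_out=$2; ipt4=$3; ipt6=$4
    if ! udp514_listening "$netstat_out"; then
        echo "ok: syslogd is not bound to UDP/514"; return 0
    fi
    if sysconfig_has_r "$sysconfig"; then
        echo "info: UDP/514 open, but -r is set so this is intended"; return 3
    fi
    if fw_drops_514 "$ipt4" && fw_drops_514 "$ipt6"; then
        echo "warn: unexpected UDP/514 listener, mitigated by iptables+ip6tables"; return 2
    fi
    echo "FAIL: syslogd listens on UDP/514 without -r and is reachable"; return 1
}

# Constructed samples mirroring the post (not captured from a live host).
SAMPLE_SYSCONFIG='SYSLOGD_OPTIONS="-m 0"
KLOGD_OPTIONS="-x"'
SAMPLE_NETSTAT='udp        0      0 0.0.0.0:514             0.0.0.0:*'
SAMPLE_IPT='-A INPUT -p udp -m udp --dport 514 -j DROP'

audit_syslog_exposure "$SAMPLE_SYSCONFIG" "$SAMPLE_NETSTAT" "" "" || :
audit_syslog_exposure "$SAMPLE_SYSCONFIG" "$SAMPLE_NETSTAT" "$SAMPLE_IPT" "$SAMPLE_IPT" || :
```

The exit code is the verdict, so the helper drops straight into a cron job or a config-management check that flags hosts returning 1.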