We have been noticing some mysterious port binds on our macOS setups, where the syslogd process binds to an ephemeral UDP port. This socket isn't bound from the time the syslogd process starts; something (some event) triggers the bind.
So we investigated further. It appears that one of the macOS-specific modules in syslogd is the "bsd_out" module, which reads its config rules from a file called "/etc/syslog.conf". The contents of that file on my setup are:
cat /etc/syslog.conf
# Note that flat file logs are now configured in /etc/asl.conf
install.* @127.0.0.1:32376
These contents are the default ones shipped with macOS; nothing has been edited or changed.
So it appears that the bsd_out module has been configured with a rule to forward logs/messages in the "install" facility to some process that has a socket listening on loopback port 32376.
Whenever some software gets installed/uninstalled on the machine, it looks like a log message gets generated which falls under this "install" facility, and then the bsd_out module binds a UDP socket and uses that socket to send the data to 127.0.0.1:32376. You will notice that before installing/uninstalling any software the command:
sudo lsof -p <syslogd-pid>
will not list any UDP port. As soon as you install/uninstall something, that socket gets bound and is visible in the output of the above command. The (bound) socket stays around.
The curious part is that there is still nothing listening on that port 32376. So it appears that this module is sending datagrams that are simply lost and never delivered? Is there a reason why /etc/syslog.conf has this rule if nothing is receiving that data?
The "man syslogd" page does state that the bsd_out module is only there for backward compatibility, so perhaps this config rule in /etc/syslog.conf is just a leftover that is no longer relevant?
I'm on macOS 13.2.1:
sw_vers
ProductName: macOS
ProductVersion: 13.2.1
BuildVersion: 22D68
but this has been noticed on older versions (even 10.15.x) too.
To reproduce, here are the steps:
- Find the pid of syslogd (ps -aef | grep syslogd)
- Find the resources used by this process, including ports (sudo lsof -p <syslogd-pid>)
- At this point, ideally, you shouldn't see any UDP ports being used by this process
- Install/uninstall any software (for example: move to trash and delete any installed application)
- Run the lsof command again (sudo lsof -p <syslogd-pid>); you will now see that it uses a UDP socket bound to the INADDR_ANY address and an ephemeral port:
syslogd 12345 root 11u IPv4 0xf557ad678c99264b 0t0 UDP *:56972
- netstat output will show that port too (for example: netstat -anv -p UDP)