syslogd - out-of-box bsd_out module sends UDP packets to non-existent destination socket?

We have been noticing some mysterious port binds on our macOS setups, where the syslogd process binds to an ephemeral port on UDP. This socket isn't bound from the time the syslogd process starts, but something/some event triggers this bind.

So we investigated further. It appears that one of the macOS-specific modules in syslogd is the "bsd_out" module which reads the config rules from a file called "/etc/syslog.conf". The contents of that file on my setup are:

 cat /etc/syslog.conf 
# Note that flat file logs are now configured in /etc/asl.conf

install.*						@127.0.0.1:32376

These contents are the default ones shipped in macOS and nothing has been edited/changed.

So it appears that the bsd_out module has been configured with a rule to send logs/messages in the "install" facility to be forwarded to some process which has a socket listening on loopback's 32376 port.

Whenever some software gets installed/uninstalled from the machine, it looks like a log message gets generated which falls under this "install" facility and then the bsd_out module binds a socket for UDP and uses that socket to send the data to 127.0.0.1:32376. You will notice that before installing/uninstalling any software the command:

sudo lsof -p <syslogd-pid>

will not list any UDP port. As soon as you install/uninstall something that socket gets bound and is visible in the output of the above command. The (bound) socket stays around.

The curious part is there's still no one/nothing that listens on that 32376 port. So it appears that this module is sending some datagrams that are just lost and not delivered? Is there a reason why the /etc/syslog.conf has this rule if there's nothing that's receiving that data?

The "man syslogd" page does state that the bsd_out module is only there for backward compatibility, so perhaps this config rule in /etc/syslog.conf is just a leftover that is no longer relevant?

I'm on macOS 13.2.1:

sw_vers 
ProductName:		macOS
ProductVersion:		13.2.1
BuildVersion:		22D68

but this has been noticed on older versions (even 10.15.x) too.

To reproduce, here are the steps:

  • Find the pid of syslogd (ps -aef | grep syslogd)
  • Find the resources used by this process including ports (sudo lsof -p <syslog-pid>)
  • At this point, ideally, you shouldn't see any UDP ports being used by this process
  • Install/uninstall any software (for example: move to trash and delete any installed application)
  • Run the lsof command again (sudo lsof -p <syslog-pid>), you will now see that it uses a UDP port bound to INADDR_ANY address and an ephemeral port:
syslogd 12345 root   11u  IPv4 0xf557ad678c99264b      0t0                 UDP *:56972
  • netstat output too will show that port (for example: netstat -anv -p UDP)
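
An added example (not part of the original post and not Apple's code): it extracts the forwarding rule from the syslog.conf text quoted above, then shows standard BSD socket behaviour that matches the observed lsof line. Sending from a UDP socket that was never explicitly bound makes the kernel bind it to the wildcard address and an ephemeral port, and the send succeeds even with no listener. That syslogd's bsd_out module sends this way is an assumption; the function names and the payload are hypothetical.

```python
import re
import socket

# Constructed sample: the rule quoted in the post above.
SAMPLE_CONF = """\
# Note that flat file logs are now configured in /etc/asl.conf

install.*\t\t\t\t\t\t@127.0.0.1:32376
"""

# selector, whitespace, then an "@host" or "@host:port" action
RULE = re.compile(r"^([^#\s]\S*)\s+@([^\s:]+)(?::(\d+))?$")


def forward_rules(conf_text):
    """Return (selector, host, port) for each rule that forwards to a host.
    port is None when the rule names no port."""
    rules = []
    for line in conf_text.splitlines():
        m = RULE.match(line.strip())
        if m:
            port = int(m.group(3)) if m.group(3) else None
            rules.append((m.group(1), m.group(2), port))
    return rules


def send_from_unbound_socket(host, port, payload=b"constructed test message"):
    """Send one datagram from a UDP socket that was never bind()-ed.
    Returns (local address before send, bytes sent, local address after send)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        before = s.getsockname()                # ('0.0.0.0', 0): no local port yet
        sent = s.sendto(payload, (host, port))  # succeeds even with no listener
        after = s.getsockname()                 # wildcard address, ephemeral port
    return before, sent, after


if __name__ == "__main__":
    for selector, host, port in forward_rules(SAMPLE_CONF):
        before, sent, after = send_from_unbound_socket(host, port)
        print(f"{selector} -> {host}:{port}")
        print(f"  local address before send: {before}")
        print(f"  bytes handed to the kernel: {sent}")
        print(f"  local address after send:  {after}")
```

The example closes its socket when the function returns; a long-running process that keeps the descriptor open would keep the port visible in lsof and netstat.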

This looks like a bug to me, and I encourage you to file it as such.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hello Quinn, thank you for taking a look at this. I've now filed FB12016446 with these details and also included a link to this discussion.

On a related note, the feedback issue rendering(?) I think has an issue. Every time I submit some issue, the contents in the "Description" section has all its newlines trimmed. Even the current one I filed has this problem. So it just appears as a wall of text without any newlines. This has now happened for more than one feedback issue that I have submitted. I even provided this feedback on one of the issues, but I haven't seen any response or acknowledgment. Not sure if it's an issue with my browser (Safari) or something else. The first couple of feedback issues that I had filed (around a year back) didn't have this problem.

Thanks for filing FB12016446.

Every time I submit some issue, the contents in the "Description" section has all its newlines trimmed.

Yeah, I just tried that myself and I’m having the same problem [1]. The good news is that things get rendered correctly on our side, both in Radar and our internal view of Feedback Assistant. Still, this is annoying and I encourage you to file a bug. Make sure to include screen shots of what the Safari window looked like just before you submitted the bug and how the bug gets rendered in the end.

Once you’re done, I’d appreciate you posting that bug number as well.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Just for my own records, my test bug was FB12019393. However, this was just a test, not an actual bug report against Feedback Assistant.

Yeah, I just tried that myself and I’m having the same problem [1]. The good news is that things get rendered correctly on our side, both in Radar and our internal view of Feedback Assistant. Still, this is annoying and I encourage you to file a bug. Make sure to include screen shots of what the Safari window looked like just before you submitted the bug and how the bug gets rendered in the end.

Hello Quinn,

I've now submitted FB12022556 to track this rendering issue. I've attached relevant screenshots to that issue.
