1. Describe your incident:
Graylog opens on all our instances a UDP port of a random port number. The port is not in LISTEN state and is sometimes a udp6 port and sometimes udp (IPv4).
udp 0 0 0.0.0.0:55944 0.0.0.0:* 32535/java
udp6 0 0 :::47218 :::* 130470/java
Because of the PID in front of the "/java" I know that it is Graylog, since the same PID opens Graylog's input ports for receiving logs as well.
2. Describe your environment:
- OS Information:
- Package Version:
Same on Graylog 3.2.5+b0d3334
- Service logs, configurations, and environment variables:
#/etc/default/graylog
# Path to the java executable.
JAVA=/usr/bin/java
GRAYLOG_SERVER_JAVA_OPTS="-Xms24g -Xmx24g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:-OmitStackTraceInFastThrow"
GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -Djdk.tls.acknowledgeCloseNotify=true"
GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -Dlog4j2.formatMsgNoLookups=true"
GRAYLOG_SERVER_ARGS=""
GRAYLOG_COMMAND_WRAPPER=""
# /etc/graylog/server/server.conf
is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret = ...
root_username = ...
root_password_sha2 = ...
root_email = "..."
root_timezone = CET
bin_dir = /usr/share/graylog-server/bin
data_dir = /var/lib/graylog-server
plugin_dir = /usr/share/graylog-server/plugin
http_bind_address = 127.0.0.1:9000
http_enable_cors = true
http_enable_gzip = true
trusted_proxies = 127.0.0.1/32
ring_size = 65536
allow_leading_wildcard_searches = true
allow_highlighting = false
elasticsearch_hosts = http://127.0.0.1:9200
elasticsearch_max_total_connections = 200
elasticsearch_max_total_connections_per_route = 200
elasticsearch_discovery_enabled = false
elasticsearch_shards = 1
elasticsearch_replicas = 0
elasticsearch_analyzer = standard
rotation_strategy = time
retention_strategy = delete
#index_ranges_cleanup_interval = 1h
elasticsearch_max_number_of_indices = 7
elasticsearch_index_prefix = graylog
elasticsearch_max_time_per_index = 1d
inputbuffer_ring_size = 65536
inputbuffer_processors = 8
inputbuffer_wait_strategy = blocking
processbuffer_processors = 14
output_batch_size = 10000
output_flush_interval = 1
outputbuffer_processors = 50
outputbuffer_processor_threads_core_pool_size = 30
outputbuffer_processor_threads_max_pool_size = 50
outputbuffer_processor_keep_alive_time = 10000
processor_wait_strategy = blocking
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
message_journal_max_age = 24h
message_journal_max_size = 128gb
message_journal_flush_age = 1s
message_journal_flush_interval = 1000
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://127.0.0.1:27017/graylog
mongodb_max_connections = 1000
mongodb_threads_allowed_to_block_multiplier = 5
http_connect_timeout = 10s
http_read_timeout = 20s
http_write_timeout = 20s
content_packs_dir = /usr/share/graylog-server/contentpacks
content_packs_auto_load = grok-patterns.json
proxied_requests_thread_pool_size = 32
enabled_tls_protocols = TLSv1.1,TLSv1.2
#
# Custom Plugin
#
custom_statsd_host = 127.0.0.1
custom_statsd_port = 8125
custom_mongodb_uri = mongodb://127.0.0.1:27017/custom
3. What steps have you already taken to try and solve the problem?
Googled the issue in the context of Graylog and Java, and searched here in the community forum.
4. How can the community help?
Since the port is not in LISTEN state, connections will be rejected, but for the sake of port hygiene I want to know what it is, where it comes from, and whether I am able to get rid of it or pin it to a specific port so that I can apply firewall rules to it. A non-listening port nobody can connect to is quite useless, I guess.
As well, it is bound to all interfaces. As soon as the LISTEN state changes (I don’t know when or if at all) it would be open to everybody…
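The kernel's own socket table can answer where a socket like this comes from. The following script is an added example, not part of the original post and not Graylog code: it decodes `/proc/net/udp` and `/proc/net/udp6` (UDP sockets never show a LISTEN state in netstat; a bound UDP socket receives datagrams regardless, so the wildcard bind is the point to check), flags sockets bound to `0.0.0.0` or `::`, and maps each socket inode back to its owning PID through `/proc/<pid>/fd`. It assumes a Linux host; the embedded sample tables are constructed from the two ports in the post and use the little-endian hex layout of x86_64.

```python
import glob, os, socket, struct

# Constructed sample tables (not captured from the poster's hosts); the ports match the
# netstat lines in the post. Hex words are in host byte order as written on x86_64.
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
 1234: 00000000:DA88 00000000:0000 07 00000000:00000000 00:00000000 00000000   999        0 32535001 2 0000000000000000 0
 1235: 0100007F:3039 00000000:0000 07 00000000:00000000 00:00000000 00000000   999        0 32535002 2 0000000000000000 0
"""
SAMPLE_UDP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  567: 00000000000000000000000000000000:B872 00000000000000000000000000000000:0000 07 00000000:00000000 00:00000000 00000000   999        0 13047001 2 0000000000000000 0
"""

def decode_addr(field):
    """Decode one 'HEXADDR:HEXPORT' field from /proc/net/udp{,6}."""
    host, port = field.split(":")
    # The kernel prints each 32-bit address word in host byte order, so repack natively.
    words = [struct.pack("=I", int(host[i:i + 8], 16)) for i in range(0, len(host), 8)]
    family = socket.AF_INET if len(host) == 8 else socket.AF_INET6
    return socket.inet_ntop(family, b"".join(words)), int(port, 16)

def parse_udp_table(text):
    """Parse /proc/net/udp or /proc/net/udp6 text into one record per socket."""
    rows = []
    for line in text.strip().splitlines()[1:]:  # first line is the column header
        f = line.split()
        rows.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows

def wildcard_sockets(rows):
    """UDP has no LISTEN state: any socket bound to 0.0.0.0 or :: receives from every interface."""
    return [r for r in rows if r["local"][0] in ("0.0.0.0", "::")]

def socket_owners():
    """Map socket inode -> PID via /proc/<pid>/fd symlinks (Linux only)."""
    owners = {}
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            target = os.readlink(fd)  # e.g. 'socket:[32535001]'
        except OSError:  # fd closed or process exited between glob and readlink
            continue
        if target.startswith("socket:["):
            owners[int(target[8:-1])] = int(fd.split("/")[2])
    return owners

if __name__ == "__main__":  # live run against this host's own tables
    owners = socket_owners()
    for path in ("/proc/net/udp", "/proc/net/udp6"):
        for r in wildcard_sockets(parse_udp_table(open(path).read())):
            print(path, r["local"], "inode", r["inode"], "pid", owners.get(r["inode"]))
```

Run it as root so every process's `/proc/<pid>/fd` is readable; a socket whose remote column is `0.0.0.0:0` and whose PID matches the Graylog JVM is the one to trace further with `ss -uanp` or the JVM's own diagnostics.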