The port is also used to (potentially) send data out to other syslog servers. Therefore, it is left open. This is made ASTOUNDINGLY clear in the manual page, if you would read it:

    syslogd opens the above described socket whether or not it is running in
    secure mode. If syslogd is running in secure mode, all incoming data on
    this socket is discarded. The socket is required for sending forwarded
    messages.

See that? It says anything read is DISCARDED. This behaviour is not going to be changed. Period.

> I remember asking how to stop syslogd opening udp port 514 a while ago
> and never doing anything about it, here goes again...
>
> hopefully a relevant part of /etc/rc
>
> echo 'starting system logger'
> rm -f /dev/log
> if [ "X${named_flags}" != X"NO" ]; then
>         rm -f /var/named/dev/log
>         syslogd_flags="${syslogd_flags} -a /var/named/dev/log"
> fi
> if [ -d /var/empty ]; then
>         rm -f /var/empty/dev/log
>         mkdir -p -m 0555 /var/empty/dev
>         syslogd_flags="${syslogd_flags} -a /var/empty/dev/log"
> fi
> syslogd ${syslogd_flags}
>
> if [ X"${pf}" != X"NO" -a X"${pflogd_flags}" != X"NO" ]; then
>         if ifconfig pflog0 >/dev/null 2>&1; then
>                 ifconfig pflog0 up
>                 pflogd ${pflogd_flags}
>         fi
> fi
>
> my /etc/rc.conf
>
> syslogd_flags=          # add more flags, ie. "-u -a /chroot/dev/log"
>
> output from command: netstat -p udp -an
>
> Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
> udp          0      0  *.514                  *.*
>
> reading the man page doesn't really answer why there is a program
> listening on udp 514, seeing as I haven't passed syslogd the -u switch
>
>      -u      Select the historical ``insecure'' mode, in which syslogd will
>              accept input from the UDP port.  Some software wants this, but
>              you can be subjected to a variety of attacks over the network,
>              including attackers remotely filling logs.
>
> can anyone point me in the right direction so this annoying behaviour stops.
> also, is there a switch for netstat which shows the pid/process for each
> listening port?
>
> thanks in advance
>
> poncenby
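An added audit check (example code, not from this thread or from OpenBSD) that tells the two cases apart: UDP 514 bound by syslogd but in secure mode (input discarded, socket kept for forwarding) versus bound with -u (input accepted). It assumes the column layout of `netstat -p udp -an` shown above and the -u semantics quoted from the manual page; the netstat lines below are constructed.

```shell
#!/bin/sh
# Classify the syslogd UDP 514 socket from netstat output plus the
# syslogd_flags value from /etc/rc.conf. Prints one word:
#   closed   - nothing bound to UDP port 514
#   secure   - port bound, but -u absent: incoming data is discarded
#   insecure - port bound and -u present: syslogd accepts input from UDP

# Constructed sample of `netstat -p udp -an` output (not real host data).
NETSTAT_SAMPLE='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
udp          0      0  *.514                  *.*
udp          0      0  127.0.0.1.53           *.*'

# Usage: classify_syslog_udp "<netstat output>" "<syslogd_flags>"
classify_syslog_udp() {
    netstat_out=$1
    flags=$2

    # Any udp line whose local address ends in .514 means the port is bound,
    # whether on the wildcard address (*.514) or a specific interface.
    if ! printf '%s\n' "$netstat_out" |
         awk '$1 == "udp" && $4 ~ /\.514$/ { found = 1 } END { exit !found }'
    then
        echo closed
        return 0
    fi

    # -u is the only flag that makes syslogd read from the UDP socket.
    # Pad with spaces so the match is on the whole token, not a substring.
    case " $flags " in
        *" -u "*) echo insecure ;;
        *)        echo secure ;;
    esac
}

# Stand-alone demonstration against the constructed sample.
classify_syslog_udp "$NETSTAT_SAMPLE" ""                           # secure
classify_syslog_udp "$NETSTAT_SAMPLE" "-u -a /chroot/dev/log"      # insecure
```

On a live host, feed it the real output (`classify_syslog_udp "$(netstat -p udp -an)" "$syslogd_flags"` after sourcing /etc/rc.conf) to confirm the open port is the forwarding socket and not an accidental -u.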