Syslog daemons differences

Depending on the distribution or system you use, you may get a different open source syslog daemon by default. Some prefer the standard syslogd, others go with rsyslog and others install syslog-ng by default. All of them do what you expect, and manage the syslog process and calls within the server.

Name Description
syslogd The first one, originally created in the 80's to handle the syslog protocol. It is still the default on OpenBSD.
syslog-ng Created in the late 90's as a robust replacement to to syslogd. Added support for TCP, encryption and many other features. Syslog-ng was the standard and included on Suse, Debian and Fedora for many years.
rsyslog: Created in 2004 as a competitor to syslog-ng, because the default syslog daemon on Ubuntu, RHEL and many other distributions. If you have a common and updated Linux distribution, you are likely using rsyslog.

Configuration file differences

Each one uses a different configuration file, with their own format and options:

Name Location
syslogd etc/syslog.conf
syslog-ng /etc/syslog-ng/syslog-ng.conf
rsyslog: /etc/rsyslog.conf

Configuration syntax

They have a different configuration file and a different syntax - specially syslog-ng. For example, both rsyslog and syslogd support the original syslog syntax on how to store events to files. It follows a standard way of specifying the facility.level, followed by the file to store:

*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
kern.debug;syslog, /var/log/messages /var/log/authlog
authpriv.debug /var/log/secure /var/cron/log

While syslog-ng created their own syntax, which looks like this:

destination d_syslog { file("/var/log/syslog"); };
destination d_auth { file("/var/log/auth.log"); };

In fact, we think the reason why rsyslog became so popular, replacing syslog-ng on all major distributions (as the default choice), is because they picked the original syslogd syntax.

Configuration syntax - remote syslog

To send the logs to a remote syslog server, both rsyslog and syslogd use the same syntax (@IPADDRESS for UDP syslog and @@IPADDRESS for TCP syslog):


While syslog-ng has their own format again:

destination d_syslog_tcp {
syslog("" transport("tcp") port(514)); };
log { source(s_local);destination(d_syslog_tcp); };

Their code bases are vastly different, but they all handle internal syslog messages, log to files (on /var/log) and allow you to send the logs to a remote syslog server. Syslogd and rsyslog are the most used options, with a similar syntax. However, you will likely be fine with either one of them - unless you have complex syslog needs.

Posted in   log-tutorial   syslog-logs     by Daniel Cid (@dcid)

Simple, affordable, log management and analysis.