Depending on the distribution or system you use, you may get a different open source syslog daemon by default. Some prefer the standard syslogd, others go with rsyslog and others install syslog-ng by default. All of them do what you expect, and manage the syslog process and calls within the server.
Name | Description |
---|---|
syslogd | The first one, originally created in the 80's to handle the syslog protocol. It is still the default on OpenBSD. |
syslog-ng | Created in the late 90's as a robust replacement for syslogd. Added support for TCP, encryption and many other features. Syslog-ng was the standard and included on Suse, Debian and Fedora for many years. |
rsyslog | Created in 2004 as a competitor to syslog-ng, it became the default syslog daemon on Ubuntu, RHEL and many other distributions. If you have a common and updated Linux distribution, you are likely using rsyslog. |
Each one uses a different configuration file, with their own format and options:
Name | Location |
---|---|
syslogd | /etc/syslog.conf |
syslog-ng | /etc/syslog-ng/syslog-ng.conf |
rsyslog | /etc/rsyslog.conf |
The syntax differs as well as the file, especially for syslog-ng. For example, both rsyslog and syslogd support the original syslog syntax for storing events to files. Each rule specifies the facility.level, followed by the file to store the events in:
```
*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
kern.debug;syslog,user.info /var/log/messages
auth.info /var/log/authlog
authpriv.debug /var/log/secure
cron.info /var/cron/log
```
syslog-ng, by contrast, created its own syntax, which looks like this:
```
destination d_syslog { file("/var/log/syslog"); };
destination d_auth { file("/var/log/auth.log"); };
```
In fact, we think the reason rsyslog became so popular, replacing syslog-ng as the default choice on all major distributions, is that it picked the original syslogd syntax.
To send the logs to a remote syslog server, both rsyslog and syslogd use the same syntax (@IPADDRESS for UDP syslog and @@IPADDRESS for TCP syslog):
```
*.* @REMOTESYSLOG
```
syslog-ng again has its own format:
```
destination d_syslog_tcp {
    syslog("192.168.1.118" transport("tcp") port(514));
};
log { source(s_local); destination(d_syslog_tcp); };
```
Their code bases are vastly different, but they all handle internal syslog messages, log to files (under /var/log) and allow you to send the logs to a remote syslog server. Syslogd and rsyslog are the most used options, with a similar syntax. However, you will likely be fine with either one of them - unless you have complex syslog needs.
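To check where a given event actually ends up under the facility.level rules and the @ / @@ forwarding syntax shown above, the following added example (not code from rsyslog or syslogd) evaluates such rules in Python. It assumes plain `facility.level` selectors with canonical level names only; the `=` and `!` modifiers and rsyslog's newer configuration formats are not handled, and the function names are hypothetical.

```python
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Rules copied from the page's examples; REMOTESYSLOG is the page's placeholder host.
SAMPLE_CONF = """\
*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
kern.debug;syslog,user.info /var/log/messages
auth.info /var/log/authlog
authpriv.debug /var/log/secure
cron.info /var/cron/log
*.* @REMOTESYSLOG
"""

def classify_action(action):
    """Return (kind, target): '@@host' is TCP, '@host' is UDP, a path is a file."""
    if action.startswith("@@"):
        return ("tcp", action[2:])
    if action.startswith("@"):
        return ("udp", action[1:])
    if action.startswith("/"):
        return ("file", action)
    return ("other", action)

def selector_matches(selector, facility, severity):
    """Evaluate ';'-separated parts left to right; a later part overrides an earlier one."""
    sev = SEVERITIES.index(severity)
    matched = False
    for part in selector.split(";"):
        facilities, _, level = part.rpartition(".")
        names = facilities.split(",")
        if "*" not in names and facility not in names:
            continue  # this part says nothing about our facility
        if level == "none":
            matched = False  # explicit exclusion, e.g. "mail.none"
        elif level == "*":
            matched = True
        else:
            # a plain level matches that severity and anything more urgent
            matched = sev <= SEVERITIES.index(level)
    return matched

def routes(conf, facility, severity):
    """List the (kind, target) destinations a message is written or sent to."""
    out = []
    for line in conf.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or a line with no action
        if selector_matches(parts[0], facility, severity):
            out.append(classify_action(parts[1].strip()))
    return out
```

Calling `routes(SAMPLE_CONF, "auth", "info")` shows that authentication events go to /var/log/authlog and also leave the host over UDP through the `*.*` rule, which is the kind of finding worth reviewing when the log transport is unencrypted.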