Syslog Daemons difference (syslogd, rsyslog and syslog-ng)
May 16, 2025 
Depending on the distribution or system you use, you may get a different open source syslog daemon by default. Some prefer the standard syslogd, others go with rsyslog and others install syslog-ng by default. All of them do what you expect, and manage the syslog process and calls within the server.
| Name | Description |
|---|---|
| syslogd | The first one, originally created in the 80's to handle the syslog protocol. It is still the default on OpenBSD. |
| syslog-ng | Created in the late 90's as a robust replacement to to syslogd. Added support for TCP, encryption and many other features. Syslog-ng was the standard and included on Suse, Debian and Fedora for many years. |
| rsyslog: | Created in 2004 as a competitor to syslog-ng, because the default syslog daemon on Ubuntu, RHEL and many other distributions. If you have a common and updated Linux distribution, you are likely using rsyslog. |
Configuration file differences
Each one uses a different configuration file, with their own format and options:
| Name | Location |
|---|---|
| syslogd | etc/syslog.conf |
| syslog-ng | /etc/syslog-ng/syslog-ng.conf |
| rsyslog: | /etc/rsyslog.conf |
Configuration syntax
They have a different configuration file and a different syntax - specially syslog-ng. For example, both rsyslog and syslogd support the original syslog syntax on how to store events to files. It follows a standard way of specifying the facility.level, followed by the file to store:
*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
kern.debug;syslog,user.info /var/log/messages
auth.info /var/log/authlog
authpriv.debug /var/log/secure
cron.info /var/cron/log
While syslog-ng created their own syntax, which looks like this:
destination d_syslog { file("/var/log/syslog"); };
destination d_auth { file("/var/log/auth.log"); };
In fact, we think the reason why rsyslog became so popular, replacing syslog-ng on all major distributions (as the default choice), is because they picked the original syslogd syntax.
Configuration syntax - remote syslog
To send the logs to a remote syslog server, both rsyslog and syslogd use the same syntax (@IPADDRESS for UDP syslog and @@IPADDRESS for TCP syslog):
*.* @REMOTESYSLOG
While syslog-ng has their own format again:
destination d_syslog_tcp {
syslog("192.168.1.118" transport("tcp") port(514)); };
log { source(s_local);destination(d_syslog_tcp); };
Their code bases are vastly different, but they all handle internal syslog messages, log to files (on /var/log) and allow you to send the logs to a remote syslog server. Syslogd and rsyslog are the most used options, with a similar syntax. However, you will likely be fine with either one of them - unless you have complex syslog needs.
Logging Guides
We love logs. In this section we will share some articles from our team to help you get better at logging.
Trunc Logging
Logging for fun and a good night of sleep.
- Real time search
- Google simple
- Cheap
- Just works
- PCI compliance
Latest Articles
Latest articles from our learning center.
- 2025-06-03Investigating the 'slince_golden' WordPress Backdoor
- 2025-05-30Vulnerability Scanner Logs: WPScan
- 2025-05-29Web Scanning, Development Hygiene, and File Exposure Risks
- 2025-05-29Troubleshooting Remote Syslog with TCPDUMP
- 2025-05-29Logging basics: Syslog protocol in detail
- 2025-05-29Syslog Daemons difference (syslogd, rsyslog and syslog-ng)
Contact us!
Do you have an idea for an article that is not here? See something wrong? Contact us at support@noc.org
Tired of price gouging
- Clear pricing
- No need to guess
- Real people
- Real logging
Get
Started