Depending on the operating system or distribution you use, the default syslog daemon may vary. Common options include syslogd, rsyslog, and syslog-ng. Each serves the same fundamental purpose: managing the syslog process and handling log calls on the server. However, they differ in features, configuration, and syntax.
Key Syslog Daemons Overview
Name | Description |
---|---|
syslogd | The original syslog daemon, developed in the 1980s. It adheres to the basic syslog protocol and remains the default on OpenBSD. |
syslog-ng | Introduced in the late 1990s as a more robust alternative to syslogd. It supports TCP, encryption, and other advanced features. Historically included with SUSE, Debian, and Fedora. |
rsyslog | Launched in 2004 as a competitor to syslog-ng. It became the default syslog daemon for distributions like Ubuntu and RHEL. Most modern Linux distributions ship with rsyslog by default. |
Configuration File Locations
Each daemon uses a distinct configuration file, which varies in location and syntax:
Daemon | Configuration File |
---|---|
syslogd | /etc/syslog.conf |
syslog-ng | /etc/syslog-ng/syslog-ng.conf |
rsyslog | /etc/rsyslog.conf |
Configuration Syntax
The syntax for configuration files differs among the daemons, particularly for syslog-ng, which diverges from the traditional format.
syslogd and rsyslog Syntax
Both syslogd and rsyslog use the classic syntax, specifying facility.level followed by the destination (e.g., a file):
*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
kern.debug;syslog,user.info /var/log/messages
auth.info /var/log/authlog
authpriv.debug /var/log/secure
cron.info /var/cron/log
syslog-ng Syntax
syslog-ng introduced its own configuration style, which is more structured and declarative:
destination d_syslog { file("/var/log/syslog"); };
destination d_auth { file("/var/log/auth.log"); };
Remote Syslog Configuration
To forward logs to a remote syslog server, both syslogd and rsyslog use a simple syntax. Use @IPADDRESS for UDP and @@IPADDRESS for TCP:
*.* @REMOTESYSLOG
In contrast, syslog-ng requires a more explicit configuration:
destination d_syslog_tcp {
    syslog("192.168.1.118" transport("tcp") port(514));
};
log { source(s_local); destination(d_syslog_tcp); };
While syslogd and rsyslog share similar syntax and are well-suited for typical use cases, syslog-ng offers a modernized syntax with advanced features for complex logging requirements. The popularity of rsyslog is partly due to its backward compatibility with syslogd’s original syntax, making it an easy transition for most systems.
All three options can handle internal syslog messages, write logs to files (typically under /var/log), and forward logs to remote servers. For most users, rsyslog or syslogd will suffice unless your needs demand the additional flexibility of syslog-ng.
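An added example (not from the original article or from any of the daemons' own code): a small Python evaluator for the classic facility.level rules and the @ / @@ forwarding actions shown above, for checking where a given message is written and whether it leaves the host over UDP or TCP. It assumes only the basic selector semantics stated in the comments; the function names and the final @@192.0.2.10 rule are constructed for illustration.

```python
# Added example: evaluate classic syslogd/rsyslog selector rules (basic syntax).
# Assumed semantics: "facility.level" matches that level and anything more
# severe, "none" excludes, and a later selector overrides an earlier one.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Rules from the article, plus one constructed TCP rule (last line).
SAMPLE = """
*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
kern.debug;syslog,user.info /var/log/messages
auth.info /var/log/authlog
authpriv.debug /var/log/secure
cron.info /var/cron/log
*.* @REMOTESYSLOG
authpriv.* @@192.0.2.10
"""

def parse_rules(text):
    """Return [(selectors, action)]; selectors is [(facility_list, level)]."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            selector, action = line.split(None, 1)
            parts = [s.rsplit(".", 1) for s in selector.split(";")]
            rules.append(([(f.split(","), lvl) for f, lvl in parts], action.strip()))
    return rules

def selected(selectors, facility, severity):
    """True if a rule's selectors pick up this facility/severity pair."""
    hit = False
    for facilities, level in selectors:
        if "*" not in facilities and facility not in facilities:
            continue
        # Lower index means more severe, so "<=" is "this level or worse".
        hit = level != "none" and (
            level == "*" or SEVERITIES.index(severity) <= SEVERITIES.index(level))
    return hit

def classify(action):
    """Map an action to (transport, target): @@ is TCP, @ is UDP, else a file."""
    if action.startswith("@@"):
        return ("tcp", action[2:])
    if action.startswith("@"):
        return ("udp", action[1:])
    return ("file", action)

def route(text, facility, severity):
    """List every destination a message would be written or forwarded to."""
    return [classify(action) for sels, action in parse_rules(text)
            if selected(sels, facility, severity)]
```

Calling route(SAMPLE, "mail", "err") shows that under these sample rules mail errors are written to no local file and reach only the remote server, the kind of gap this check is meant to surface.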