A syslog server is a centralized log management system that collects, stores, and manages syslog messages generated by various network devices, servers, applications, and other sources.

It acts as a central repository for log data and provides a platform for analyzing and monitoring system events.

Syslog servers stand as invaluable tools for network administrators, enabling them to consolidate logs from various devices into a central repository for easy monitoring, troubleshooting, and analysis. While there are several premium options available in the market, there’s a notable range of free syslog servers that offer robust features without stretching your budget.

Here’s our list of the best free and paid Syslog servers for Linux and Windows:

  1. SolarWinds Kiwi Syslog Server (EDITOR’S CHOICE): The top choice for collecting, viewing and archiving syslog messages and SNMP traps. With a variety of filters and real-time monitoring options, you can closely monitor your network and also send daily summaries. Free for up to five devices.
  2. ManageEngine EventLog Analyzer (FREE TRIAL): Can be installed on Windows or Linux, operates as a Syslog server and includes a very intuitive and user-friendly dashboard.
  3. Site24x7 Server Monitoring (FREE TRIAL): A network, server, and application monitor that includes a log manager for Syslog and also Windows Events and application log messages. This is a cloud-based service.
  4. FirstWave opEvents (FREE TRIAL): A log file manager that is able to collect log messages from a range of sources, including Syslog. Installs on Linux.
  5. ManageEngine Log360 (FREE TRIAL): A SIEM system that includes a log collector and server that is able to extract Syslog messages from Linux computers. Runs on Windows Server.
  6. Syslog Watcher: A free Syslog server for Windows that writes Syslog messages to files or a database and includes record sorting and filtering functions.
  7. The Dude: Free network analysis tool with an integrated Syslog server for Windows, Linux, and macOS.
  8. Paessler PRTG Network Monitor: A comprehensive network, server, and application monitor that includes sensors for Syslog management. The first 100 sensors are free.
  9. Visual Syslog Server: Collects Syslog messages and stores them to file as well as displaying them in a dashboard. The program is free and runs on Windows and Windows Server.
  10. NXLog: A free Syslog server for Windows, Linux, Unix, and Android.
  11. Logstash: A system message monitoring service for Linux that includes the storage of Syslog messages.
  12. TFTPD32: Lightweight, free system message logger for Windows that includes monitoring for Syslog.

Syslog servers by OS

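| Syslog server | Linux | Windows | Other |
|---|---|---|---|
| Paessler PRTG | No | Yes | Yes |
| EventLog Analyzer | Yes | Yes | No |
| FirstWave opEvents | Yes | No | No |
| ManageEngine Log360 | No | Yes | No |
| Syslog Watcher | No | Yes | No |
| The Dude | Yes | Yes | Yes |
| Visual Syslog Server | No | Yes | No |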

The Best Syslog Server Tools for Linux and Windows

If you don’t have a budget for tools, or if you don’t think that it is worth spending money just to look at log file messages, then check out our list of free syslog servers. Most review sites will give you a list of the five or 10 best syslog servers, but we have gone the extra mile and found 12 excellent syslog servers that are free to use.

Our methodology for selecting Syslog server tools

We reviewed the market for Syslog servers and analyzed the options based on the following criteria:

  • The ability to receive Syslog messages from any system
  • The option to receive log messages from other systems
  • Logfile consolidation
  • A log file manager
  • A log receiving record
  • Free options or a free trial period for assessment
  • A free tool that offers sufficient utilities or a tool that is worth paying for

Features Comparison Table

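| Feature | SolarWinds Kiwi Syslog Server | Paessler PRTG Network Monitor | ManageEngine EventLog Analyzer | Site24x7 Server Monitoring | FirstWave opEvents | ManageEngine Log360 | Syslog Watcher | The Dude | Visual Syslog Server | NXLog | Logstash | TFTPD32 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Real-time Monitoring | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No |
| Email Alerts | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No | Yes | Yes | No |
| Log Forwarding | Yes | Yes | Yes | No | Yes | Yes | Yes | No | Yes | Yes | Yes | No |
| Log Archiving | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes | No |
| Log Analysis & Reporting | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No | Yes | Yes | No |
| Multi-Platform Support | No | Yes | Yes | Yes | Yes | Yes | No | Yes | No | Yes | Yes | No |
| GUI Interface | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No | Yes |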

1. SolarWinds Kiwi Syslog Server (FREE DOWNLOAD)


Kiwi is a syslog server utility from SolarWinds. The package costs $295, but there is a free version. You can use the system for free to monitor Syslog messages from up to five devices. The free package would only be suitable for small networks.

Key Features:

  • Collects Syslog messages and SNMP traps
  • Generates log files
  • Log record viewer
  • Free version

Why do we recommend it?

Kiwi Syslog Server Free Edition is a great service because you can get a paid tool for free. Although the paid version has a few more features, the Free Edition is a good Syslog collector that is able to store and also forward Syslog messages as well as other log formats.

The Simple Network Management Protocol is based on the Syslog methodology, so Kiwi can also gather SNMP messages. A device-originated alert message is called an “SNMP Trap.” The Trap is an exception to regular SNMP procedures in which devices’ agents only respond with statuses when queried by a manager program. So, Traps are designed to signify high-risk conditions. The package includes Kiwi Syslog Web Access, which is a Web interface that you host on your own server and gives access to the console of the Syslog server from anywhere through any standard Web browser.


Who is it recommended for?

Anyone can use the Kiwi Syslog Server to collect, view, and manage Syslog messages as well as SNMP Traps and Windows Events messages. Collecting log messages and filing them is an important requirement for data protection standards compliance.


Pros:

  • Offers a freeware version for smaller networks
  • Captures both syslog and SNMP traps, ensuring nothing is missed
  • Interface is easy to use and allows for quick filtering based on application, location, or custom grouping
  • Color-coded warning level helps critical events pop out, and aids in prioritization
  • Affordable for any size network

Cons:

  • Built for sysadmins, not the best option for home networks or non-technical users

The Kiwi system enables you to write event logs by IP address, date or by message source type. You can have alerts on high-traffic conditions sent to you by email. However, if you get the paid version there are many more conditions that you can elect to be notified about by email. The Kiwi Syslog Server is only available for Windows. It can be installed on Windows Server 2008 R2, Windows Server 2012, Windows 7 SP1, Windows 8.1, and Windows 10.


Kiwi Syslog Server is the top choice for collecting, viewing and archiving syslog messages and SNMP traps. With a variety of filters and real-time logging windows, you can closely monitor your network and send daily email summaries. The free version is limited to 5 devices, but the full version, at only $295, is far more powerful with actions like sending emails, running programs and sending logs to a database. For both large and small networks, this is a great choice of Syslog server.

Official Site: https://www.solarwinds.com/free-tools/kiwi-free-syslog-server

OS: Windows & Windows Server

If you are tooling up a network management team, you are going to need a lot more than just the Kiwi Syslog Server. In these circumstances, consider the Small Business Network Management Bundle. This gives you the Kiwi Syslog Server plus three more systems management modules. The first of these is the Engineer’s Toolset, which is actually a bundle of more than 60 system management utilities. You also get the Network Topology Mapper and Kiwi CatTools, which manages network device configuration backup. This package runs on Windows Server and you can get it on a 14-day free trial.


2. ManageEngine EventLog Analyzer (FREE TRIAL)


ManageEngine EventLog Analyzer operates as a Syslog server and is free for up to five log sources. The monitoring software can be installed on Windows or Linux, but it can monitor events arising on any operating system. The syslog data can originate in any type of network-connected equipment, including switches, routers, and virtual machines.

Key Features:

  • Syslog log manager
  • Functional dashboard
  • User rights management

Why do we recommend it?

ManageEngine EventLog Analyzer can collect and store many log message formats, not just Syslog. The tool also has deployment options – you can host it on Windows Server or Linux. This tool is more than a log server because it provides a viewer with analysis tools and also implements automated threat hunting as a SIEM service.

You don’t have to put much work into setting up the system thanks to its autodiscovery feature. Syslog is a messaging standard implemented by just about all network-connected devices, so the EventLog Analyzer just needs to listen on the network for all Syslog-compliant messages sent out by the equipment connected to it. Each message contains a header that identifies its origin. That enables the EventLog Analyzer to build up a list of all hardware on the network and list alerts and status reports by IP address/origin.

The ManageEngine dashboard includes a lot of functionality that enables you to specify actions to perform on the collected Syslog data. A typical Syslog server requirement is to write all records to event logs. This action is available, but you can also query records in the dashboards and sort and filter messages. Archived logs can be compressed and encrypted. The encryption enables access rights to be imposed on user accounts, so the visibility of the data in Syslog files can be restricted to just a few network users with admin rights.


Who is it recommended for?

The EventLog Analyzer system is suitable for use by businesses of all sizes. Very small businesses should take up the offer of the Free Edition, which is limited to collecting logs from five sources.


Pros:

  • Offers a limited freeware version, good for smaller businesses
  • Works seamlessly with other ManageEngine tools, fits well into their environment
  • Can apply bulk actions to log data, making it a good fit for enterprises and larger networks
  • Archived logs can be encrypted and have access rights applied to them, helpful in team environments

Cons:

  • The platform has a large number of features and options, which can take time to fully learn and implement

The EventLog Analyzer can also monitor SNMP messages. ManageEngine produces a comprehensive network monitoring system, called OpManager. A Free Edition of this tool is available allowing up to 5 log sources only. You can also download a 30-day free trial of the Premium Edition. For more pricing options, you can contact their sales team.


3. Site24x7 Server Monitoring (FREE TRIAL)


Site24x7 is a cloud-based platform of system monitoring tools. The services are sold in bundles of monitors and management tools and all include the Log Manager.

Key Features:

  • Syslog collector
  • Consolidates Syslog, Windows Events, and application logs
  • Log file viewer
  • Log analysis tools

Why do we recommend it?

Site24x7 offers packages of monitors and services on a cloud platform. While monitoring networks and servers, the bundles also include log collection that consolidates different formats of log messages, including Syslog and Windows Events. The great thing about this package is that you effectively get log management added for free to a full system monitoring package.

The Site24x7 Infrastructure plan is one of those bundles. It offers network, server, application, and website monitoring utilities as well as the Log Manager. This system is almost entirely based in the cloud. However, it requires an agent program to be installed on the monitored system. There is a version of the agent for Linux and another for Windows Server. Whichever version gets installed, the system can collect Syslog messages because it is able to gather data across a network.

The agent program uploads data, including Syslog messages, to the Site24x7 server for processing. The server puts all of the log messages that it receives into a common format and then files them. The standardization of message formats allows log messages gathered from different sources to be analyzed together.

The Site24x7 dashboard includes a log file viewer that has a number of data analysis tools built into it. These tools include the ability to search, sort, filter, and group messages.


Who is it recommended for?

Any business of any size would benefit from the Site24x7 service. The platform is based on the cloud, so you don’t need to install or maintain any software on your site. This means that even owner-run businesses with few staff and no technical expertise can get log management sorted out.

Pros:

  • One of the best platforms in terms of log visualization
  • Offers numerous templates and configurations that make the platform plug-and-play
  • Operates as a cloud service, lowering infrastructure costs and making scaling easy
  • Log collector agent is available for both Windows and Linux
  • Pricing is based on data processed and retention rates, making this a viable option for both large and small businesses

Cons:

  • Site24x7 is a more detailed platform designed for professionals, not the best fit for hobbyists or home users

The Site24x7 Infrastructure plan costs $9 per month when paid annually and it includes a log message processing allowance of 500 MB per month. This allowance can be upgraded for a fee: 10 GB at $10 per month, 100 GB at $95 per month and 1 TB at $900 per month.

Site24x7 Infrastructure is available for a 30-day free trial.


4. FirstWave opEvents (FREE TRIAL)


FirstWave opEvents is a Syslog collector that is also able to collect Windows Events and log messages from applications. The opEvents service will consolidate log messages from all sources by converting them into a common format before storing them in files.

Key Features:

  • Consolidator for Syslog and other log sources
  • Manages log files
  • Data viewer
  • Alerts on log message arrival rate

Why do we recommend it?

FirstWave opEvents is a good option for those who want to run log management on a Linux computer. This system isn’t limited to Syslog because it will collect other formats and merge them all into a common format. This enables the messages to be searched and sorted. The package will also store log messages in files.

The system rotates files and gives them meaningful names, storing them in a logical directory structure so that individual log messages can be located manually. The dashboard for opEvents shows the arrival rate and sources for all messages as they are processed and it is possible to place performance expectation thresholds on this arrival rate. If log messages stop arriving or arrive at a faster or slower rate than expected, the system will raise an alert.

The dashboard also includes a data viewer. You can load in log files and then sort, group, and search through them, creating manual analysis queries. These queries can be stored so they can be applied to other files.


Who is it recommended for?

The FirstWave opEvents system is recommended for businesses of all sizes. Small businesses would particularly benefit from this package because they can use it for free while also using the free network monitoring system.


Pros:

  • Features simple yet informative visualizations of your log events
  • Great user interface – sleek and easy to navigate
  • Offers powerful log consolidation, great for pulling data from diverse sources
  • Alerts can be configured if events haven’t been pulled at a specified rate
  • Solid alternative to cloud-based solutions

Cons:

  • Does not offer a cloud version

The FirstWave system is centered on the Network Management Information System (NMIS), which is a free, open-source system. You have to install NMIS first because opEvents is an add-on and not a standalone service. opEvents is free for networks of up to 20 nodes. Both packages install on Linux. It is possible to install it on Windows over a FirstWave hypervisor. The full version of opEvents is a paid service and you can get it on a 30-day free trial.


5. ManageEngine Log360 (FREE TRIAL)


ManageEngine Log360 is a SIEM system that also acts as a log manager – those logs are the source data for the SIEM. This software package installs on Windows Server. However, it is able to collect Syslog messages from computers running Linux. It is also able to collect logs from computers running macOS and Windows. The different log messaging standards produce different message layouts, so the log manager in Log360 converts all of the messages that it receives into a common format.

Key Features:

  • Merges logs from Windows Events and Syslog
  • Gathers logs from software packages
  • Data viewer
  • Log processing statistics

Why do we recommend it?

ManageEngine Log360 is a very large package that includes many of the log-related systems offered by ManageEngine. Among these is the EventLog Analyzer, which both collects and searches log messages. The system consolidates log messages of different formats, including Syslog and Windows Events.

The log messages can be viewed within the console as they arrive and they are also filed. The data viewer can recall a file for analysis. While manual analysis is possible, the system’s main value is its automated SIEM scanning.

The SIEM service identifies anomalous behavior. In order to do this, the service establishes a framework of normal behavior through the deployment of user and entity behavior analytics (UEBA). Differences from the standard trigger an alert. You can adjust the threshold for alert generation. Alerts can be fed through service desk ticketing systems, including ManageEngine ServiceDesk Plus, Jira, and Kayako.


Who is it recommended for?

ManageEngine Log360 is a very comprehensive package with many utilities in it. A small business that doesn’t have a dedicated systems administrator would probably find that they just don’t have the time to even set up all of the utilities. So this bundle is a better choice for large organizations that have a team of system management technicians.


Pros:

  • Gathers logs from more than 700 software packages
  • File integrity monitoring
  • Log management for Windows Events and Syslog
  • Coordinates with service desk tools

Cons:

  • Not available as a SaaS package

ManageEngine Log360 is available in a Free edition to monitor up to 25 endpoints. The Professional edition is available for a 30-day free trial.


6. Syslog Watcher


Syslog Watcher from EZ5 Systems is available for installation on Windows. This is a free Syslog server program with several extra Syslog monitoring features. As just about every device connected to your network sends out Syslog messages, the Syslog server has to work fast if you want it to do more than just collect and write those messages to a file. Syslog Watcher uses a multithreaded architecture, so the Syslog collection of new records isn’t held up by the completion of processing.

Key Features:

  • Collects Syslog messages
  • Writes to files or a database
  • Free to use for home use

Why do we recommend it?

Syslog Watcher is a free Syslog server that runs on Windows. This is a big advantage for companies that have Linux machines and run applications that use the Syslog format but want to centralize all log management on a Windows computer.

The control dashboard gives you options on how to process messages. You aren’t limited to storing them in files because you have the option of writing them to a database. Getting your Syslog messages in a database gives you a lot more power to deal with event records because you can sort, filter, group, and count them. It allows you to combine events to generate custom alert conditions. You can get alert messages sent to you by email through the Syslog Watcher.

Syslog Watcher can monitor messages both over UDP and TCP, and it can operate with both the IPv4 and the IPv6 address systems.


Who is it recommended for?

There is nothing to stop businesses from using the Free Edition of Syslog Watcher. The main problem users of this version might encounter is that it is limited to dealing with three concurrent connections. As many applications generate Syslog messages almost constantly, managing the flow of messages to open and close connections could end up being a complication that isn’t worth the bother when the paid version is available at a low price.


Pros:

  • Uses multi-threading for faster, more efficient log processing
  • Allows you to write logs to a database, good for larger volumes of data that need reviewing
  • Allows monitoring over UDP or TCP, giving you more port options than other tools

Cons:

  • Interface feels cluttered with a high volume of logs
  • Could use better event visualization features

UPDATE: Syslog Watcher is free for home use. Business users have to pay for the tool. However, EZ5 Systems offers a 30-day money-back guarantee. So, if you want to try it out for free, just use it for a month and then ask for your money back.

7. The Dude


The Dude is a very widely used free network analysis tool that includes Syslog server functions. This app can be installed on any Windows version from Windows 2000 on, all flavors of Linux, and macOS. This tool is produced by MikroTik, a router manufacturer from Latvia.

Key Features:

  • Collects Syslog messages
  • Forwarding and filtering
  • Free to use

Why do we recommend it?

The Dude Syslog server is part of a network monitoring and analysis tool that is free to use. The Syslog server can be used to file or forward Syslog messages. The only problem with this is that the tool doesn’t handle other formats of log messages.


This system can monitor your network devices and collect Syslog data. It can process SNMP alerts, plus ICMP and DNS traffic. The Dude can monitor TCP traffic as well as UDP. The network monitoring features include autodiscovery and a network topology mapper.

The Syslog functions of The Dude can be accessed from a tab in the interface. The system can operate as a full Syslog server with extra forwarding and filtering capabilities. You can get The Dude just to send all records to a file, or specify rules to divert qualifying messages to other destinations, which might be separate event logs or the console of the system. You can also drop individual records and get the system to beep, flash, or display a popup message for custom alert conditions.

Who is it recommended for?

The Dude runs on Windows, so if you want to gather Syslog messages and file them on your Windows server, this is a good choice. You would need to forward messages to another server in order to consolidate Syslog messages with other log types.


Pros:

  • Installs on Windows, Linux, and Mac, making this one of the most flexible options for syslog servers
  • Can ingest SNMP alerts, ICMP requests, and DNS queries, giving you a wide variety of log collection options
  • Utilizes autodiscovery for network mapping and device identification
  • Supports log forwarding to other servers or applications

Cons:

  • Not as lightweight as some other simple syslog servers
  • Interface can be challenging to learn

The Dude performs actions when it detects a given alert condition, including the execution of commands. The Dude can send you an email or make a spoken announcement upon the detection of a custom alert condition.

8. Paessler PRTG Network Monitor


Paessler PRTG Network Monitor is a very comprehensive network monitoring system. However, you can use PRTG for free if you have a small network. Paessler charges per “sensor.” A sensor is a condition or status on a network. The company counts Syslog as one sensor, and if you monitor 100 sensors or fewer, the system is free of charge. So, you will have 99 other network conditions that you can monitor before you have to pay.

Key Features:

  • Syslog collector sensor
  • Writes log records to a database
  • Manages Syslog database
  • Free version with limitations

Why do we recommend it?

Paessler PRTG Network Monitor runs on Windows Server so if you need to collect Syslog messages from other operating systems and store them through your Windows system, this is a great option. The Syslog Receiver Sensor inserts logs into a database and that provides options over how the messages can be used and managed.

You can download the PRTG software from the Paessler website and install it on Windows. There isn’t a version for Linux. However, you can opt to access the software as a cloud service, which is system agnostic.


The Syslog function in PRTG is called the Syslog Receiver. This sensor will gather all Syslog data traveling around your network and write them to a database. Once the messages are in the database, the subsequent management of those records depends on the settings that you specify for the system. You can get them written to log files, query them in the PRTG dashboard, and trigger actions under certain conditions.

Who is it recommended for?

All businesses need to collect log messages for security monitoring and compliance reporting, so getting this Syslog manager for free is a great option for businesses of all sizes.


Pros:

  • Allows users to customize sensors to meet their specific needs
  • Free version allows monitoring with up to 100 sensors, great for smaller businesses
  • Offers both on-premise and cloud versions
  • A great choice for companies looking to also monitor other aspects of their business such as networks, applications, or infrastructure

Cons:

  • Can take time to learn the platform; PRTG is rich with features and designed for enterprise use

PRTG is free if you only activate up to 100 sensors, which is more than enough to access the Syslog server monitors.

9. Visual Syslog Server


Visual Syslog Server is a small utility that collects Syslog data and displays them in a viewer. The records can also be written to event logs and rotated by date or file size. This application can be installed on Windows and it is available for free. The software can be installed on Windows XP and above and also on Windows Server 2003, 2008, and 2012.

Key Features:

  • Collector of Syslog messages
  • Data viewer
  • Free to use

Why do we recommend it?

Visual Syslog Server collects Syslog messages, which are usually generated on Linux systems, but this tool runs on Windows. So, this is a great tool to get your Syslog messages over to the Windows operating system and file them. The utility includes a data viewer that lets you filter and sort messages.

In the dashboard, records are color-coded with error messages in red and warnings in yellow. Those colors can be customized. You get real-time views of the messages and you can also load records into the viewer from files.


Although this utility doesn’t have sophisticated graphics or message processing options, it is lightweight and fast, so it has a market. The viewer presents records and allows you to filter them and sort them. The interface can be set to play a sound when an alert condition is encountered. You can also set the application to send you an email when it encounters an alert or a warning. If your email system supports encryption, Visual Syslog Server will encrypt the notification emails that it sends to you.

Who is it recommended for?

Visual Syslog Server is free to use, so it will appeal to small businesses. You can set it up to provide you with alerts on factors such as throughput level variation or for the arrival of specific message codes.


Pros:

  • Simple interface – utilizes color to aid in log prioritization
  • Powerful filtering options work quickly and are easy to learn
  • More user friendly than other tools

Cons:

  • Better suited for smaller networks, features don’t work as well at scale
  • Lacks event visualization
  • Alert notifications are limited

This is a handy, free, ready-to-use and strong Syslog tool that gets the job done.

10. NXLog


This review includes Syslog server programs that can be installed on Windows and/or Linux. NXLog can be installed on either of those operating systems and also on Unix and Android. Whichever operating system you install this system on, it will be able to collect Syslog data from all the others: Unix, Linux, Windows, and Android.

Key Features:

  • Suitable for Windows, Unix, Linux, and Android
  • Multithreaded architecture
  • Free to use

Why do we recommend it?

NXLog is a paid tool but we recommend its free counterpart, which is called the NXLog Community Edition. This service is able to collect Windows Events as well as Syslog. It will consolidate these different log files into a common format. You can set the system to file log messages or forward them to another log processor.

NXLog is a straightforward message collection system. It can operate over UDP and TCP and it can receive messages protected by TLS encryption. Messages get written to files and can also be stored in databases. In all cases, NXLog creates a standard record format that unites data from disparate sources. A multithreaded architecture enables this tool to handle hundreds of thousands of messages per second, making it suitable for networks of all sizes.


Who is it recommended for?

Any business could use NXLog Community Edition but it does need a little setting up, so very small businesses with no technical skills on site might struggle. Very large companies that require professional support guarantees with their software purchases should consider the NXLog Enterprise Edition.


Pros:

  • Supports Windows, Unix, Linux, and uniquely Android as well
  • Lightweight application – uses very few resources
  • Multi-threaded architecture enables the tool to process large volumes of data
  • Completely open-source and free

Cons:

  • Interface is barebones, lacking many features found in similar tools
  • No event visualization

The NXLog system is open-source and you can use it free of charge. There aren’t any analytical functions in this tool, so if you want to view records or manipulate them in any way, you will need to find a separate front end for analysis. This is a straightforward message collection and logfile creation facility, making it a pure Syslog server.

11. Logstash


Logstash is part of a suite of utilities called “Elastic Stack.” This group of tools is produced by a group of developers whose first product is called Elasticsearch. Elasticsearch is a second element in the Elastic Stack, as is Kibana. The division of labor between these three packages is that Logstash collects log messages, Elasticsearch enables you to sort and filter those messages for analysis, and Kibana interprets and displays the data. All of the Elastic Stack programs run on Linux.

Key Features:

  • Part of the ELK stack
  • Collects from cloud platforms
  • Free to use

Why do we recommend it?

Logstash is a very powerful log processing system and it is part of a suite of tools, called the Elastic Stack, or ELK. Using Logstash, you can collect and consolidate logs in Syslog and Windows Events formats as well as many application logs. This tool can also collect log messages from cloud systems, including AWS, Salesforce, and Twitter.

Kibana makes a great front-end for any of the other Syslog servers in this list. As the event message collection service for the stack, Logstash operates as a Syslog server. The utility listens on the network for messages sent from a wide range of sources. To record a specific stream, you need to install a plug-in for that data type. You can just install the Syslog plug-in, or add in other plug-ins to include other data sources.


Logstash also gathers data from cloud services including AWS. It can collect data from applications such as Ganglia, Salesforce, Graphite, Kafka, and Twitter. You can set the collection process to include TCP and UDP messages and it can receive messages encrypted with TLS. Logstash can read messages from a file, from a database, pick up SNMP messages, IRC and RSS feeds, and get messages from mail servers.

Who is it recommended for?

Logstash and all of the ELK products offer opportunities to build your own application with ease and there are many commercial adaptations of these tools out on the market. If you don’t know much about technology, the ease of use of these tools makes setting up Syslog collection very easy. Large corporations with technical staff should jump on this package. There is a paid, cloud version of the ELK suite available.


Pros:

  • Great user interface, highly visual with easy to navigate toolbar
  • Part of the Elastic Stack – leverages a large open-source community
  • Supports gathering information from cloud sources like AWS
  • Uses Elasticsearch for filtering, one of the most flexible search tools available

Cons:

  • Must install plugins for every data type you collect
  • No paid support option, bugs and issues are resolved by the community

Logstash can filter, divert, and reformat messages during processing. The program stores records in files or inserts them into databases. The utility is written to integrate with Elasticsearch and can send data directly to that application. Similarly, Logstash can be set to output data to Loggly, Nagios, AWS, Graphite, and Graylog. Other plug-ins will notify you of new log data by email or by Slack message. Logstash is available free of charge.

12. TFTPD32/64


TFTPD is a small utility for Windows. The package is available as a 32-bit or a 64-bit application. The central element of this software is a TFTP client implementation. That client can be set to receive network messages from DHCP, DNS, and SNTP servers. It is also able to receive Syslog data.

Key Features:

  • GUI and command line
  • DHCP and DNS server
  • Free to use

Why do we recommend it?

TFTPD is a free utility that runs on Windows and is nominally a client and server for use with the Trivial File Transfer Protocol (TFTP). However, the tool has other utilities built in and one of those is a Syslog server. Although this package includes a log viewer and a setting that will store Syslog messages, it doesn’t collect Windows Events and it can’t perform consolidation.

This is a simple open-source utility that displays messages in the dashboard as they arrive. Buttons over the viewer give you the ability to view messages by type and Syslog is one of the message types that can be featured. You see messages as they travel on their way to event logs and the viewer also names the file that Syslog messages should be stored to. This utility doesn’t give you much functionality for data analysis. However, you can also read in records from a file and then you have the ability to sort and filter messages.

Who is it recommended for?

TFTPD is a handy free utility for a system administrator to have to hand. However, the tool is getting a little dated and there are more powerful free Syslog servers on this list that provide more features.


Pros:

  • Lightweight alternative to other more modern options
  • Can be used in other capacities since it’s a TFTP server
  • Available for free

Cons:

  • No data analysis tools
  • No event visualizations
  • Outdated user interface

TFTPD can work with IPv6 addresses as well as IPv4 addresses. TFTPD32 and TFTPD64 are both available for free.

What you need to know about Syslog Servers and Clients

The concept of a “Syslog server” really refers to an application that deals with syslog messages rather than the provision of a dedicated computer to receive the messages. So, don’t get misdirected by that “server” word in there.

The server/client model is a little difficult to grasp in Syslog terms, too. Usually, the client contacts the server and the server responds. In syslog, the syslog client is just a program that broadcasts error, warning, and debugging messages. The syslog client doesn’t have any direct contact with a counterpart: it sends out the messages whether or not anyone is listening for them. Syslogd is a daemon. This is a Syslog collector and so is judged to be the server, even though it never responds to the originator of the messages. The daemon may be running locally, or it can also be implemented as a remote syslog server by connecting over the internet.

Although the Syslog standard has been codified by the Internet Engineering Task Force, there are so many implementations of Syslog that some variation in the syslog data message format exists. With all of the different message types you could be benefiting from, you need to get a tool to sort through them all.

The definition of the Syslog standard is freely available to the public but it is not regarded as an “open source project.” This is because “open source” refers to freely available program code, but Syslog is a standard, rather than a program. However, there are open source Syslog server implementations out there.

Syslog and Windows

The Syslog standard was written for Unix and it is also available for Unix-like operating systems, including Linux and Mac OS X. Syslog is also used by many network devices for error reporting. Syslog doesn’t operate on Windows. The Windows operating system has its own log messaging system, called Events.

The division of log systems between Windows and Linux into two separate and incompatible standards shouldn’t cause you a problem. You can unify these log file messages in one central location so security software, such as intrusion detection systems, can get a system-wide view of events.

Network equipment will automatically broadcast Syslog messages on the network. That means that any device can pick the messages up. The Syslog standard specified that log messages should be circulated to UDP port 514 or TCP port 1468. The destination of messages on a Linux server is dictated by the syslogd or syslog-ng configuration file. These can be directed to the network on the well-known UDP or TCP port.

Once you have the Syslog messages circulating on the network, software running on Windows can pick them up, so you don’t have to stick to Syslog server software for Linux to collect these important messages. Many excellent Syslog servers are written to run on Windows.

Syslog Messages

Syslog messages can be regarded as the Linux/Unix equivalent of Windows Event Logs. So, you could refer to them as “Syslog events.” They supply the essential information and will support your system administration tasks through:

  • Warnings of equipment failure – which get written to a log file
  • Capacity exhaustion monitoring – through pre-set warning levels which you set yourself
  • Alerts of unexpected events – abnormal activity may indicate compromised user accounts
  • Network intrusion detection – spot unauthorized devices and access to unexpected locations on the internet

The records in your syslog files are written there because the producers of your software and devices judged certain events to be of significance, so it is a mistake to ignore this rich source of system activity and status information. So download a Syslog collector and activate it.

Syslog Port Numbers

Syslog operates over UDP, so expect activity on UDP port 514 of your network devices. This is caused by all of those Syslog event messages circulating around your network. UDP port 514 is used by Syslog clients to send messages and also by Syslog servers to listen for messages. Therefore it is both the source and destination port on all standard Syslog communications. Don’t close it. Be suspicious of activity on TCP port 514. This is a port known to be used by the ADM worm and it is not used for Syslog.

There are secure Syslog implementations. A secure Syslog service needs to establish a connection, so you cannot use a UDP port for it. The secure version of Syslog is known as Syslog over TLS and it uses TCP port 6514. If you want to operate a remote Syslog server connecting to a network across the internet, you need to go the Syslog over TLS route because unencrypted Syslog events being sent over the internet would seriously undermine your network security.

Choosing Syslog server software

As you can see from the description of the tools in our list, you can choose a straightforward Syslog server, or opt for an analytical tool or a network monitoring system that incorporates Syslog server functions.

Beyond the basic functions of transferring Syslog messages to files, you can look for the capabilities to sort and filter messages. The ability to vary processing according to message types and drop debug messages and information notifications is useful. A programmer might need to see those debug messages, and so the ability to selectively direct message types to a viewer, a log file, or to a database can be very useful.

The evolution of Syslog processing to store records in a database rather than a file offers you great power. It is far easier to index, sort, search, and filter records in a database than it is to manipulate file records. This is because databases include a structured query language that enables you to isolate fields in records and perform selection, grouping, and exclusion functions on data without altering the original stored records.

Another useful advancement in the Syslog servers available today is a system that can collect messages generated by other platforms and protocols, such as the Windows event logger. If your Syslog server can create standardized record formats, that takes you another step further along the route to collect important information about your system.

Getting alerts created for the conditions reported by Syslog will also give you extra power to focus your energy on essential tasks. The ability to create your own alert conditions represents an advancement in Syslog processing. Sometimes, the contents of a message might not create concern. However, a sudden surge in the frequency of such messages should become an alert and you can specify such conditions in many of the Syslog servers listed in this full review. The ability to combine a count of message types or error conditions is another useful feature that many modern Syslog servers include.
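The surge condition described above can be expressed as a sliding-window count per host and message type. The following is an added example, not code from any of the products reviewed; the function names, the 60-second window, the threshold of 5 and the sample messages are all assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

def signature(text):
    """Collapse variable fields (IPs, ports, PIDs) so similar messages group."""
    return re.sub(r"\d+", "#", text)

def detect_surges(events, window=timedelta(seconds=60), threshold=5):
    """events: time-ordered (timestamp, host, message) tuples.
    Returns one (timestamp, host, signature, count) alert each time a
    host/signature pair reaches `threshold` messages inside `window`."""
    recent = defaultdict(deque)   # (host, signature) -> timestamps in window
    alerting = set()              # pairs already reported, to avoid alert storms
    alerts = []
    for ts, host, text in events:
        key = (host, signature(text))
        stamps = recent[key]
        stamps.append(ts)
        while ts - stamps[0] > window:      # expire entries older than window
            stamps.popleft()
        if len(stamps) >= threshold:
            if key not in alerting:
                alerting.add(key)
                alerts.append((ts, host, key[1], len(stamps)))
        else:
            alerting.discard(key)           # rate fell back: re-arm the alert
    return alerts

# Constructed sample: routine failures minutes apart, then a burst on web1.
T0 = datetime(2024, 1, 1, 3, 0, 0)
FAILED = "Failed password for root from 203.0.113.7 port {} ssh2"
SAMPLE = [(T0 + timedelta(seconds=s), h, FAILED.format(40000 + s))
          for s, h in [(0, "web1"), (300, "web1"), (600, "web1"), (610, "web1"),
                       (615, "web1"), (620, "web1"), (625, "web1"),
                       (630, "web1"), (640, "db1")]]

if __name__ == "__main__":
    for ts, host, sig, count in detect_surges(SAMPLE):
        print(f"{ts} {host}: {count} x '{sig}' within 60s")
```

Individually, none of the sample messages would raise concern; only the fifth failure inside one minute on the same host produces an alert, and the sixth does not repeat it.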

A Syslog server embedded in a network centralized management tool can provide excellent analysis capabilities. If you already have all the analytical tools you need, then you would be better off focusing on the vanilla Syslog server tools in this review. However, if you have very little budget for system management software and you don’t currently have any analytical tools, then go for a free system management utility that includes a Syslog server to keep control of your IT infrastructure.

Managing IT services requires proper tools. Take a look at the free software recommended in this full review that fits your operating system. Our Editor’s choice is an excellent place to start and the SolarWinds Kiwi Syslog Server is a comprehensive logging tool. Take a little time to play around with each tool so you can discover their features for yourself. Given that all of these tools are free, you have nothing to lose but the time it takes to learn them.

Syslog Server FAQs

How do I access my Syslog server?

The access method for a Syslog server depends on your operating system and the specific Syslog server that you chose to install. On Linux, the Syslog server is more likely to be a command line utility. If you have a Linux flavor with a graphical interface, such as Ubuntu, you might be able to have a GUI Syslog server package.

GUI interfaces are very common for Windows-based Syslog servers. In these cases, the installer may well have created a shortcut icon on your Desktop. If you don’t see it there, click on the Start menu button and search through that list of available programs.

How do I create a Syslog server?

Syslog is a Linux utility, so it is better to create a Syslog server on a Linux machine:

  1. Install syslog-ng. On Debian, you don’t need to download the utility. Instead, type at the command line:

    apt-get install syslog-ng

    On RHEL, enter:

    yum install syslog-ng
  2. Locate /etc/syslog-ng/syslog-ng.conf and make a backup of it then edit it. Alter the configuration settings so the options look like:
    options {(off);
  3. Create a listener with the following lines in the configuration file:
    source s_net {
        # the listen address is missing from the original; 0.0.0.0 (all interfaces) is assumed here
        tcp(ip(0.0.0.0) port(1000) max-connections(5000));
        udp();
    };
  4. Set up a destination for the syslog messages. You can actually set up redirections for each source of message to different log file names. Here is an example line:
    destination d_net_syslog { file("/var/log/syslog/remote/$HOSTNAME/syslog.log"); };
  5. Save the configuration file.

Those are the basic steps to start collecting Syslog messages and storing them to a file. You can get more sophisticated by adding in filters to direct messages to different files or add in explanations of each recorded event.

What is the default Syslog facility level?

The default Syslog facility level is Local4.

How do I memorize Syslog levels?

The Syslog levels are:

  • Emergency (0)
  • Alert (1)
  • Critical (2)
  • Error (3)
  • Warning (4)
  • Notifications (5)
  • Information (6)
  • Debug (7)

Create a mnemonic to remember these. Take the first letter of each level type and make a memorable phrase with words that start with the same letters. E, A, C, E, W, N, I, and D won’t make a meaningful word, so create a sentence that you can’t easily forget, and put your name in there if it starts with one of those letters. Put in swear words, too, so you will remember the phrase, but then make sure you don’t recite it out loud.
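On the wire, the facility and the level travel together as one number in angle brackets at the start of each message: facility × 8 + level, as defined in RFC 3164 and RFC 5424. The following added example (not code from any product on this page) decodes that value and copes with the format variation between senders; the function name and the sample lines are constructed for illustration.

```python
import re

FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv "
              "ftp ntp audit alert clock local0 local1 local2 local3 local4 "
              "local5 local6 local7").split()
# Level names as listed on this page, indexed by severity number 0-7.
LEVELS = ["Emergency", "Alert", "Critical", "Error", "Warning",
          "Notifications", "Information", "Debug"]

PRI = re.compile(r"<(\d{1,3})>")
# RFC 5424: version 1, timestamp, host, app, procid, msgid, then the rest.
RFC5424 = re.compile(r"1 (\S+) (\S+) (\S+) \S+ \S+ (.*)", re.S)
# RFC 3164 (BSD): "Mmm dd hh:mm:ss" timestamp, host, then the message.
RFC3164 = re.compile(r"([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)", re.S)

def parse(line):
    """Decode one syslog line; unknown layouts are kept, never dropped."""
    m = PRI.match(line)
    if not m or int(m.group(1)) > 191:       # 23 * 8 + 7 is the largest PRI
        return {"format": "unparsed", "raw": line}
    pri, rest = int(m.group(1)), line[m.end():]
    rec = {"facility": FACILITIES[pri // 8], "severity": pri % 8,
           "level": LEVELS[pri % 8]}
    m5, m3 = RFC5424.match(rest), RFC3164.match(rest)
    if m5:
        rec.update(format="rfc5424", timestamp=m5[1], host=m5[2],
                   app=m5[3], msg=m5[4])     # msg still includes structured data
    elif m3:
        rec.update(format="rfc3164", timestamp=m3[1], host=m3[2], msg=m3[3])
    else:
        rec.update(format="pri-only", msg=rest)
    return rec

# Constructed sample lines, one per layout a collector is likely to receive.
SAMPLES = [
    "<165>1 2024-01-01T03:00:00Z host1.example.com app1 - ID47 - config saved",
    "<34>Jan  1 03:00:05 host2 su: 'su root' failed for user1 on /dev/pts/8",
    "<13>link up on port 3",
    "no priority header at all",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(parse(s))
```

Lines that match no known layout are returned as `unparsed` with the raw text intact, so a malformed or unexpected message still reaches storage instead of disappearing from the record.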

What is a Syslog server?

A Syslog server receives files sent by Syslog clients or sends out files in response to requests. The files are formatted following a protocol called Syslog, which defines the fields in each log message.