Best free syslog servers for Linux and Windows

Syslog is the standard for system messages: the original BSD format is documented in RFC 3164 and the current protocol in RFC 5424. It was first implemented by the Unix syslogd daemon, but it is now used by a wide range of IT equipment, so just about every piece of computing kit you buy can send Syslog messages.

Each message carries a priority value that encodes a facility (which subsystem sent it) and a severity level, so you can direct messages to different log files by facility or severity. But if you plan to make the most of the information, that data really should be processed, or at least read.

To qualify as a Syslog server, a tool must be able to receive messages sent according to the Syslog protocol (traditionally on UDP port 514, which offers no delivery guarantee and no authentication of the sender, so prefer TCP, or TLS where the server supports it) and store them. Syslog forwarding is handy, as is log rotation, which means starting a new file periodically so that no single file grows without bound.
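The points above (the priority value, routing by severity, and the origin host carried in each message header) are easier to see in code. The following is an added example written for this page, not code from any of the products reviewed: it parses constructed sample lines in both the BSD (RFC 3164) and RFC 5424 layouts, decodes PRI into facility and severity, picks a destination file by severity, and counts messages per reporting host. The destination file names and the severity threshold are assumptions chosen for the demonstration.

```python
# Added example (not from the page or any product on it): decode syslog PRI,
# route by severity, and tally messages per origin host. Sample lines are
# constructed; destination names and the threshold are arbitrary choices.
import re
from collections import Counter

FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD...] MSG  (RFC 5424)
_RFC5424 = re.compile(r"^<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+)(?: (.*))?$")
# <PRI>Mmm dd hh:mm:ss HOSTNAME MSG  (RFC 3164 / BSD syslog)
_RFC3164 = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")
# One or more [id k="v" ...] blocks; escaped ']' inside values is not handled here.
_SD = re.compile(r"^((?:\[[^\]]*\])+)(?: (.*))?$")


def decode_pri(pri: int):
    """PRI = facility * 8 + severity; anything above 191 is invalid."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def _split_sd(rest):
    """Separate STRUCTURED-DATA from MSG in an RFC 5424 line."""
    if rest is None or rest == "-":
        return "-", ""
    if rest.startswith("- "):
        return "-", rest[2:]
    m = _SD.match(rest)
    if not m:
        return None
    return m.group(1), m.group(2) or ""


def parse_syslog(line: str):
    """Return a dict for a well-formed line, or None for anything malformed."""
    m = _RFC5424.match(line)
    if m:
        pri = int(m.group(1))
        sd_msg = _split_sd(m.group(8))
        if sd_msg is None:
            return None
        rec = {"version": int(m.group(2)), "timestamp": m.group(3), "host": m.group(4),
               "app": m.group(5), "procid": m.group(6), "msgid": m.group(7),
               "sd": sd_msg[0], "msg": sd_msg[1]}
    else:
        m = _RFC3164.match(line)
        if not m:
            return None
        pri = int(m.group(1))
        rec = {"version": 0, "timestamp": m.group(2), "host": m.group(3), "app": None,
               "procid": None, "msgid": None, "sd": "-", "msg": m.group(4)}
    try:
        facility, severity = decode_pri(pri)
    except ValueError:
        return None  # e.g. <999>: reject rather than guess
    rec.update(pri=pri, facility=facility, severity=severity, severity_code=pri & 7)
    return rec


def route(record: dict, max_severity: int = 2) -> str:
    """Severity 0 (emerg) .. max_severity go to critical.log; the rest are filed by facility."""
    if record["severity_code"] <= max_severity:
        return "critical.log"
    return f"{record['facility']}.log"


def summarize(lines, max_severity: int = 2):
    """Route each line and tally destinations, origin hosts, and rejected lines."""
    routed, by_host, rejected = Counter(), Counter(), 0
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            rejected += 1
            continue
        routed[route(rec, max_severity)] += 1
        by_host[rec["host"]] += 1
    return dict(routed), dict(by_host), rejected


# Constructed sample input: two BSD-style lines, two RFC 5424 lines,
# one line with an impossible PRI, and one that is not syslog at all.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 fw01 sshd[1203]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    '<13>Oct 11 22:14:16 web01 nginx: 198.51.100.7 - - "GET /index.html HTTP/1.1" 200',
    '<165>1 2003-10-11T22:14:15.003Z web01 evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application"] An application event log entry',
    "<0>1 2024-05-01T08:00:00Z core-sw01 kernel - - - panic: out of memory",
    "<999>Oct 11 22:14:17 bad-host something went wrong",
    "this is not a syslog line",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

Two things worth noticing when you run it: the `<999>` line is rejected outright instead of being filed under a made-up facility, and the two `web01` messages are grouped under the same host even though one is BSD-style and the other RFC 5424, which is exactly the origin identification that lets a collector build its device list from traffic alone.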

Here’s our list of the best Syslog server tools for Linux and Windows:

  1. SolarWinds Kiwi Syslog Server EDITOR’S CHOICE The top choice for collecting, viewing and archiving syslog messages and SNMP traps. With a variety of filters and real-time monitoring options you can closely monitor your network and also send daily summaries. Free for up to five devices.
  2. Paessler PRTG Network Monitor (FREE TRIAL) A comprehensive network, server, and application monitor that includes sensors for Syslog management. The first 100 sensors are free.
  3. Loggly (FREE TRIAL) Cloud-based log analyzer that uploads all of your log data to its servers. This service is for a fee, but there is a free Lite package.
  4. ManageEngine Event Log Analyzer (FREE TRIAL) Can be installed on Windows or Linux, operates as a Syslog server and includes a very intuitive and user-friendly dashboard.
  5. Site24x7 Server Monitoring (FREE TRIAL) A network, server, and application monitor that includes a log manager for Syslog and also Windows Events and application log messages. This is a cloud-based service.
  6. FirstWave opEvents (FREE TRIAL) A log file manager that is able to collect log messages from a range of sources, including Syslog. Installs on Linux.
  7. ManageEngine Log360 (FREE TRIAL) A SIEM system that includes a log collector and server that is able to extract Syslog messages from Linux computers. Runs on Windows Server.
  8. Progress WS_FTP Server This FTP server is able to manage the receipt of Syslog messages. The tool will run on Windows Server.
  9. Syslog Watcher A free Syslog server for Windows that writes Syslog messages to files or a database and includes record sorting and filtering functions.
  10. Fastvue Syslog Free Syslog server for Windows Server 2012 R2 and later. As well as writing messages to log files it creates verification files holding SHA-256 hashes, so tampering with a log file can be detected.
  11. The Dude Free network analysis tool with an integrated Syslog server for Windows, Linux, and Mac OS.
  12. Nagios Log Server Integrated into Nagios XI (paid) and Nagios Core (free) for Windows and Linux. The free version is limited to a data throughput of 500 MB per day.
  13. Icinga 2 Free network monitoring system for Linux with an integrated Syslog server.
  14. Visual Syslog Server Collects Syslog messages and stores them to file as well as displaying them in a dashboard. The program is free and runs on Windows and Windows Server.
  15. Syslog-NG A free Syslog server for Linux that also collects Windows events over a network.
  16. NXLog A free Syslog server for Windows, Linux, Unix, and Android.
  17. Logstash A system message monitoring service for Linux that includes the storage of Syslog messages.
  18. Graylog A log management system for Linux that is free to use with log message data volumes of up to 5 GB per day.
  19. TFTPD32 Lightweight, free system message logger for Windows that includes monitoring for Syslog.

Syslog servers by OS

Syslog server             Linux   Windows   Other
Kiwi Syslog Server        No      Yes       No
Loggly                    Yes     Yes       Yes
EventLog Analyzer         Yes     Yes       No
Site24x7                  Yes     Yes       No
FirstWave opEvents        Yes     No        No
ManageEngine Log360       No      Yes       No
Paessler PRTG             No      Yes       Yes
Progress WS_FTP Server    No      Yes       No
Syslog Watcher            No      Yes       No
Fastvue Syslog            No      Yes       No
The Dude                  Yes     Yes       Yes
Nagios Log Server         Yes     Yes       No
Icinga 2                  Yes     No        No
Visual Syslog Server      No      Yes       No
Syslog-NG                 Yes     No        No
NXLog                     Yes     Yes       Yes
Logstash                  Yes     No        No
Graylog                   Yes     No        No
TFTPD32                   No      Yes       No

For the cloud-hosted services (Loggly, Site24x7, PRTG Hosted), "Yes" means a collector agent or uploader runs on that operating system; the server itself is hosted by the vendor.

The Best Syslog Server Tools for Linux and Windows

If you don’t have a budget for tools, or if you don’t think it is worth spending money just to look at log file messages, then check out our list of free syslog servers. Most review sites will give you a list of the five or ten best syslog servers, but we have gone the extra mile and found 19 excellent syslog servers that are free to use or at least free to try.

Our methodology for selecting Syslog server tools

We reviewed the market for Syslog servers and analyzed the options based on the following criteria:

  • The ability to receive Syslog messages from any device or operating system
  • The option to receive log messages in other formats, such as Windows Events and application logs
  • Consolidation of messages from different sources into one log store
  • A log file manager, including rotation and archiving
  • A record of which logs were received and when
  • A free edition or a free trial period for assessment
  • A free tool that offers sufficient utilities, or a paid tool that is worth the money

1. SolarWinds Kiwi Syslog Server (FREE DOWNLOAD)

Kiwi screenshot

Kiwi is a syslog server utility from SolarWinds. The package costs $295, but there is a free version. You can use the system for free to monitor Syslog messages from up to five devices. The free package would only be suitable for small networks.

Key Features:

  • Collects Syslog messages and SNMP traps
  • Generates log files
  • Log record viewer
  • Free version

Why do we recommend it?

Kiwi Syslog Server Free Edition is attractive because it is a cut-down edition of a paid tool. Although the paid version has more features, the Free Edition is a capable Syslog collector that can store and forward Syslog messages as well as other log formats.

SNMP is a separate protocol from Syslog, but Kiwi can also receive SNMP messages. A device-originated SNMP notification is called a “trap.” Traps are the exception to the normal SNMP pattern, in which a device’s agent only reports status when a manager polls it; the agent sends a trap on its own initiative when a notable event occurs, so traps tend to carry the conditions you most want to hear about promptly. The package includes Kiwi Syslog Web Access, a web interface that you host on your own server and that gives access to the Syslog server’s console from any standard web browser.

Who is it recommended for?

Anyone can use the Kiwi Syslog Server to collect, view, and manage Syslog messages as well as SNMP Traps and Windows Events messages. Collecting log messages and filing them is an important requirement for data protection standards compliance.

Pros:

  • Offers a freeware version for smaller networks
  • Captures both syslog and SNMP traps, ensuring nothing is missed
  • Interface is easy to use and allows for quick filtering based on application, location, or custom grouping
  • Color-coded warning level helps critical events pop out, and aids in prioritization
  • Affordable for any size network

Cons:

  • Built for sysadmins, not the best option for home networks or non-technical users

Kiwi lets you write event logs split by IP address, date, or message source type. The free edition can email you an alert on high traffic conditions; the paid version offers many more conditions to alert on. Kiwi Syslog Server is only available for Windows. It can be installed on Windows Server 2008 R2, Windows Server 2012, Windows 7 SP1, Windows 8.1, and Windows 10.

EDITOR'S CHOICE

Kiwi Syslog Server is the top choice for collecting, viewing and archiving syslog messages and SNMP traps. With a variety of filters and real-time logging windows, you can closely monitor your network and send daily email summaries. The free version is limited to 5 devices, but the full version, at only $295, is far more powerful with actions like sending emails, running programs and sending logs to a database. For both large and small networks, this is a great choice of Syslog server.

Get 30 Day Free Trial: www.solarwinds.com/free-tools/kiwi-free-syslog-server/

OS: Windows & Windows Server

2. Paessler PRTG Network Monitor (FREE TRIAL)

Paessler Syslog Receiver screenshot

Paessler PRTG Network Monitor is a very comprehensive network monitoring system. However, you can use PRTG for free if you have a small network. Paessler charges per “sensor,” where a sensor is one monitored metric, status, or data feed. The Syslog receiver counts as one sensor, and if you run 100 sensors or fewer the system is free of charge, so you have 99 other network conditions that you can monitor before you have to pay.

Key Features:

  • Syslog collector sensor
  • Writes log records to a database
  • Manages Syslog database
  • Free version with limitations

Why do we recommend it?

Paessler PRTG Network Monitor runs on Windows Server so if you need to collect Syslog messages from other operating systems and store them through your Windows system, this is a great option. The Syslog Receiver Sensor inserts logs into a database and that provides options over how the messages can be used and managed.

You can download the PRTG software from the Paessler website and install it on Windows. There isn’t a version for Linux. However, you can opt to access the software as a cloud service, which is system agnostic.

The Syslog function in PRTG is called the Syslog Receiver. This sensor listens for Syslog messages that your devices have been configured to send to the PRTG probe and writes them to a database. Once the messages are in the database, the subsequent management of those records depends on the settings that you specify for the system. You can have them written to log files, query them in the PRTG dashboard, and trigger actions under certain conditions.

Who is it recommended for?

All businesses need to collect log messages for security monitoring and compliance reporting, so getting this Syslog manager for free is a great option for businesses of all sizes.

Pros:

  • Allows users to customize sensors to meet their specific needs
  • Free version allows monitoring with up to 100 sensors, great for smaller businesses
  • Offers both on-premise and cloud versions
  • A great choice for companies looking to also monitor other aspects of their business such as networks, applications, or infrastructure

Cons:

  • Can take time to learn the platform, PRTG is rich with features and designed for enterprise use

PRTG is free if you only activate up to 100 sensors, which is more than enough to access the Syslog server monitors. You can download a 30-day free trial.

Paessler PRTG Start 30-day FREE Trial

3. Loggly (FREE TRIAL)

Loggly events

Loggly is a Cloud-based log consolidator and analyzer. As such, you don’t need to install any software on your premises, you just need to set up automated file transfer procedures to get your logs uploaded to the Loggly server.

Key Features:

  • Cloud-based log consolidator
  • Standardizes log messages from different sources

Why do we recommend it?

Loggly is a collector and consolidator for a long list of log message formats, including Syslog. The tool can receive log messages from your endpoints and also from cloud services. It puts them into a common format, provides a viewer that has analysis tools, and files them.

The Loggly system retains your Syslog messages in a standardized format. It will also accept logs from Amazon Web Services (AWS), Docker, Logstash, and a host of other log capture systems. All of these records get adapted so that the information in them can be accessed in a unified manner. Once your logs are in the Loggly system, you will be able to analyze them using the log analysis tools in the online service.

A big advantage of using Loggly is that storage is included in the deal. Log files should be copied somewhere outside the systems they describe, so that an attacker who compromises a host cannot erase the records of their own activity; that means you will need off-site or cloud storage in any case. Signing up for Loggly gives you an archive of your logs while keeping the data available for analysis.

The length of time that your log data is available in the Loggly system depends on which of the four packages you sign up for. The Lite package is permanently free, but it only retains data for seven days and allows you only one user account. The Standard pack allows you transfers of one GB of data per day and will retain your records for a month. The Pro Loggly service has a variable pricing method. It allows you a data transfer allowance of between three and twenty GB per day with a retention period of between fifteen and ninety days. The top package is called Enterprise and this is tailored to the customer by the sales team.

Who is it recommended for?

Loggly is a top-quality service and its cloud location makes it a good choice for multi-site businesses and hybrid systems that need to blend and store the logs from many different systems.

Pros:

  • Lives in the cloud, allowing syslog servers to scale regardless of onsite infrastructure
  • Setup is easy, no lengthy onboarding process
  • Can pull logs from cloud platforms such as AWS, Docker, etc
  • Data is immediately available for review and analysis
  • Offers a completely free version with limited retention

Cons:

  • Would like to see a longer trial

All services are charged for by subscription and you can choose to pay either annually or monthly. You can try a paid account of Loggly on a 14-day free trial – you don’t need to give any payment details when you sign up for the trial. Your account will simply be reduced to the Lite package if you choose not to upgrade to the paid service at the end of the fourteen days.

Loggly Log Management Download 14-day FREE Trial

4. ManageEngine EventLog Analyzer (FREE TRIAL)

ManageEngine EventLog Analyzer

ManageEngine EventLog Analyzer operates as a Syslog server and is free for up to five log sources. The monitoring software can be installed on Windows or Linux, but it can monitor events arising on any operating system. The syslog data can originate in any type of network-connected equipment, including switches, routers, and virtual machines.

Key Features:

  • Syslog log manager
  • Functional dashboard
  • User rights management

Why do we recommend it?

ManageEngine EventLog Analyzer can collect and store many log message formats, not just Syslog. The tool also has deployment options – you can host it on Windows Server or Linux. This tool is more than a log server because it provides a viewer with analysis tools and also implements automated threat hunting as a SIEM service.

Setup is light thanks to the autodiscovery feature, though note how Syslog actually works: each device must be configured to send its messages to the collector’s address (the standard port is UDP 514), so EventLog Analyzer listens on that port rather than sniffing the network. Each message carries a header that identifies its origin, which lets EventLog Analyzer build a list of reporting hosts and present alerts and status reports by IP address or hostname.

The ManageEngine dashboard includes a lot of functionality that enables you to specify actions to perform on the collected Syslog data. A typical Syslog server requirement is to write all records to event logs. This action is available, but you can also query records in the dashboards and sort and filter messages. Archived logs can be compressed and encrypted, and access to archived data can be restricted by user account, so visibility of the Syslog data can be limited to a few users with admin rights.

Who is it recommended for?

The EventLog Analyzer system is suitable for use by businesses of all sizes. Very small businesses should take up the offer of the Free Edition, which is limited to collecting logs from five sources.

Pros:

  • Offers a limited freeware version, good for smaller businesses
  • Works seamlessly with other ManageEngine tools, fits well into their environment
  • Can apply bulk actions to log data making it a good fit for enterprises and larger networks
  • Archived logs can be encrypted and have access rights applied to them, helpful in team environments

Cons:

  • The platform has a large number of features and options which can take time to fully learn and implement

The EventLog Analyzer can also receive SNMP traps. Its Free Edition is limited to five log sources, and you can download a 30-day free trial of the Premium Edition; for other pricing options, contact the sales team. ManageEngine also sells a separate network monitoring system, OpManager, which is not needed for Syslog collection.

ManageEngine EventLog Analyzer Download 30-day FREE Trial

5. Site24x7 Server Monitoring (FREE TRIAL)

Site24x7 Server Monitoring

Site24x7 is a cloud-based platform of system monitoring tools. The services are sold in bundles of monitors and management tools and all include the Log Manager.

Key Features:

  • Syslog collector
  • Consolidates Syslog Windows Events, and application logs
  • Log file viewer
  • Log analysis tools

Why do we recommend it?

Site24x7 offers packages of monitors and services on a cloud platform. While monitoring networks and servers, the bundles also include log collection that consolidates different formats of log messages, including Syslog and Windows Events. The great thing about this package is that you effectively get log management added for free to a full system monitoring package.

The Site24x7 Infrastructure plan is one of those bundles. It offers network, server, application, and website monitoring as well as the Log Manager. The system is almost entirely cloud-based, but it requires an agent program to be installed on a monitored system. There is a version of the agent for Linux and another for Windows Server. Either version can act as the Syslog collector: you point your devices at the agent host and it receives the messages and forwards them to the Site24x7 service.

The agent program uploads data, including Syslog messages, to the Site24x7 server for processing. The server puts all of the log messages that it receives into a common format and then files them. The standardization of message formats allows log messages gathered from different sources to be analyzed together.

The Site24x7 dashboard includes a log file viewer that has a number of data analysis tools built into it. These tools include the ability to search, sort, filter, and group messages.

Who is it recommended for?

Any business of any size would benefit from the Site24x7 service. The platform is cloud-based, so apart from the collector agent you don’t need to install or maintain any software on your site. This means that even owner-run businesses with few staff and no technical expertise can get log management sorted out.

Pros:

  • One of the best platforms in terms of log visualization
  • Offers numerous templates and configurations that make the platform plug-and-play
  • Operates as a cloud service, lowering infrastructure costs and makes scaling easy
  • Log collector agent is available for both Windows and Linux
  • Pricing is based on data processed and retention rates, making this a viable option for both large and small businesses

Cons:

  • Site24x7 is a more detailed platform designed for professionals, not the best fit for hobbyists or home users

The Site24x7 Infrastructure plan costs $9 per month when paid annually and it includes a log message processing allowance of 500 MB per month. This allowance can be upgraded for a fee: 10 GB at $10 per month, 100 GB at $95 per month, and 1 TB at $900 per month.

Site24x7 Infrastructure is available for a 30-day free trial.

Site24x7 Server Monitoring Start 30-day FREE Trial

6. FirstWave opEvents (FREE TRIAL)

FirstWave opEvents Event by Node Graphs

FirstWave opEvents is a Syslog collector that is also able to collect Windows Events and log messages from applications. The opEvents service will consolidate log messages from all sources by converting them into a common format before storing them in files.

Key Features:

  • Consolidator for Syslog and other log sources
  • Manages log files
  • Data viewer
  • Alerts on log message arrival rate

Why do we recommend it?

FirstWave opEvents is a good option for those who want to run log management on a Linux computer. This system isn’t limited to Syslog because it will collect other formats and merge them all into a common format. This enables the messages to be searched and sorted. The package will also store log messages in files.

The system rotates files and gives them meaningful names, storing them in a logical directory structure so that individual log messages can be located manually. The dashboard for opEvents shows the arrival rate and sources for all messages as they are processed and it is possible to place performance expectation thresholds on this arrival rate. If log messages stop arriving or arrive at a faster or slower rate than expected, the system will raise an alert.

The dashboard also includes a data viewer. You can load in log files and then sort, group, and search through them, creating manual analysis queries. These queries can be stored so they can be applied to other files.

Who is it recommended for?

The FirstWave opEvents system is recommended for businesses of all sizes. Small businesses would particularly benefit from this package because they can use it for free while also using the free network monitoring system.

Pros:

  • Features simple yet informative visualizations of your log events
  • Great user interface – sleek and easy to navigate
  • Offers power log consolidation, great for pulling data from diverse sources
  • Alerts can be configured if events haven’t been pulled at a specified rate
  • Solid alternative to cloud-based solutions

Cons:

  • Does not offer a cloud version

The FirstWave system is centered on the Network Management Information System (NMIS), which is free and open source. You have to install NMIS first because opEvents is an add-on, not a standalone service. opEvents is free for networks of up to 20 nodes. Both packages install on Linux; on a Windows host you can run them inside a virtual machine. The full version of opEvents is a paid service, available on a 30-day free trial.

FirstWave opEvents Start 30-day FREE Trial

7. ManageEngine Log360 (FREE TRIAL)

ManageEngine Log360 Dashboard

ManageEngine Log360 is a SIEM system that also acts as a log manager – those logs are the source data for the SIEM. This software package installs on Windows Server. However, it is able to collect Syslog messages from computers running Linux. It is also able to collect logs from computers running macOS and Windows. The different log messaging standards produce different message layouts, so the log manager in Log360 converts all of the messages that it receives into a common format.

Key Features:

  • Merges logs from Windows Events and Syslog
  • Gathers logs from software packages
  • Data viewer
  • Log processing statistics

Why do we recommend it?

ManageEngine Log360 is a very large package that includes many of the log-related systems offered by ManageEngine. Among these is EventLog Analyzer, which both collects and searches log messages. The system consolidates log messages of different formats, including Syslog and Windows Events.

The log messages can be viewed within the console as they arrive and they are also filed. The data viewer can recall a file for analysis. While manual analysis is possible, the system’s main value is its automated SIEM scanning.

The SIEM service identifies anomalous behavior. To do this, it establishes a baseline of normal behavior through user and entity behavior analytics (UEBA); deviations from that baseline trigger an alert, and you can adjust the threshold for alert generation. Alerts can be fed through service desk ticketing systems, including ManageEngine ServiceDesk Plus, Jira, and Kayako.

Who is it recommended for?

ManageEngine Log360 is a very comprehensive package with many utilities in it. A small business that doesn’t have a dedicated systems administrator would probably find that they just don’t have the time to even set up all of the utilities. So this bundle is a better choice for large organizations that have a team of system management technicians.

Pros:

  • Gathers logs from more than 700 software packages
  • File integrity monitoring
  • Log management for Windows Events and Syslog
  • Coordinates with service desk tools

Cons:

  • Not available as a SaaS package

ManageEngine Log360 is available in a Free edition to monitor up to 25 endpoints. The Professional edition is available for a 30-day free trial.

ManageEngine Log360 Start 30-day FREE Trial

8. Progress WS_FTP Server

Progress WS_FTP Server

Progress WS_FTP Server is a secure FTP server with Syslog capabilities. It was originally developed by Ipswitch, which became part of Progress Software Corporation in 2019. The product dates back to 1993, so it is mature and well tested. It has a graphical user interface, which makes it easy to administer.

Key Features:

  • Collects and files Syslog messages
  • Secure file transfers
  • Suitable for inter-site transfers
  • Protects transfers with SFTP, FTPS, HTTPS, and SCP

Why do we recommend it?

Progress WS_FTP Server is a multi-purpose secure file server that has an integrated Syslog handler. This tool offers value for money because it can also be used for other business file transfer and management tasks. Login details for user access within the tool can be tied into your Active Directory implementation.

The WS_FTP system is not dedicated to managing Syslog messages. Therefore, it is useful for a range of file and data transfer tasks that your business might require. The tool can also be used for receiving Windows Event messages. However, the package does not include a log message consolidator.

For processing Syslog files, the WS_FTP system would need to be integrated into a workflow that could receive the Syslog messages and then process them into rotated logfiles, held in a meaningfully named directory structure. This orchestration can be managed by a sister product, called MOVEit Automation.

The general-purpose nature of the tool means that it can be deployed for many applications, which provides greater flexibility than a tool that is dedicated to processing Syslog messages.

Who is it recommended for?

As there are many free secure FTP servers available, small businesses would probably prefer other options on this list. WS_FTP Server is better suited to large organizations.

Pros:

  • A flexible FTP server that can be used for many different tasks
  • Syslog capabilities
  • Data processing automation by association with MOVEit Automation

Cons:

  • No log consolidator

Progress offers WS_FTP Server in three editions: Basic, Secure, and Premium, each available in different plans. The Secure edition would be the appropriate choice for use as a Syslog server. Progress doesn’t publish prices for WS_FTP Server, but you can download and use the software on a 30-day free trial.

9. Syslog Watcher

Syslog Watcher

Syslog Watcher from EZ5 Systems is available for installation on Windows. This is a free Syslog server program with several extra Syslog monitoring features. As just about every device connected to your network sends out Syslog messages, the Syslog server has to work fast if you want it to do more than just collect and write those messages to a file. Syslog Watcher uses a multithreaded architecture, so the Syslog collection of new records isn’t held up by the completion of processing.

Key Features:

  • Collects Syslog messages
  • Writes to files or a database
  • Free to use for home use

Why do we recommend it?

Syslog Watcher is a free Syslog server that runs on Windows. This is a big advantage for companies that have Linux machines and run applications that use the Syslog format but want to centralize all log management on a Windows computer.

The control dashboard gives you options on how to process messages. You aren’t limited to storing them in files because you have the option of writing them to a database. Getting your Syslog messages into a database gives you a lot more power to deal with event records because you can sort, filter, group, and count them, and combine events to build custom alert conditions. Syslog Watcher can send you alert messages by email.

Syslog Watcher can monitor messages both over UDP and TCP, and it can operate with both the IPv4 and the IPv6 address systems.

Who is it recommended for?

There is nothing to stop businesses from using the Free Edition of Syslog Watcher. The main problem users of this version might encounter is that it is limited to dealing with three concurrent connections. As many applications generate Syslog messages almost constantly, managing the flow of messages to open and close connections could end up being a complication that isn’t worth the bother when the paid version is available at a low price.

Pros:

  • Uses multi-threading for faster more efficient log processing
  • Allows you to write logs to a database, good for larger volumes of data that need reviewing
  • Accepts messages over UDP or TCP and over IPv4 or IPv6, giving you more transport options than some other tools

Cons:

  • Interface feels cluttered with a high volume of logs
  • Could use better event visualization features

UPDATE: Syslog Watcher is free for home use only; business users have to pay for the tool. However, EZ5 Systems offers a 30-day money-back guarantee, so in practice you get a month to evaluate it at no cost.

10. Fastvue Syslog

Fastvue Syslog screenshot

Fastvue specializes in system message reporting tools. One of its products is a free Syslog server utility. This software can be installed on Windows Server 2008 R2 and later versions of the Windows Server operating system.

Key Features:

  • Collects and stores Syslog messages
  • Manages log file directories
  • Free to use

Why do we recommend it?

Fastvue Syslog is a sophisticated tool that is surprisingly free. Its one limitation is that it only collects Syslog messages. Most businesses will need to manage several log formats and merge them into a common format; in that case, use Fastvue’s forwarding mechanism and consolidate the logs in another utility.

The Syslog system collects incoming messages and writes them to log files, which covers the basic Syslog server functionality. The Fastvue dashboard examines all of your archived files and reports each file’s size. Files are collated by date and each is paired with a verification file that stores the SHA-256 hash of the log file. Recomputing the hash and comparing it with the stored value tells you whether a log file has been altered, which matters for intrusion detection because intruders edit log files to hide their presence. One caveat: an attacker with write access to the log directory can regenerate the hash file as well, so copy the verification files to another host (or to write-once storage) and compare against those copies.

Fastvue Syslog compiles separate log files for each reporting device/IP address, so you end up with directories of files per device address. Each file contains a day’s worth of Syslog data messages originating from the device that the directory shadows.
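The per-device, per-day filing and the SHA-256 verification files described above are simple enough to reproduce, and doing so makes the tamper-detection point concrete. The block below is an added example written for this page, not Fastvue’s code: it files constructed sample messages into `<root>/<host>/<YYYY-MM-DD>.log`, seals a completed day’s file with a sidecar in `sha256sum` format, then simulates an intruder removing lines and shows the check failing. The directory layout, sidecar name and status strings are assumptions made for the demonstration.

```python
# Added example (not from the page or from Fastvue): per-device daily log
# files sealed with a SHA-256 sidecar, and a check that detects later edits.
# Layout, sidecar naming and the sample messages are constructed here.
import hashlib
import tempfile
from datetime import date
from pathlib import Path


def log_path(root, host: str, day: date) -> Path:
    """<root>/<host>/<YYYY-MM-DD>.log: one directory per reporting device."""
    return Path(root) / host / f"{day.isoformat()}.log"


def append_message(root, host: str, day: date, line: str) -> Path:
    """Append one raw syslog line to that device's file for that day."""
    path = log_path(root, host, day)
    path.parent.mkdir(parents=True, exist_ok=True)
    with path.open("a", encoding="utf-8") as fh:
        fh.write(line.rstrip("\n") + "\n")
    return path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sidecar_for(path: Path) -> Path:
    return path.with_name(path.name + ".sha256")


def seal(path: Path) -> Path:
    """Write '<hash>  <name>' so `sha256sum -c` can also verify it.
    Seal a day's file only once it is closed; re-sealing would hide tampering."""
    side = sidecar_for(path)
    if side.exists():
        raise FileExistsError(f"{side} already exists; refusing to re-seal")
    side.write_text(f"{sha256_file(path)}  {path.name}\n", encoding="utf-8")
    return side


def verify(path: Path) -> str:
    """Return 'ok', 'modified', or 'no-sidecar' for the file at path."""
    side = sidecar_for(path)
    if not side.exists():
        return "no-sidecar"
    recorded = side.read_text(encoding="utf-8").split()[0]
    return "ok" if recorded == sha256_file(path) else "modified"


def demo() -> dict:
    """Seal yesterday's file for one device, then tamper with it."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        yesterday, today = date(2024, 5, 1), date(2024, 5, 2)
        # Constructed messages: two failed logins yesterday, a cron job today.
        append_message(root, "fw01", yesterday, "<34>May  1 22:14:15 fw01 sshd[1203]: Failed password for root")
        append_message(root, "fw01", yesterday, "<34>May  1 22:14:16 fw01 sshd[1203]: Failed password for root")
        append_message(root, "fw01", today, "<13>May  2 08:00:00 fw01 cron[77]: job started")
        closed = log_path(root, "fw01", yesterday)
        seal(closed)
        results["before"] = verify(closed)
        results["open_file"] = verify(log_path(root, "fw01", today))  # today's file is not sealed yet
        # An intruder scrubbing the evidence of the failed logins:
        kept = [l for l in closed.read_text(encoding="utf-8").splitlines() if "Failed password" not in l]
        closed.write_text("\n".join(kept) + "\n", encoding="utf-8")
        results["after_tamper"] = verify(closed)
    return results


if __name__ == "__main__":
    print(demo())
```

Because the sidecar uses the `sha256sum` text format, the same files can be checked from a shell on another host with `sha256sum -c`; that off-host copy is the one that actually matters, since the intruder who rewrote the log could just as easily rerun `seal()` on the same machine.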

Who is it recommended for?

If everything you need to collect from speaks Syslog and you don’t need to gather Windows Events, this tool will serve you well. The log file management services in this package include archiving, which is a very useful space saver. The tool also provides a message viewer and a console that displays throughput statistics.

Pros:

  • Simple easy to use interface
  • Reports on file size, helping avoid any massive bulky log archives
  • Pairs each log file with a SHA-256 verification file, so tampering can be detected

Cons:

  • Lacks visualization features
  • Not the best option if you need log analysis features built in

This Syslog server focuses on creating and monitoring files of Syslog messages rather than making those records available for analysis. If you need a console to analyze records, you will need to import the log files into another application.

11. The Dude

The Dude screenshot

The Dude is a widely used free network monitoring tool that includes Syslog server functions. The app is built for Windows (any version from Windows 2000 on) and can also be run on Linux and macOS. It is produced by MikroTik, a router manufacturer from Latvia.

Key Features:

  • Collects Syslog messages
  • Forwarding and filtering
  • Free to use

Why do we recommend it?

The Dude Syslog server is part of a network monitoring and analysis tool that is free to use. The Syslog server can be used to file or forward Syslog messages. The only problem with this is that the tool doesn’t handle other formats of log messages.

This system can monitor your network devices and collect Syslog data. It works with SNMP, probes devices with ICMP and DNS, and can check TCP and UDP services. The network monitoring features include autodiscovery and a network topology mapper.

The Syslog functions of The Dude can be accessed from a tab in the interface. The system can operate as a full Syslog server with extra forwarding and filtering capabilities. You can get The Dude just to send all records to a file, or specify rules to divert qualifying messages to other destinations, which might be separate event logs or the console of the system. You can also drop individual records and get the system to beep, flash, or display a popup message for custom alert conditions.

Who is it recommended for?

The Dude is a Windows application (it also runs on Linux and macOS, as noted above), so if you want to gather Syslog messages and file them on a Windows server, this is a good choice. You would need to forward messages to another server in order to consolidate Syslog messages with other log types.

Pros:

  • Installs on Windows, Linux, and macOS, making this one of the most flexible options for syslog servers
  • Works with SNMP and probes devices with ICMP and DNS, so it monitors device health alongside Syslog
  • Utilizes autodiscovery for network mapping and device identification
  • Supports log forwarding to other servers or applications

Cons:

  • Not as lightweight as some other simple syslog servers
  • Interface can be challenging to learn

The Dude performs actions when it detects a given alert condition, including the execution of commands. The Dude can send you an email or make a spoken announcement upon the detection of a custom alert condition.

12. Nagios Log Server

Nagios Log Server

Nagios Log Server is a commercial product built on open-source components (Elasticsearch and Logstash). It is free to use up to 500 MB of log data per day; beyond that you need a license. The server installs on Linux and collects logs from both Windows and Linux systems.

Key Features:

  • Collects Windows Events and Syslog messages
  • Manages log files
  • Free version

Why do we recommend it?

Nagios is a well-established brand and the Nagios Log Server is typical of the high standard this producer maintains. Beyond the free tier it is a paid tool, and it is a standalone product, so you don't have to be a user of the Nagios system monitoring tools in order to use it. The log server collects Windows Events and application logs as well as Syslog. It consolidates and files log messages and also has a viewer with analysis tools.

The log server can gather information on Windows events, Linux syslogs, and network device syslogs. The application consolidates log messages in one central location. You can nominate physical servers to store event logs, distribute storage over a cluster of servers, even duplicate files in different locations to create backups.

The console allows you to view live streams of log messages and access previously-stored Syslog data. The interface includes sorting and filtering functions to help you analyze messages. You can specify alert conditions, which may be made up of a combination of statuses or designated as an alert on the frequency of specific message types coming in. The customization capabilities of Nagios even extend to the dashboard. It is possible to populate the dashboard with prioritized features, including message lists. Other elements you can place on the dashboard include data visualization tools, such as graphs, histograms, and charts.

Who is it recommended for?

Only the first 500 MB of data per day is free, a volume that would suit only very small companies. Beyond that the price of the Nagios Log Server is high, so large organizations are the most likely buyers.

Pros:

  • Free tier for up to 500 MB of log data per day
  • Supports built-in event visualization
  • Offers multi-platform log collection on Linux and Windows systems
  • Offers a live view into event collection as it happens
  • Dashboard is highly customizable – good option for teams

Cons:

  • Not as lightweight as some other simple syslog servers
  • Support isn’t as reliable as paid options
  • Bug fixes in open-source environments are left to the community

13. Icinga 2

Icinga Event Log screenshot

Icinga started in 2009 as a fork of Nagios and has since diverged from its predecessor. The current version, Icinga 2, installs on Linux. It comes in two parts. The core is the data processor, and its backend can interface with a range of data management applications, including Graphite and InfluxDB. The Icinga team also produces its own front end, Icinga Web 2, which is a separate download from the Icinga website.

Key Features:

  • Part of a system monitor
  • Collects Syslog messages
  • Free to use

Why do we recommend it?

Icinga 2 is a very extensive system monitor that is free to use. In addition to monitoring your servers and networks, the tool will collect and file log messages. The service doesn't just collect Syslog messages; it can also collect Windows Events. The Icinga system can be expanded by plug-ins and there are log processing extensions available. The service has its own Web interface, but you can choose to channel results through to another data interpretation and display system, such as Kibana.

Icinga 2 is a comprehensive network monitoring tool and one of its functions is a logging feature. You can point its logger at Syslog. Optionally, you can set a minimum severity: the logger doesn't limit collection to that one severity but records messages at that level and every higher level. The progression, from least to most severe, is "debug," "notice," "information," "warning," and "critical." The default level is "warning," so if you just point the logger at Syslog without specifying a minimum severity, it will pick up all warning and critical messages. Note that these are Icinga's own level names, not the eight standard Syslog severities listed in the FAQ below.

If you look at the Icinga website for a price, you won’t find one because this network monitoring tool is completely free.

Who is it recommended for?

Any business would benefit from the use of Icinga 2 for system monitoring and for log management. The tool is very powerful and flexible. However, in order to get the best out of this system, you need to study how it works and how it can be adapted. An active user community can help educate you.

Pros:

  • Can customize the priority level on inbound logs
  • Allows developers to integrate the tool into other data-ingesting applications, such as a SIEM
  • Is completely free

Cons:

  • Antiquated interface, hard to use and cluttered

14. Visual Syslog Server

Visual Syslog Server screenshot

Visual Syslog Server is a small utility that collects Syslog data and displays them in a viewer. The records can also be written to event logs and rotated by date or file size. This application can be installed on Windows and it is available for free. The software can be installed on Windows XP and above and also on Windows Server 2003, 2008, and 2012.

Key Features:

  • Collector of Syslog messages
  • Data viewer
  • Free to use

Why do we recommend it?

Visual Syslog Server collects Syslog messages, which are usually generated by Linux systems and network devices, but this tool runs on Windows. So this is a good way to get your Syslog messages over to the Windows operating system and file them there. The utility includes a data viewer that lets you filter and sort messages.

In the dashboard, records are color-coded with error messages in red and warnings in yellow. Those colors can be customized. You get real-time views of the messages and you can also load records into the viewer from files.

Although this utility doesn’t have sophisticated graphics or message processing options, it is lightweight and fast, so it has a market. The viewer presents records and allows you to filter them and sort them. The interface can be set to play a sound when an alert condition is encountered. You can also set the application to send you an email when it encounters an alert or a warning. If your email system supports encryption, Visual Syslog Server will encrypt the notification emails that it sends to you.

Who is it recommended for?

Visual Syslog Server is free to use, so it will appeal to small businesses. You can set it up to provide you with alerts on factors such as throughput level variation or for the arrival of specific message codes.

Pros:

  • Simple interface – utilizes color to aid in log prioritization
  • Powerful filtering options work quickly and are easy to learn
  • More user friendly than other tools

Cons:

  • Better suited for smaller networks, features don’t work as well at scale
  • Lacks event visualization
  • Alert notifications are limited

This is a handy, free, ready-to-use Syslog tool that gets the job done.

15. Syslog-NG

Syslog-ng screenshot

Syslog-NG is an open-source package that is free to use. The open-source edition installs on Linux and other Unix-like systems. Out of the box it receives standard Syslog messages from Linux, Unix and device firmware; Windows event data can be brought in too, but that needs an agent on the Windows side that converts the events to Syslog and forwards them.

Key Features:

  • Forwards messages
  • Writes to database
  • Free to use

Why do we recommend it?

Syslog-NG is a free, open source system, which is a major plus. However, on its own it only receives Syslog messages, so to merge all of the log types your systems generate you either feed Windows Events to it through a forwarding agent or forward its output to another tool. A good option is to use it to insert log records into a database.

The Syslog-NG system will collect Syslog messages (and, via an agent, Windows Events) from the devices on your network, recording the source IP address of each. The default destination for those records is a set of log files. However, you can also forward messages to other applications or insert them into an SQL database. Syslog-NG is a pure Syslog server in that it concentrates on capturing Syslog messages, and it can rewrite messages arriving in different formats so they are stored in the same layout.

Other Syslog servers on this list can analyze data from the messages. Some Syslog servers have attractive dashboards with data visualization features. You don’t get any of that with Syslog-NG. If you want to get more functionality to process your Syslog messages, you will need to add on a data analysis tool.

Who is it recommended for?

Syslog-NG is a good tool for people with technical knowledge that like to put together their own, customized log management package. You would need to get a third-party tool to display messages if you just stick with Syslog-NG for log processing.

Pros:

  • Completely free and open source
  • Can collect data on Linux, Unix, and Windows, a good flexible option for networks running multiple operating systems
  • Supports data forwarding into a database format, great for long-term archiving

Cons:

  • No graphical interface; everything is driven by the configuration file
  • No built-in visualization
  • Doesn't support data analysis

16. Nxlog

Nxlog screenshot

This review includes Syslog server programs that can be installed on Windows and/or Linux. Nxlog can be installed on either of those operating systems and also on Unix and Android. Whichever operating system you install this system on, it will be able to collect Syslog data from all the others — Unix, Linux, Windows, and Android.

Key Features:

  • Suitable for Windows, Unix, Linux, and Android
  • Multithreaded architecture
  • Free to use

Why do we recommend it?

NXLog is a paid tool but we recommend its free counterpart, which is called the NXLog Community Edition. This service is able to collect Windows Events as well as Syslog. It will consolidate these different log files into a common format. You can set the system to file log messages or forward them to another log processor.

Nxlog is a straightforward message collection system. It can operate over UDP and TCP and it can receive messages protected by TLS encryption. Messages get written to files and can also be stored in databases. In all cases, Nxlog creates a standard record format that unites data from disparate sources. A multithreaded architecture enables this tool to handle hundreds of thousands of messages per second, making it suitable for all sizes of a network.

Who is it recommended for?

Any business could use NXLog Community Edition but it does need a little setting up, so very small businesses with no technical skills on site might struggle. Very large companies that require professional support guarantees with their software purchases should consider the NXLog Enterprise Edition.

Pros:

  • Supports Windows, Unix, Linux, and uniquely Android as well
  • Lightweight application – uses very few resources
  • Multi-threaded architecture enables the tool to process large volumes of data
  • Completely open-source and free

Cons:

  • Interface is barebones, lacking many features found in similar tools
  • No event visualization

The Nxlog system is open-source and you can use it free of charge. There aren’t any analytical functions in this tool, so if you want to view records or manipulate them in any way, you will need to find a separate front end for analysis. This is a straightforward message collection and logfile creation facility, making it a pure Syslog server.

17. Logstash

Logstash screenshot

Logstash is part of a suite of utilities called the Elastic Stack, produced by Elastic, whose first product was Elasticsearch. Elasticsearch and Kibana are the other core elements of the stack. The division of labor is that Logstash collects and transforms log messages, Elasticsearch stores and indexes them so they can be searched and filtered, and Kibana queries and displays the data. The Elastic Stack programs run on Linux (Windows and macOS builds are also available).

Key Features:

  • Part of the ELK stack
  • Collects from cloud platforms
  • Free to use

Why do we recommend it?

Logstash is a very powerful log processing system and it is part of a suite of tools, called the Elastic Stack, or ELK. Using Logstash, you can collect and consolidate logs in Syslog and Windows Events formats as well as many application logs. This tool can also collect log messages from cloud systems, including AWS, Salesforce, and Twitter.

As the event collection service for the stack, Logstash operates as a Syslog server, and Kibana then provides the analysis front end. Logstash listens on the network for messages from a wide range of sources. Each kind of input is handled by an input plug-in; the syslog, tcp and udp inputs ship with Logstash, so you enable the syslog input and add other plug-ins only for other data sources.

Logstash also gathers data from cloud services including AWS. It can collect data from applications such as Ganglia, Salesforce, Graphite, Kafka, and Twitter. You can set the collection process to include TCP and UDP messages and it can receive messages encrypted with TLS. Logstash can read messages from a file, from a database, pick up SNMP messages, IRC and RSS feeds, and get messages from mail servers.

Who is it recommended for?

Logstash and the rest of the Elastic Stack offer the building blocks for your own log pipeline, and there are many commercial products built on top of them. Setting up basic Syslog collection is straightforward, but tuning a full pipeline takes skill, so the stack suits organizations with technical staff. There is also a paid, cloud-hosted version of the Elastic Stack.

Pros:

  • Great user interface, highly visual with easy to navigate toolbar
  • Part of the Elastic Stack – leverages a large open-source community
  • Supports gathering information from cloud sources like AWS
  • Uses Elasticsearch for filtering, one of the most flexible search tools available

Cons:

  • Must enable an input plugin for each data type you collect
  • Paid support requires an Elastic subscription; otherwise bugs and issues are resolved by the community

Logstash can filter, divert, and reformat messages during processing. The program stores records in files or inserts them into databases. The utility is written to integrate with Elasticsearch and can send data directly to that application. Similarly, Logstash can be set to output data to Loggly, Nagios, AWS, Graphite, and Graylog. Other plug-ins will notify you of new log data by email or by Slack message. Logstash is available free of charge.

18. Graylog

Graylog screenshot

Graylog is a log management system available for Linux. This is a sophisticated Syslog data analysis tool. However, you can just take advantage of its message collection and storage capabilities to use it as a pure Syslog server. Graylog is free for data volumes of 5 GB or less per day. Owners of small networks won’t have to pay anything to use it. The data analysis functions don’t generate extra data throughput. You don’t get any support with the free version of Graylog. However, a community forum on the Graylog website is filled with tips and tricks from other users.

Key Features:

  • Runs on Linux
  • Active user community
  • Free to use

Why do we recommend it?

Graylog was originally a free service but now its creators are branching out into paid services. You can still get this log processing package for free if you look for the Community Edition, which is called Graylog Open. This tool only runs on Linux and the paid version has a module that collects Windows Events. You can get Windows Events into Graylog Open, but you would need a third-party collector and forwarder to do that.

Graylog receives Syslog directly through its own inputs (Syslog UDP and Syslog TCP), so no separate syslog daemon is needed for collection. Underneath, it relies on a search backend (Elasticsearch or OpenSearch) and MongoDB, which you can run on the same Linux host or in the prebuilt virtual machine image. You manage the inputs through the Graylog interface. Using the Graylog Sidecar, a collector such as NXLog or Winlogbeat on a Windows host can ship Windows Events to a Graylog input.

The front-end for Graylog is browser-based. This will display inputs by type, so you will be able to see your Syslog messages together in one section of the dashboard. You can customize the dashboard, so if you set the system to gather messages from several sources, you don’t have to show the information from other sources on the same page as your Syslog messages. Widgets available for the dashboard include data visualization, such as histograms.

The dashboard enables you to create your own alert conditions. You specify each alert based on a data stream type. For example, you can pick the Syslog UDP stream and then set up an alert condition on the number of warning messages that come through. System settings enable you to get alerts sent to you as email notifications. Stream handling procedures enable you to parse records, forward them, or store them to file or database.

Who is it recommended for?

Graylog has a great reputation. However, it is annoying that the free version doesn’t automatically receive Windows Events. So, large enterprises would be better off paying for a paid package of Graylog and smaller businesses without a budget for log management should probably look at some of the other free tools on this list.

Pros:

  • Open-source tool with large community
  • Free for users who use less than 5GB of data per day, making it a good option for smaller growing businesses
  • Browser-based dashboard allows users to track their logs from anywhere

Cons:

  • Steeper learning curve than other products; expect to spend time getting to know the platform

19. TFTPD32/64

TFTPD64 screenshot

TFTPD is a small utility for Windows, available as a 32-bit (Tftpd32) or a 64-bit (Tftpd64) application. The central element of this software is a TFTP server (a TFTP client is included as well). The package also bundles DHCP, DNS and SNTP servers, and it can receive Syslog data.

Key Features:

  • GUI and command line
  • DHCP and DNS server
  • Free to use

Why do we recommend it?

TFTPD is a free utility that runs on Windows and is nominally a client and server for use with the Trivial File Transfer Protocol (TFTP). However, the tool has other utilities built in and one of those is a Syslog server. Although this package includes a log viewer and a setting that will store Syslog messages, it doesn’t collect Windows Events and it can’t perform consolidation.

This is a simple open-source utility that displays messages in the dashboard as they arrive. Buttons over the viewer give you the ability to view messages by type and Syslog is one of the message types that can be featured. You see messages as they travel on their way to event logs and the viewer also names the file that Syslog messages should be stored to. This utility doesn’t give you much functionality for data analysis. However, you can also read in records from a file and then you have the ability to sort and filter messages.

Who is it recommended for?

TFTPD is a handy free utility for a system administrator to have to hand. However, the tool is getting a little dated and there are more powerful free Syslog servers on this list that provide more features.

Pros:

  • Lightweight alternative to other more modern options
  • Can be used in other capacities since it's also a TFTP server
  • Available for free

Cons:

  • No data analysis tools
  • No event visualizations
  • Outdated user interface

TFTPD can work with IPv6 addresses as well as IPv4 addresses. TFTPD32 and TFTPD64 are both available for free.

What you need to know about Syslog Servers and Clients

The concept of a "Syslog server" really refers to an application that deals with syslog messages rather than a dedicated computer set aside to receive them. So, don't be misdirected by that "server" word.

The server/client model is also a little unusual in Syslog terms. Usually, the client contacts the server and the server responds. In Syslog, the client is just a program that emits error, warning, and debugging messages to a configured destination; it gets no acknowledgement, and with UDP transport it sends them whether or not anyone is listening. Syslogd is a daemon that collects those messages, and so it is judged to be the server even though it never responds to the originator. The daemon may run locally on the same host, or on a remote machine that receives the messages over the network.

Although the Syslog standard has been codified by the Internet Engineering Task Force (IETF), in RFC 3164 and later RFC 5424, there are so many implementations of Syslog that some variation in the message format exists. With all of the different message types you could be benefiting from, you need a tool that can sort through them all.

The definition of the Syslog standard is freely available to the public but it is not regarded as an “open source project.” This is because “open source” refers to freely available program code, but Syslog is a standard, rather than a program. However, there are open source Syslog server implementations out there.

Syslog and Windows

The Syslog standard was written for Unix and it is also available on Unix-like operating systems, including Linux and Mac OS X. Syslog is also used by many network devices for error reporting. Windows has no native Syslog client or daemon; it has its own log messaging system, the Windows Event Log, usually just called Events.

The division of log systems between Windows and Linux into two separate and incompatible standards shouldn’t cause you a problem. You can unify these log file messages in one central location so security software, such as intrusion detection systems can get a system-wide view of events.

Network equipment sends Syslog messages to whatever collector address you configure on the device. The messages are unicast, not broadcast, so the collector must be reachable from each device and any firewall in between must admit the traffic. The standard port is UDP 514. Syslog over plain TCP has no registered port of its own (TCP 514 and TCP 1468 are both seen in practice), and Syslog over TLS uses TCP 6514. On a Linux host, where local messages go is dictated by the syslogd, rsyslog, or syslog-ng configuration file, which can forward them to the collector on the well-known port.

Once your devices forward their Syslog messages to a collector, that collector can run on Windows, so you don't have to stick to Syslog server software for Linux to gather these important messages. Many excellent Syslog servers are written to run on Windows.

Syslog Messages

Syslog messages can be regarded as the Linux/Unix equivalent of Windows Event Logs. So, you could refer to them as “Syslog events.” They supply the essential information and will support your system administration tasks through:

  • Warnings of equipment failure – which get written to a log file
  • Capacity exhaustion monitoring – through pre-set warning levels which you set yourself
  • Alerts of unexpected events – abnormal activity may indicate compromised user accounts
  • Network intrusion detection – spot unauthorized devices and access to unexpected locations on the internet

The records in your syslog files are written there because the producers of your software and devices judged certain events to be of significance, so it is a mistake to ignore this rich source of system activity and status information. So download a Syslog collector and activate it.

Syslog Port Numbers

Syslog normally runs over UDP, so expect traffic to UDP port 514 on your collector; that is your devices' Syslog messages arriving. Servers listen on UDP 514, and senders usually transmit from an ephemeral source port, although some implementations send from port 514 as well. Don't block it on the collector, but do restrict which source networks may reach it. TCP port 514 is a different matter: IANA assigns it to the legacy rsh "shell" service, not to Syslog, although many collectors accept Syslog over plain TCP on it. If you have not deliberately configured a TCP Syslog listener, treat connections to TCP port 514 as suspicious.

There are secure Syslog implementations. A secure Syslog service needs to establish a connection, so it runs over TCP rather than UDP. The secure version is known as Syslog over TLS (RFC 5425) and it uses TCP port 6514. If you want a remote Syslog server to receive messages across the internet, go the Syslog over TLS route: plain Syslog sends log content in clear text, and with UDP the source address of a message is trivially spoofed, so an attacker could both read your logs and inject fake records. TLS with certificate verification on both sides gives you confidentiality and authenticates the sender.

Choosing Syslog server software

As you can see from the description of the tools in our list, you can choose a straightforward Syslog server, or opt for an analytical tool or a network monitoring system that incorporates Syslog server functions.

Beyond the basic functions of transferring Syslog messages to files, you can look for the capabilities to sort and filter messages. The ability to vary processing according to message types and drop debug messages and information notifications is useful. A programmer might need to see those debug messages, and so the ability to selectively direct message types to a viewer, a log file, or to a database can be very useful.

The evolution of Syslog processing to store records in a database rather than a file offers you great power. It is far easier to index, sort, search, and filter records in a database than it is to manipulate file records. This is because databases include a structured query language that enables you to isolate fields in records and perform selection, grouping, and exclusion functions on data without altering the original stored records.

Another useful advancement in the Syslog servers available today is a system that can collect messages generated by other platforms and protocols, such as the Windows event logger. If your Syslog server can create standardized record formats, that takes you another step further along the route to collect important information about your system.

Getting alerts created for the conditions reported by Syslog will also give you extra power to focus your energy on essential tasks. The ability to create your own alert conditions represents an advancement in Syslog processing. Sometimes, the contents of a message might not create concern. However, a sudden surge in the frequency of such messages should become an alert and you can specify such conditions in many of the Syslog servers listed in this full review. The ability to combine a count of message types or error conditions is another useful feature that many modern Syslog servers include.
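The facility and severity arithmetic behind the message types discussed in the Syslog Messages and Syslog Port Numbers sections above, and the count-based alert described in the previous paragraph, as an added example in Python (not code from any of the products reviewed here). It parses the two common wire formats, RFC 3164 (the old BSD style with no year in the timestamp) and RFC 5424, decodes the PRI field into facility and severity, and then flags hosts that exceed a count of messages at a given severity or worse. The sample messages are constructed for the example, with documentation addresses and made-up host names, and the short facility names for codes 12 to 15 are this example's choice.

```python
import re
from collections import Counter

# Added example (not from any product on this page): a small parser for the two
# common wire formats and a threshold alert over the results. The sample
# messages below are constructed; hosts and addresses are documentation values.

SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]
# RFC 5424 describes facilities 12-15 loosely (NTP, log audit, log alert,
# clock daemon); the short names used for them here are an assumption.
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
                  "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
                  "alert", "clock"] + [f"local{i}" for i in range(8)]

def decode_pri(pri: int):
    """PRI = facility * 8 + severity; the valid range is 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri >> 3, pri & 7

RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<pid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$", re.S)
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<rest>.*)$", re.S)
PRI_ONLY = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.S)
TAG = re.compile(r"^(?P<app>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$", re.S)

def parse_syslog(line: str) -> dict:
    """Parse one message. A line with no <PRI> at all is treated as PRI 13
    (user.notice), which is what RFC 3164 tells relays to assume."""
    rec = {"version": None, "timestamp": None, "host": "-", "app": None,
           "pid": None, "msg": line}
    if (m := RFC5424.match(line)):
        rec.update(version=1, timestamp=m["ts"], host=m["host"],
                   app=m["app"], pid=m["pid"], msg=m["msg"] or "")
        pri = int(m["pri"])
    elif (m := RFC3164.match(line)):
        rec.update(version=0, timestamp=m["ts"], host=m["host"], msg=m["rest"])
        if (t := TAG.match(m["rest"])):  # "sshd[1234]: text" -> app, pid, text
            rec.update(app=t["app"], pid=t["pid"], msg=t["msg"])
        pri = int(m["pri"])
    elif (m := PRI_ONLY.match(line)):
        rec["msg"] = m["rest"]
        pri = int(m["pri"])
    else:
        pri = 13
    fac, sev = decode_pri(pri)
    rec.update(pri=pri, facility=fac, facility_name=FACILITY_NAMES[fac],
               severity=sev, severity_name=SEVERITY_NAMES[sev])
    return rec

def threshold_alerts(records, min_count: int, max_severity: int) -> dict:
    """Hosts that sent at least min_count messages at severity <= max_severity
    (a lower number is more severe). This is the 'count of message types'
    alert described in the text; a real deployment applies it per time window."""
    counts = Counter(r["host"] for r in records if r["severity"] <= max_severity)
    return {host: n for host, n in counts.items() if n >= min_count}

SAMPLE_LINES = [  # constructed for this example
    "<38>Jan 15 10:00:01 fw01 sshd[1234]: Failed password for root from 203.0.113.5 port 51122 ssh2",
    "<38>Jan 15 10:00:02 fw01 sshd[1234]: Failed password for root from 203.0.113.5 port 51123 ssh2",
    "<38>Jan 15 10:00:03 fw01 sshd[1234]: Failed password for root from 203.0.113.5 port 51124 ssh2",
    '<165>1 2024-01-15T10:00:04+00:00 sw01 snmpd 812 ID47 [exampleSDID@32473 iut="3"] Interface Gi0/1 changed state to down',
    "<0>Jan 15 10:00:05 db01 kernel: Out of memory: Kill process 2222 (postgres)",
    "legacy printer message with no PRI at all",
]

def parse_all(lines=SAMPLE_LINES) -> list:
    return [parse_syslog(line) for line in lines]

if __name__ == "__main__":
    for r in parse_all():
        print(r["facility_name"], r["severity_name"], r["host"], r["app"], r["msg"])
    print(threshold_alerts(parse_all(), min_count=3, max_severity=6))
```

Note that the hostname, timestamp and PRI are all supplied by the sender, so none of them is evidence of where a message really came from; for that you need the transport-level source address or, better, a TLS client certificate.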

A Syslog server embedded in a network centralized management tool can provide excellent analysis capabilities. If you already have all the analytical tools you need, then you would be better off focusing on the vanilla Syslog server tools in this review. However, if you have very little budget for system management software and you don’t currently have any analytical tools, then go for a free system management utility that includes a Syslog server to keep control of your IT infrastructure.

Managing IT services requires proper tools. Take a look at the software recommended in this full review that fits your operating system. Our Editor's Choice is an excellent place to start and the SolarWinds Kiwi Syslog Server is a comprehensive logging tool. Take a little time to play around with each tool so you can discover their features for yourself. Given that all of these tools are free or offer a free edition or trial, you have nothing to lose but the time it takes to learn them.

Syslog Server FAQs

How do I access my Syslog server?

The access method for a Syslog server depends on your operating system and the specific Syslog server that you chose to install. On Linux, the Syslog server is usually a daemon (rsyslog or syslog-ng) that you configure through text files and query from the command line. If you have a Linux flavor with a graphical interface, such as Ubuntu, you might be able to have a GUI Syslog server package.

GUI interfaces are very common for Windows-based Syslog servers. In these cases, the installer may well have created a shortcut icon on your Desktop. If you don’t see it there, click on the Start menu button and search through that list of available programs.

How do I create a Syslog server?

Syslog originated on Unix, so the natural place to build a Syslog server is a Linux machine:

  1. Install syslog-ng. On Debian and Ubuntu it is in the standard repositories, so type at the command line:
    sudo apt-get install syslog-ng

    On RHEL and its derivatives, enable the EPEL repository and enter:

    sudo yum install syslog-ng
  2. Locate /etc/syslog-ng/syslog-ng.conf, make a backup of it, then edit it. Alter the configuration settings so the options block looks like this (create_dirs lets syslog-ng create the per-host directories used in step 4):
    options {
    chain_hostnames(off);
    flush_lines(10);
    use_dns(persist_only);
    use_fqdn(no);
    owner("root");
    group("adm");
    perm(0640);
    stats_freq(0);
    bad_hostname("^gconfd$");
    normalize_hostnames(yes);
    keep_hostname(yes);
    create_dirs(yes);
    };
  3. Create a listener with the following lines in the configuration file. Bind to an address your devices can reach; 127.0.0.1 would only accept messages from the server itself:
    source s_net {
    tcp(ip(0.0.0.0) port(514) max-connections(5000));
    udp(ip(0.0.0.0) port(514));
    };
  4. Set up a destination for the syslog messages, plus a log statement that joins the source to it. You can set up separate destinations for different message sources with different log file names. Here is an example that writes one file per sending host. $HOSTNAME is taken from the message itself, so if you can't trust every sender, key the directory on $SOURCEIP instead:
    destination d_net_syslog { file("/var/log/syslog/remote/$HOSTNAME/syslog.log"); };
    log { source(s_net); destination(d_net_syslog); };
  5. Save the configuration file, check it with syslog-ng -s, and restart the service with systemctl restart syslog-ng.

Those are the basic steps to start collecting Syslog messages and storing them to a file. You can get more sophisticated by adding in filters to direct messages to different files or add in explanations of each recorded event.
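What those steps make syslog-ng do, as an added example written in Python (not syslog-ng's own code): listen on UDP, file each datagram under a directory per sender and a file per day, and refuse to build a path from anything that arrives inside a message. The port, the base directory and the datagrams in demo() are assumptions for the illustration.

```python
import os
import re
import socket
import tempfile
from datetime import datetime, timezone

# Added example, not syslog-ng's code: a minimal UDP collector that does what
# the configuration above makes syslog-ng do, filing each message under
# <base>/<source>/<YYYY-MM-DD>.log. The port, the base directory and the
# datagrams in demo() are assumptions for the illustration.

SAFE_NAME = re.compile(r"[^A-Za-z0-9._-]")

def safe_dir_name(name: str) -> str:
    """Anything taken from inside a datagram (such as the hostname field that
    $HOSTNAME expands to) is attacker-controlled, so a value like '../../etc'
    must never reach a path unchanged. Keep a conservative character set and
    refuse names that are empty or consist only of dots."""
    cleaned = SAFE_NAME.sub("_", name)[:253]
    return cleaned if cleaned.strip(".") else "_"

def log_path(base: str, source: str, when: datetime) -> str:
    return os.path.join(base, safe_dir_name(source), when.strftime("%Y-%m-%d") + ".log")

def store(base: str, src_ip: str, datagram: bytes, when: datetime = None) -> str:
    """Append one datagram to today's file for its sender and return the path.
    The directory key is the UDP source address, which comes from the packet
    header rather than the message text. A plain UDP source address can still
    be forged, which is what Syslog over TLS with client certificates prevents."""
    when = when or datetime.now(timezone.utc)
    path = log_path(base, src_ip, when)
    os.makedirs(os.path.dirname(path), mode=0o750, exist_ok=True)
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    with open(path, "a", encoding="utf-8") as f:
        f.write(f"{when.isoformat()} {src_ip} {text}\n")
    return path

def serve(base: str, bind_ip: str = "0.0.0.0", port: int = 514, max_datagrams: int = None) -> int:
    """Receive loop. Binding port 514 needs root or CAP_NET_BIND_SERVICE;
    the capability plus an unprivileged user is the safer choice.
    Returns the number of datagrams filed."""
    count = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_ip, port))
        while max_datagrams is None or count < max_datagrams:
            data, (src_ip, _port) = s.recvfrom(65535)
            store(base, src_ip, data)
            count += 1
    return count

def demo() -> dict:
    """Constructed datagrams from two devices; the clock is fixed so the
    file names are repeatable."""
    when = datetime(2024, 1, 15, 10, 0, 1, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as d:
        p1 = store(d, "192.0.2.10", b"<38>Jan 15 10:00:01 fw01 sshd[1234]: Failed password for root from 203.0.113.5\n", when)
        p2 = store(d, "192.0.2.10", b"<38>Jan 15 10:00:02 fw01 sshd[1234]: Failed password for root from 203.0.113.5\n", when)
        p3 = store(d, "192.0.2.11", b"<165>Jan 15 10:00:03 sw01 snmpd: Interface Gi0/1 changed state to down", when)
        with open(p1, encoding="utf-8") as f:
            fw_lines = f.read().splitlines()
        return {
            "same_file_for_same_source": p1 == p2,
            "fw_line_count": len(fw_lines),
            "switch_file": os.path.relpath(p3, d).replace(os.sep, "/"),
        }

if __name__ == "__main__":
    print(demo())
```

To run it for real, call serve("/var/log/syslog/remote") as root or, better, as an unprivileged user granted CAP_NET_BIND_SERVICE, then send a test message from another machine with logger -n <server> -P 514 -d "test message".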

What is the default Syslog facility level?

There is no single default. The facility is chosen by the program or device that sends the message: the kernel uses kern (0), and applications on Linux usually use user (1) or daemon (3). Network devices typically pick one of the local0 to local7 facilities (Cisco IOS defaults to local7, for instance), which is why many Syslog servers expect device messages there. Check each device's configuration and make sure your server's filters match it.

How do I memorize Syslog levels?

The Syslog levels are:

  • Emergency (0)
  • Alert (1)
  • Critical (2)
  • Error (3)
  • Warning (4)
  • Notifications (5)
  • Information (6)
  • Debug (7)

The numbers run from the most urgent (0) to the least (7). To memorize the order, take the first letter of each level, E, A, C, E, W, N, I, and D, and build a sentence whose words start with those letters; a phrase that is personal or slightly rude is easier to recall, just don't recite it out loud. Remember, too, that a lower number means a more serious message, so a filter set to "warning and above" keeps levels 0 to 4.

What is a Syslog server?

A Syslog server is a program that listens for messages sent by Syslog clients and stores, displays, or forwards them. It doesn't answer the client; Syslog is one-way. The messages follow the Syslog protocol, which defines the fields in each record: a priority value that encodes the facility and severity, a timestamp, the sending host's name, and the message text.