Best free syslog servers for Linux and Windows

Syslog is a universal standard for system messages. It was originally implemented by a Unix utility, called Syslogd, but now it is used by a wide range of IT equipment, so just about every piece of computing kit that you buy will be able to send Syslog messages.

You can direct these messages to different log files according to the message severity level. But if you plan to make the most of the information, that data really should be processed or at least read.

To qualify as a Syslog server, a tool must be able to collect system messages written according to the Syslog protocol and store them. Syslog forwarding capabilities are handy, as is the ability to rotate logs — that means creating new files periodically.

Here’s our list of the best Syslog server tools for Linux and Windows:

  1. SolarWinds Kiwi Syslog Server (EDITOR’S CHOICE): The top choice for collecting, viewing and archiving syslog messages and SNMP traps. With a variety of filters and real-time monitoring options you can closely monitor your network and also send daily summaries. Free for up to five devices.
  2. Loggly (FREE TRIAL): Cloud-based log analyzer that uploads all of your log data to its servers. This is a paid service, but there is a free Lite package.
  3. ManageEngine Event Log Analyzer (FREE TRIAL): Can be installed on Windows or Linux, operates as a Syslog server and includes a very intuitive and user-friendly dashboard.
  4. Site24x7 Server Monitoring (FREE TRIAL): A network, server, and application monitor that includes a log manager for Syslog and also Windows Events and application log messages. This is a cloud-based service.
  5. Opmantek opEvents (FREE TRIAL): A log file manager that is able to collect log messages from a range of sources, including Syslog. Installs on Linux.
  6. ManageEngine Log360 (FREE TRIAL): A SIEM system that includes a log collector and server that is able to extract Syslog messages from Linux computers. Runs on Windows Server.
  7. Paessler PRTG Network Monitor (FREE TRIAL): A comprehensive network, server, and application monitor that includes sensors for Syslog management.
  8. Progress WS_FTP Server: This FTP server is able to manage the receipt of Syslog messages. The tool will run on Windows Server.
  9. Syslog Watcher: A free Syslog server for Windows that writes Syslog messages to files or a database and includes record sorting and filtering functions.
  10. Fastvue Syslog: Free Syslog server for Windows Server 2012 R2 and later. As well as writing messages to log files, it creates verification files that hold SHA-256 checksums.
  11. The Dude: Free network analysis tool with an integrated Syslog server for Windows, Linux, and Mac OS.
  12. Nagios Log Server: Integrated into Nagios XI (paid) and Nagios Core (free) for Windows and Linux. The free version is limited to a data throughput of 500 MB per day.
  13. Icinga 2: Free network monitoring system for Linux with an integrated Syslog server.
  14. Visual Syslog Server: Collects Syslog messages and stores them to file as well as displaying them in a dashboard. The program is free and runs on Windows and Windows Server.
  15. Syslog-NG: A free Syslog server for Linux that also collects Windows events over a network.
  16. NxLog: A free Syslog server for Windows, Linux, Unix, and Android.
  17. Logstash: A system message monitoring service for Linux that includes the storage of Syslog messages.
  18. Graylog: A log management system for Linux that is free to use with log message data volumes of up to 5 GB per day.
  19. TFTPD32: Lightweight, free system message logger for Windows that includes monitoring for Syslog.

Syslog servers by OS

Syslog server          | Linux | Windows | Other
Event Log Analyzer     | Yes   | Yes     | No
Opmantek opEvents      | Yes   | No      | No
ManageEngine Log360    | No    | Yes     | No
Paessler PRTG          | No    | Yes     | Yes
Progress WS_FTP Server | No    | Yes     | No
Syslog Watcher         | No    | Yes     | No
Fastvue Syslog         | No    | Yes     | No
The Dude               | Yes   | Yes     | Yes
Nagios Log Server      | Yes   | Yes     | No
Icinga 2               | Yes   | No      | No
Visual Syslog Server   | No    | Yes     | No

The Best Syslog Server Tools for Linux and Windows

If you don’t have a budget for tools, or if you don’t think that it is worth spending money just to look at log file messages, then check out our list of free syslog servers. Most review sites will give you a list of the five or 10 best syslog servers, but we have gone the extra mile and found 18 excellent syslog servers that are free to use.

What should you look for in Syslog server tools?

We reviewed the market for Syslog servers and analyzed the options based on the following criteria:

  • The ability to receive Syslog messages from any system
  • The option to receive log messages from other systems
  • Logfile consolidation
  • A log file manager
  • A log receiving record
  • Free options or a free trial period for assessment
  • A free tool that offers sufficient utilities or a tool that is worth paying for

1. SolarWinds Kiwi Syslog Server (FREE DOWNLOAD)


Kiwi is a syslog server utility from SolarWinds. The package costs $295, but there is a free version. You can use the system for free to monitor Syslog messages from up to five devices. The free package would only be suitable for small networks.

Key Features:

  • Collects Syslog messages and SNMP traps
  • Generates log files
  • Log record viewer
  • Free version

The Simple Network Management Protocol is based on the Syslog methodology, so Kiwi can also gather SNMP messages. A device-originated alert message is called an “SNMP Trap.” The Trap is an exception to regular SNMP procedures in which devices’ agents only respond with statuses when queried by a manager program. So, Traps are designed to signify high-risk conditions. The package includes Kiwi Syslog Web Access, which is a Web interface that you host on your own server and gives access to the console of the Syslog server from anywhere through any standard Web browser.


Pros:

  • Offers a freeware version for smaller networks
  • Captures both syslog and SNMP traps, ensuring nothing is missed
  • Interface is easy to use and allows for quick filtering based on application, location, or custom grouping
  • Color-coded warning level helps critical events pop out, and aids in prioritization
  • Affordable for any size network

Cons:

  • Built for sysadmins, not the best option for home networks or non-technical users

The Kiwi system enables you to write event logs by IP address, date or by message source type. You can get alerts on high traffic conditions sent to you by email. However, the paid version lets you choose many more conditions to be notified about by email. The Kiwi Syslog Server is only available for Windows. It can be installed on Windows Server 2008 R2, Windows Server 2012, Windows 7 SP1, Windows 8.1, and Windows 10.


Kiwi Syslog Server is the top choice for collecting, viewing and archiving syslog messages and SNMP traps. With a variety of filters and real-time logging windows, you can closely monitor your network and send daily email summaries. The free version is limited to 5 devices, but the full version, at only $295, is far more powerful with actions like sending emails, running programs and sending logs to a database. For both large and small networks, this is a great choice of Syslog server.


OS: Windows & Windows Server

2. Loggly (FREE TRIAL)


Loggly is a Cloud-based log consolidator and analyzer. As such, you don’t need to install any software on your premises; you just need to set up automated file transfer procedures to get your logs uploaded to the Loggly server.

Key Features:

  • Cloud-based log consolidator
  • Standardizes log messages from different sources

The Loggly system retains your Syslog messages in a standardized format. It will also accept logs from Amazon Web Services (AWS), Docker, Logstash, and a host of other log capture systems. All of these records get adapted so that the information in them can be accessed in a unified manner. Once your logs are in the Loggly system, you will be able to analyze them using the log analysis tools in the online service.

A big advantage of using Loggly is that you get storage space included in the deal. You need to back up all of your log files to a site separate from your own so that an intruder who gets into your system cannot remove all records of their activities. So you are going to need to look for a Cloud storage solution in any case. Signing up for the Loggly service takes care of archiving your logs while making the data available for analysis.

The length of time that your log data is available in the Loggly system depends on which of the four packages you sign up for. The Lite package is permanently free, but it only retains data for seven days and allows you only one user account. The Standard pack allows you transfers of one GB of data per day and will retain your records for a month. The Pro Loggly service has a variable pricing method. It allows you a data transfer allowance of between three and twenty GB per day with a retention period of between fifteen and ninety days. The top package is called Enterprise and this is tailored to the customer by the sales team.


Pros:

  • Lives in the cloud, allowing syslog servers to scale regardless of onsite infrastructure
  • Setup is easy, no lengthy onboarding process
  • Can pull logs from cloud platforms such as AWS, Docker, etc.
  • Data is immediately available for review and analysis
  • Offers a completely free version with limited retention

Cons:

  • Would like to see a longer trial

All services are charged for by subscription and you can choose to pay either annually or monthly. You can try a paid account of Loggly on a 14-day free trial – you don’t need to give any payment details when you sign up for the trial. Your account will simply be reduced to the Lite package if you choose not to upgrade to the paid service at the end of the fourteen days.


3. ManageEngine EventLog Analyzer (FREE TRIAL)


ManageEngine’s EventLog Analyzer operates as a Syslog server and is free for up to five log sources. The monitoring software can be installed on Windows or Linux, but it can monitor events arising on any operating system. The syslog data can originate in any type of network-connected equipment, including switches, routers, and virtual machines.

Key Features:

  • Syslog log manager
  • Functional dashboard
  • User rights management

You don’t have to put much work into setting up the system thanks to its autodiscovery feature. Syslog is a messaging standard implemented by just about all network-connected devices, so the EventLog Analyzer just needs to listen on the network for all Syslog-compliant messages sent out by the equipment connected to it. Each message contains a header that identifies its origin. That enables the EventLog Analyzer to build up a list of all hardware on the network and list alerts and status reports by IP address/origin.

The ManageEngine dashboard includes a lot of functionality that enables you to specify actions to perform on the collected Syslog data. A typical Syslog server requirement is to write all records to event logs. This action is available, but you can also query records in the dashboards and sort and filter messages. Archived logs can be compressed and encrypted. The encryption enables access rights to be imposed on user accounts, so the visibility of the data in Syslog files can be restricted to just a few network users with admin rights.


Pros:

  • Offers a limited freeware version, good for smaller businesses
  • Works seamlessly with other ManageEngine tools, fits well into their environment
  • Can apply bulk actions to log data making it a good fit for enterprises and larger networks
  • Archived logs can be encrypted and have access rights applied to them, helpful in team environments

Cons:

  • The platform has a large number of features and options which can take time to fully learn and implement

The EventLog Analyzer can also monitor SNMP messages. ManageEngine produces a comprehensive network monitoring system, called OpManager. A Free Edition of this tool is available allowing up to 5 log sources only. You can also download a 30-day free trial of the Premium Edition. For more pricing options, you can contact their sales team.


4. Site24x7 Server Monitoring (FREE TRIAL)


Site24x7 is a cloud-based platform of system monitoring tools. The services are sold in bundles of monitors and management tools and all include the Log Manager.

Key Features:

  • Syslog collector
  • Consolidates Syslog, Windows Events, and application logs
  • Log file viewer
  • Log analysis tools

The Site24x7 Infrastructure plan is one of those bundles. It offers network, server, application, and website monitoring utilities as well as the Log Manager. This system is almost entirely based in the Cloud. However, it requires an agent program to be installed on the monitored system. There is a version of the agent for Linux and another for Windows Server. Whichever version gets installed, the system can collect Syslog messages because it is able to gather data across a network.

The agent program uploads data, including Syslog messages, to the Site24x7 server for processing. The server puts all of the log messages that it receives into a common format and then files them. The standardization of message formats allows log messages gathered from different sources to be analyzed together.

The Site24x7 dashboard includes a log file viewer that has a number of data analysis tools built into it. These tools include the ability to search, sort, filter, and group messages.


Pros:

  • One of the best platforms in terms of log visualization
  • Offers numerous templates and configurations that make the platform plug-and-play
  • Operates as a cloud service, lowering infrastructure costs and making scaling easy
  • Log collector agent is available for both Windows and Linux
  • Pricing is based on data processed and retention rates, making this a viable option for both large and small businesses

Cons:

  • Site24x7 is a more detailed platform designed for professionals, not the best fit for hobbyists or home users

The Site24x7 Infrastructure plan costs $9 per month when paid annually and it includes a log message processing allowance of 500 MB per month. This allowance can be upgraded for a fee: 10 GB at $10 per month, 100 GB at $95 per month and 1 TB at $900 per month.

Site24x7 Infrastructure is available for a 30-day free trial.


5. Opmantek opEvents (FREE TRIAL)


Opmantek opEvents is a Syslog collector that is also able to collect Windows Events and log messages from applications. The opEvents service will consolidate log messages from all sources by converting them into a common format before storing them in files.

Key Features:

  • Consolidator for Syslog and other log sources
  • Manages log files
  • Data viewer
  • Alerts on log message arrival rate

The system rotates files and gives them meaningful names, storing them in a logical directory structure so that individual log messages can be located manually. The dashboard for opEvents shows the arrival rate and sources for all messages as they are processed and it is possible to place performance expectation thresholds on this arrival rate. If log messages stop arriving or arrive at a faster or slower rate than expected, the system will raise an alert.
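One way to implement the arrival-rate check described above, as an added example rather than opEvents code; the thresholds, window size, source names and timestamps are constructed for illustration. It walks an inventory of expected sources so that a device that has stopped sending is reported as well as one that is too noisy.

```python
from collections import Counter

# Constructed sample: (epoch second, source name) for each received message.
EVENTS = (
    [(t, "fw01") for t in (5, 20, 41)]          # minute 0: normal rate
    + [(t, "fw01") for t in range(60, 76, 2)]   # minute 1: burst of 8 messages
    + [(130, "fw01")]                           # minute 2: trickle of 1 message
    + [(t, "sw02") for t in (10, 50)]           # sw02 reports, then goes quiet
)
EXPECTED_SOURCES = {"fw01", "sw02"}  # hypothetical device inventory


def rate_alerts(events, sources, start, end, window=60, low=2, high=5):
    """Return (window_start, source, count, reason) for every window whose
    message count falls outside [low, high], plus any unexpected sources."""
    counts = Counter()
    unknown = Counter()
    for ts, src in events:
        if not (start <= ts < end):
            continue  # outside the period under review
        if src not in sources:
            unknown[src] += 1
            continue
        counts[(src, (ts - start) // window)] += 1

    alerts = []
    n_windows = -(-(end - start) // window)  # ceiling division
    # Iterate over the inventory, not over what arrived: a silent device
    # produces no events, so it never appears as a key in `counts`.
    for src in sorted(sources):
        for w in range(n_windows):
            c = counts[(src, w)]
            if c == 0:
                reason = "silent"
            elif c < low:
                reason = "below min"
            elif c > high:
                reason = "above max"
            else:
                continue
            alerts.append((start + w * window, src, c, reason))

    # Messages from a sender that is not in the inventory are worth a look too.
    for src in sorted(unknown):
        alerts.append((start, src, unknown[src], "unexpected source"))
    return alerts


if __name__ == "__main__":
    for alert in rate_alerts(EVENTS, EXPECTED_SOURCES, start=0, end=180):
        print(alert)
```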

The dashboard also includes a data viewer. You can load in log files and then sort, group, and search through them, creating manual analysis queries. These queries can be stored so they can be applied to other files.


Pros:

  • Features simple yet informative visualizations of your log events
  • Great user interface – sleek and easy to navigate
  • Offers powerful log consolidation, great for pulling data from diverse sources
  • Alerts can be configured if events haven’t been pulled at a specified rate
  • Solid alternative to cloud-based solutions

Cons:

  • Does not offer a cloud version

The Opmantek system is centered on the Network Management Information System (NMIS), which is a free, open-source system. You have to install NMIS first because opEvents is an add-on and not a standalone service. opEvents is free for networks of up to 20 nodes. Both packages install on Linux. It is possible to install it on Windows over an Opmantek hypervisor. The full version of opEvents is a paid service and you can get it on a 30-day free trial.


6. ManageEngine Log360 (FREE TRIAL)


ManageEngine Log360 is a SIEM system that also acts as a log manager – those logs are the source data for the SIEM. This software package installs on Windows Server. However, it is able to collect Syslog messages from computers running Linux. It is also able to collect logs from computers running macOS and Windows. The different log messaging standards produce different message layouts, so the log manager in Log360 converts all of the messages that it receives into a common format.

Key Features:

  • Merges logs from Windows Events and Syslog
  • Gathers logs from software packages
  • Data viewer
  • Log processing statistics

The log messages can be viewed within the console as they arrive and they are also filed. The data viewer can recall a file for analysis. While manual analysis is possible, the system’s main value is its automated SIEM scanning.

The SIEM service identifies anomalous behavior. In order to do this, the service establishes a framework of normal behavior through the deployment of user and entity behavior analytics (UEBA). Differences from the standard trigger an alert. You can adjust the threshold for alert generation. Alerts can be fed through service desk ticketing systems, including ManageEngine ServiceDesk Plus, Jira, and Kayako.


Pros:

  • Gathers logs from more than 700 software packages
  • File integrity monitoring
  • Log management for Windows Events and Syslog
  • Coordinates with service desk tools

Cons:

  • Not available as a SaaS package

ManageEngine Log360 is available in a Free edition to monitor up to 25 endpoints. The Professional edition is available for a 30-day free trial.


7. Paessler PRTG Network Monitor (FREE TRIAL)


Paessler PRTG Network Monitor is a very comprehensive network monitoring system. However, you can use PRTG for free if you have a small network. Paessler charges per “sensor.” A sensor is a condition or status on a network. The company counts Syslog as one sensor, and if you monitor 100 sensors or less, the system is free of charge. So, you will have 99 other network conditions that you can monitor before you have to pay.

Key Features:

  • Syslog collector sensor
  • Writes log records to a database
  • Manages Syslog database
  • Free version with limitations

You can download the PRTG software from the Paessler website and install it on Windows. There isn’t a version for Linux. However, you can opt to access the software as a cloud service, which is system agnostic.

The Syslog function in PRTG is called the Syslog Receiver. This sensor will gather all Syslog data traveling around your network and write them to a database. Once the messages are in the database, the subsequent management of those records depends on the settings that you specify for the system. You can get them written to log files, query them in the PRTG dashboard, and trigger actions under certain conditions.


Pros:

  • Allows users to customize sensors to meet their specific needs
  • Free version allows monitoring with up to 100 sensors, great for smaller businesses
  • Offers both on-premise and cloud versions
  • A great choice for companies looking to also monitor other aspects of their business such as networks, applications, or infrastructure

Cons:

  • Can take time to learn the platform, PRTG is rich with features and designed for enterprise use

PRTG is free if you only activate up to 100 sensors, which is more than enough to access the Syslog server monitors. You can download a 30-day free trial.


8. Progress WS_FTP Server


Progress WS_FTP Server is a secure FTP server that has Syslog capabilities. The tool was originally developed by Ipswitch, which became part of Progress Software Corporation in 2019. The tool was first released in 1993, so it is very stable. The WS_FTP system has a graphical user interface, which makes it very easy to use.

Key Features:

  • Collects and files Syslog messages
  • Secure file transfers
  • Suitable for inter-site transfers
  • Protects transfers with SFTP, FTPS, HTTPS, and SCP

The WS_FTP system is not dedicated to managing Syslog messages. Therefore, it is useful for a range of file and data transfer tasks that your business might require. The tool can also be used for receiving Windows Event messages. However, the package does not include a log message consolidator.

For processing Syslog files, the WS_FTP system would need to be integrated into a workflow that could receive the Syslog messages and then process them into rotated logfiles, held in a meaningfully named directory structure. This orchestration can be managed by a sister product, called MOVEit Automation.

The general-purpose nature of the tool means that it can be deployed for many applications, which provides greater flexibility than a tool that is dedicated to processing Syslog messages.


Pros:

  • A flexible FTP server that can be used for many different tasks
  • Syslog capabilities
  • Data processing automation by association with MOVEit Automation

Cons:

  • No log consolidator

Progress offers WS_FTP in three editions: Basic, Secure, and Premium. Each edition is available in different plans. The WS_FTP Secure edition would be appropriate for use as a Syslog server. Progress doesn’t publish its prices for the WS_FTP system. However, you can download and use the software on a 30-day free trial.

9. Syslog Watcher


Syslog Watcher from EZ5 Systems is available for installation on Windows. This is a free Syslog server program with several extra Syslog monitoring features. As just about every device connected to your network sends out Syslog messages, the Syslog server has to work fast if you want it to do more than just collect and write those messages to a file. Syslog Watcher uses a multithreaded architecture, so the Syslog collection of new records isn’t held up by the completion of processing.

Key Features:

  • Collects Syslog messages
  • Writes to files or a database
  • Free to use for home use

The control dashboard gives you options on how to process messages. You aren’t limited to storing them in files because you have the option of writing them to a database. Getting your Syslog messages in a database gives you a lot more power to deal with event records because you can sort, filter, group, and count them. It allows you to combine events to generate custom alert conditions. You can get alert messages sent to you by email through the Syslog Watcher.

Syslog Watcher can monitor messages both over UDP and TCP, and it can operate with both the IPv4 and the IPv6 address systems.


Pros:

  • Uses multi-threading for faster, more efficient log processing
  • Allows you to write logs to a database, good for larger volumes of data that need reviewing
  • Allows monitoring over UDP or TCP, giving you more port options than other tools

Cons:

  • Interface feels cluttered with a high volume of logs
  • Could use better event visualization features

UPDATE: Syslog Watcher is free for home use. Business users have to pay for the tool. However, EZ5 Systems offers a 30-day money-back guarantee. So, if you want to try it out for free, just use it for a month and then ask for your money back.

10. Fastvue Syslog


Fastvue specializes in system message reporting tools. One of its products is a free Syslog server utility. This software can be installed on Windows Server 2008 R2 and later versions of the Windows Server operating system.

Key Features:

  • Collects and stores Syslog messages
  • Manages log file directories
  • Free to use

The Syslog system collects incoming messages and writes them to event logs. That takes care of your basic Syslog server functionality. The dashboard of the Fastvue tool examines all of your archived files and gives you a report on each file’s size. Files are collated by date and each is paired with a verification file that stores a SHA-256 hash. Keeping an eye on this information tells you whether a log file has been interfered with. This is a crucial function for intrusion detection because hackers will amend log files to hide their presence.

Fastvue Syslog compiles separate log files for each reporting device/IP address, so you end up with directories of files per device address. Each file contains a day’s worth of Syslog data messages originating from the device that the directory shadows.
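The per-device, per-day log files and their SHA-256 verification files can be sketched as follows. This is an added example, not Fastvue's code: the directory layout, the `.sha256` file naming, the function names and the sample messages are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample: (source IP, date, raw syslog line). Not real traffic.
SAMPLE = [
    ("192.0.2.10", "2024-05-01", "<34>May  1 10:00:01 fw01 sshd[811]: Failed password for root"),
    ("192.0.2.10", "2024-05-01", "<38>May  1 10:00:09 fw01 sshd[811]: Accepted publickey for ops"),
    ("192.0.2.20", "2024-05-01", "<30>May  1 10:02:44 sw02 link: port 7 up"),
]


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large log archives do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_logs(root: Path, records) -> list[Path]:
    """Append each record to <root>/<source-ip>/<date>.log; return files touched."""
    touched = set()
    for ip, day, line in records:
        device_dir = root / ip
        device_dir.mkdir(parents=True, exist_ok=True)
        log = device_dir / f"{day}.log"
        with log.open("a", encoding="utf-8") as f:
            f.write(line + "\n")
        touched.add(log)
    return sorted(touched)


def seal(log: Path) -> Path:
    """Write the verification file for a finished (rotated) log."""
    side = log.with_name(log.name + ".sha256")
    side.write_text(f"{sha256_file(log)}  {log.name}\n", encoding="utf-8")
    return side


def verify(root: Path) -> dict[str, str]:
    """Map each log (path relative to root) to ok, MODIFIED, UNSEALED or MISSING."""
    status = {}
    for log in sorted(root.rglob("*.log")):
        rel = log.relative_to(root).as_posix()
        side = log.with_name(log.name + ".sha256")
        if not side.exists():
            status[rel] = "UNSEALED"
            continue
        parts = side.read_text(encoding="utf-8").split()
        expected = parts[0] if parts else ""
        status[rel] = "ok" if expected == sha256_file(log) else "MODIFIED"
    # A verification file whose log has gone means the log was deleted.
    for side in sorted(root.rglob("*.log.sha256")):
        log = side.with_name(side.name[: -len(".sha256")])
        if not log.exists():
            status[log.relative_to(root).as_posix()] = "MISSING"
    return status


def demo() -> dict[str, str]:
    """Seal the sample logs, drop one line from a sealed file, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for log in write_logs(root, SAMPLE):
            seal(log)
        target = root / "192.0.2.10" / "2024-05-01.log"
        lines = target.read_text(encoding="utf-8").splitlines(keepends=True)
        target.write_text("".join(lines[1:]), encoding="utf-8")  # simulated edit
        return verify(root)


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{state:9} {name}")
```

A hash file kept beside the log only catches changes made by someone who does not also rewrite the hash, so copy the digests to a separate host when they are created.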


Pros:

  • Simple, easy-to-use interface
  • Reports on file size, helping avoid any massive bulky log archives
  • Supports file integrity and encryption, ensuring data is not tampered with

Cons:

  • Lacks visualization features
  • Not the best option if you need log analysis features built in

This Syslog server focuses on creating and monitoring files of Syslog messages rather than making those records available for analysis. If you need a console to analyze records, you will need to import the log files into another application.

11. The Dude


The Dude is a very widely used free network analysis tool that includes Syslog server functions. This app can be installed on any Windows version from Windows 2000 on, all flavors of Linux, and macOS. This tool is produced by MikroTik, a router manufacturer from Latvia.

Key Features:

  • Collects Syslog messages
  • Forwarding and filtering
  • Free to use

This system can monitor your network devices and collect Syslog data. It can process SNMP alerts, plus ICMP and DNS traffic. The Dude can monitor TCP traffic as well as UDP. The network monitoring features include autodiscovery and a network topology mapper.

The Syslog functions of The Dude can be accessed from a tab in the interface. The system can operate as a full Syslog server with extra forwarding and filtering capabilities. You can get The Dude just to send all records to a file, or specify rules to divert qualifying messages to other destinations, which might be separate event logs or the console of the system. You can also drop individual records and get the system to beep, flash, or display a popup message for custom alert conditions.


Pros:

  • Installs on Windows, Linux, and Mac, making this one of the most flexible options for syslog servers
  • Can ingest SNMP alerts, ICMP requests, and DNS queries, giving you a wide variety of log collection options
  • Utilizes autodiscovery for network mapping and device identification
  • Supports log forwarding to other servers or applications

Cons:

  • Not as lightweight as some other simple syslog servers
  • Interface can be challenging to learn

The Dude performs actions when it detects a given alert condition, including the execution of commands. The Dude can send you an email or make a spoken announcement upon the detection of a custom alert condition.

12. Nagios Log Server


Nagios is based on an open-source project. The ability to download the source code for the system means you can use it for free. However, there are limits to the free version of Nagios. You can only use the system for free up to 500 MB of data throughput per day. The Nagios software can be installed on Windows and Linux.

Key Features:

  • Collects Windows Events and Syslog messages
  • Manages log files
  • Free version

The log server can gather information on Windows events, Linux syslogs, and network device syslogs. The application consolidates log messages in one central location. You can nominate physical servers to store event logs, distribute storage over a cluster of servers, even duplicate files in different locations to create backups.

The console allows you to view live streams of log messages and access previously-stored Syslog data. The interface includes sorting and filtering functions to help you analyze messages. You can specify alert conditions, which may be made up of a combination of statuses or designated as an alert on the frequency of specific message types coming in. The customization capabilities of Nagios even extend to the dashboard. It is possible to populate the dashboard with prioritized features, including message lists. Other elements you can place on the dashboard include data visualization tools, such as graphs, histograms, and charts.


Pros:

  • Open-source free version available
  • Supports built-in event visualization
  • Offers multi-platform log collection on Linux and Windows systems
  • Offers a live view into event collection as it happens
  • Dashboard is highly customizable – good option for teams

Cons:

  • Not as lightweight as some other simple syslog servers
  • Support isn’t as reliable as paid options
  • Bug fixes in open-source environments are left to the community

13. Icinga 2


Icinga started as a fork of Nagios. Since its inception in 2009, this package has diverged from its predecessor. The latest version of the software is called Icinga 2 and it can be installed on Linux. The package comes in two parts. The Core system is the data processor and the latest version of this software is called Icinga 2. The backend can interface with a range of data management applications, including Graphite and InfluxDB. The Icinga team also produces its own front end, called Web 2.0, which is available from the Icinga website in a separate download.

Key Features:

  • Part of a system monitor
  • Collects Syslog messages
  • Free to use

Icinga 2 is a comprehensive network monitoring tool and one of its functions is a logging feature. You can set the logging source to Syslog data. Optionally, the logger can be set just to collect Syslog messages of a specific severity level. It won’t limit message collection to just the nominated severity but will record all messages with the given severity, plus those with higher severity levels. The progression of message types is “debug,” “notice,” “information,” “warning,” and “critical.” The default level is “warning,” so if you just point the logger to Syslog without specifying a minimum severity level, it will pick up all warning and critical messages.

If you look at the Icinga website for a price, you won’t find one because this network monitoring tool is completely free.


Pros:

  • Can customize the priority level on inbound logs
  • Allows developers to integrate the tool into other data ingesting applications, such as a SIEM
  • Is completely free

Cons:

  • Antiquated interface, hard to use and cluttered

14. Visual Syslog Server


Visual Syslog Server is a small utility that collects Syslog data and displays them in a viewer. The records can also be written to event logs and rotated by date or file size. This application can be installed on Windows and it is available for free. The software can be installed on Windows XP and above and also on Windows Server 2003, 2008, and 2012.

Key Features:

  • Collector of Syslog messages
  • Data viewer
  • Free to use

In the dashboard, records are color-coded with error messages in red and warnings in yellow. Those colors can be customized. You get real-time views of the messages and you can also load records into the viewer from files.

Although this utility doesn’t have sophisticated graphics or message processing options, it is lightweight and fast, so it has a market. The viewer presents records and allows you to filter them and sort them. The interface can be set to play a sound when an alert condition is encountered. You can also set the application to send you an email when it encounters an alert or a warning. If your email system supports encryption, Visual Syslog Server will encrypt the notification emails that it sends to you.


Pros:

  • Simple interface – utilizes color to aid in log prioritization
  • Powerful filtering options work quickly and are easy to learn
  • More user friendly than other tools

Cons:

  • Better suited for smaller networks, features don’t work as well at scale
  • Lacks event visualization
  • Alert notifications are limited

This is a handy, free, ready-to-use, and strong Syslog tool that gets the job done.

15. Syslog-NG


Syslog-NG is an open-source package that is free to use. The software for Syslog-NG can only be installed on Linux. However, the log management system can collect Windows event data as well as standard Linux, Unix, and device firmware-generated Syslog messages.

Key Features:

  • Forwards messages
  • Writes to database
  • Free to use

The Syslog-NG system will collect all Syslog (and Windows events) messages from the devices connected to your network, recording the source IP address. The default destination for those records is to event logs. However, you can also forward Syslog messages to other applications or insert them into an SQL database. Syslog-NG is a pure Syslog server in that it just deals with capturing Syslog messages. Syslog-NG reorganizes system messages arriving in different formats so they are stored in the same layout.

Other Syslog servers on this list can analyze data from the messages. Some Syslog servers have attractive dashboards with data visualization features. You don’t get any of that with Syslog-NG. If you want to get more functionality to process your Syslog messages, you will need to add on a data analysis tool.


Pros:

  • Completely free and open source
  • Can collect data on Linux, Unix, and Windows, a good flexible option for networks running multiple operating systems
  • Supports data forwarding into a database format, great for long term archiving

Cons:

  • Interface is cluttered, hard to navigate
  • System monitor visualization could be improved
  • Doesn’t support data analysis

16. Nxlog


This review includes Syslog server programs that can be installed on Windows and/or Linux. Nxlog can be installed on either of those operating systems and also on Unix and Android. Whichever operating system you install this system on, it will be able to collect Syslog data from all the others — Unix, Linux, Windows, and Android.

Key Features:

  • Suitable for Windows, Unix, Linux, and Android
  • Multithreaded architecture
  • Free to use

Nxlog is a straightforward message collection system. It can operate over UDP and TCP and it can receive messages protected by TLS encryption. Messages get written to files and can also be stored in databases. In all cases, Nxlog creates a standard record format that unites data from disparate sources. A multithreaded architecture enables this tool to handle hundreds of thousands of messages per second, making it suitable for all sizes of a network.


Pros:

  • Supports Windows, Unix, Linux, and uniquely Android as well
  • Lightweight application – uses very few resources
  • Multi-threaded architecture enables the tool to process large volumes of data
  • Completely open-source and free

Cons:

  • Interface is barebones, lacking many features found in similar tools
  • No event visualization

The Nxlog system is open-source and you can use it free of charge. There aren’t any analytical functions in this tool, so if you want to view records or manipulate them in any way, you will need to find a separate front end for analysis. This is a straightforward message collection and logfile creation facility, making it a pure Syslog server.

17. Logstash


Logstash is part of a suite of utilities called “Elastic Stack.” This group of tools is produced by a group of developers whose first product is called Elasticsearch. Elasticsearch is a second element in the Elastic Stack, as is Kibana. The division of labor between these three packages is that Logstash collects log messages, Elasticsearch enables you to sort and filter those messages for analysis, and Kibana interprets and displays the data. All of the Elastic Stack programs run on Linux.

Key Features:

  • Part of the ELK stack
  • Collects from cloud platforms
  • Free to use

Kibana makes a great front-end for any of the other Syslog servers in this list. As the event message collection service for the stack, Logstash operates as a Syslog server. The utility listens on the network for messages sent from a wide range of sources. To record a specific stream, you need to install a plug-in for that data type. You can just install the Syslog plug-in, or add in other plug-ins to include other data sources.

Logstash also gathers data from cloud services including AWS. It can collect data from applications such as Ganglia, Salesforce, Graphite, Kafka, and Twitter. You can set the collection process to include TCP and UDP messages and it can receive messages encrypted with TLS. Logstash can read messages from a file, from a database, pick up SNMP messages, IRC and RSS feeds, and get messages from mail servers.


Pros:

  • Great user interface, highly visual with easy to navigate toolbar
  • Part of the Elastic Stack – leverages a large open-source community
  • Supports gathering information from cloud sources like AWS
  • Uses Elasticsearch for filtering, one of the most flexible search tools available

Cons:

  • Must install plugins for every data type you collect
  • No paid support option, bugs and issues are resolved by the community

Logstash can filter, divert, and reformat messages during processing. The program stores records in files or inserts them into databases. The utility is written to integrate with Elasticsearch and can send data directly to that application. Similarly, Logstash can be set to output data to Loggly, Nagios, AWS, Graphite, and Graylog. Other plug-ins will notify you of new log data by email or by Slack message. Logstash is available free of charge.

18. Graylog


Graylog is a log management system available for Linux. This is a sophisticated Syslog data analysis tool. However, you can just take advantage of its message collection and storage capabilities to use it as a pure Syslog server. Graylog is free for data volumes of 5 GB or less per day. Owners of small networks won’t have to pay anything to use it. The data analysis functions don’t generate extra data throughput. You don’t get any support with the free version of Graylog. However, a community forum on the Graylog website is filled with tips and tricks from other users.

Key Features:

  • Runs on Linux
  • Active user community
  • Free to use

Graylog sits on top of Virtual Machine software. This underlying system in Linux includes the rsyslog facility. It is rsyslog that will perform your Syslog message gathering and storage functions. You can manage rsyslog through the Graylog interface. If you pay for Graylog, you can also gather data through the Sidecar system. This allows you to store event logs on Windows computers.

The front-end for Graylog is browser-based. This will display inputs by type, so you will be able to see your Syslog messages together in one section of the dashboard. You can customize the dashboard, so if you set the system to gather messages from several sources, you don’t have to show the information from other sources on the same page as your Syslog messages. Widgets available for the dashboard include data visualization, such as histograms.

The dashboard enables you to create your own alert conditions. You specify each alert based on a data stream type. For example, you can pick the Syslog UDP stream and then set up an alert condition on the number of warning messages that come through. System settings enable you to get alerts sent to you as email notifications. Stream handling procedures enable you to parse records, forward them, or store them to file or database.


Pros:

  • Open-source tool with large community
  • Free for users who use less than 5GB of data per day, making it a good option for smaller growing businesses
  • Browser-based dashboard allows users to track their logs from anywhere

Cons:

  • Has a steeper learning curve than other products
  • Requires more time to learn the platform than other tools

19. TFTPD32/64


TFTPD is a small utility for Windows. The package is available as a 32-bit or a 64-bit application. The central element of this software is a TFTP client implementation. That client can be set to receive network messages from DHCP, DNS, and SNTP servers. It is also able to receive Syslog data.

Key Features:

  • GUI and command line
  • DHCP and DNS server
  • Free to use

This is a simple open-source utility that displays messages in the dashboard as they arrive. Buttons over the viewer give you the ability to view messages by type and Syslog is one of the message types that can be featured. You see messages as they travel on their way to event logs and the viewer also names the file that Syslog messages should be stored to. This utility doesn’t give you much functionality for data analysis. However, you can also read in records from a file and then you have the ability to sort and filter messages.


Pros:

  • Lightweight alternative to other more modern options
  • Can be used in other capacities since it’s a TFTP server
  • Available for free

Cons:

  • No data analysis tools
  • No event visualizations
  • Outdated user interface

TFTPD can work with IPv6 addresses as well as IPv4 addresses. TFTPD32 and TFTPD64 are both available for free.

What you need to know about Syslog Servers and Clients

The concept of a “Syslog server” really refers to an application that deals with syslog messages rather than the provision of a dedicated computer to receive the messages. So, don’t get misdirected by that “server” word in there.

The server/client model is a little difficult to grasp in Syslog terms, too. Usually, the client contacts the server and the server responds. In syslog, the syslog client is just a program that broadcasts error, warning, and debugging messages. The syslog client doesn’t have any direct contact with a counterpart: it sends out the messages whether or not anyone is listening for them. Syslogd is a daemon. This is a Syslog collector and so is judged to be the server, even though it never responds to the originator of the messages. The daemon may be running locally, or it can also be implemented as a remote syslog server by connecting over the internet.

Although the Syslog standard has been codified by the Internet Engineering Task Force, there are so many implementations of Syslog that some variation in the syslog data message format exists. With all of the different message types you could be benefiting from, you need to get a tool to sort through them all.

The definition of the Syslog standard is freely available to the public but it is not regarded as an “open source project.” This is because “open source” refers to freely available program code, but Syslog is a standard, rather than a program. However, there are open source Syslog server implementations out there.

Syslog and Windows

The Syslog standard was written for Unix and it is also available for Unix-like operating systems, including Linux and Mac OS X. Syslog is also used by many network devices for error reporting. Syslog doesn’t operate on Windows. The Windows operating system has its own log messaging system, called Events.

The division of log systems between Windows and Linux into two separate and incompatible standards shouldn’t cause you a problem. You can unify these log file messages in one central location so security software, such as intrusion detection systems can get a system-wide view of events.

Network equipment will automatically broadcast Syslog messages on the network. That means that any device can pick the messages up. The Syslog standard specified that log messages should be circulated to UDP port 514 or TCP port 1468. The destination of messages on a Linux server is dictated by the syslogd or syslog-ng configuration file. These can be directed to the network on the well-known UDP or TCP port.

Once you have the Syslog messages circulating on the network, software running on Windows can pick them up, so you don’t have to stick to Syslog server software for Linux to collect these important messages. Many excellent Syslog servers are written to run on Windows.

Syslog Messages

Syslog messages can be regarded as the Linux/Unix equivalent of Windows Event Logs. So, you could refer to them as “Syslog events.” They supply the essential information and will support your system administration tasks through:

  • Warnings of equipment failure – which get written to a log file
  • Capacity exhaustion monitoring – through pre-set warning levels which you set yourself
  • Alerts of unexpected events – abnormal activity may indicate compromised user accounts
  • Network intrusion detection – spot unauthorized devices and access to unexpected locations on the internet

The records in your syslog files are written there because the producers of your software and devices judged certain events to be of significance, so it is a mistake to ignore this rich source of system activity and status information. So download a Syslog collector and activate it.

Syslog Port Numbers

Syslog operates over UDP, so expect activity on UDP port 514 of your network devices. This is caused by all of those Syslog event messages circulating around your network. UDP port 514 is used by Syslog clients to send messages and also by Syslog servers to listen for messages. Therefore it is both the source and destination port on all standard Syslog communications. Don’t close it. Be suspicious of activity on TCP port 514. This is a port known to be used by the ADM worm and it is not used for Syslog.

There are secure Syslog implementations. A secure Syslog service needs to establish a connection, so you cannot use a UDP port for it. The secure version of Syslog is known as Syslog over TLS and it uses TCP port 6514. If you want to operate a remote Syslog server connecting to a network across the internet, you need to go the Syslog over TLS route because unencrypted Syslog events being sent over the internet would seriously undermine your network security.

Choosing Syslog server software

As you can see from the description of the tools in our list, you can choose a straightforward Syslog server, or opt for an analytical tool or a network monitoring system that incorporates Syslog server functions.

Beyond the basic functions of transferring Syslog messages to files, you can look for the capabilities to sort and filter messages. The ability to vary processing according to message types and drop debug messages and information notifications is useful. A programmer might need to see those debug messages, and so the ability to selectively direct message types to a viewer, a log file, or to a database can be very useful.

The evolution of Syslog processing to store records in a database rather than a file offers you great power. It is far easier to index, sort, search, and filter records in a database than it is to manipulate file records. This is because databases include a structured query language that enables you to isolate fields in records and perform selection, grouping, and exclusion functions on data without altering the original stored records.

Another useful advancement in the Syslog servers available today is a system that can collect messages generated by other platforms and protocols, such as the Windows event logger. If your Syslog server can create standardized record formats, that takes you another step further along the route to collect important information about your system.

Getting alerts created for the conditions reported by Syslog will also give you extra power to focus your energy on essential tasks. The ability to create your own alert conditions represents an advancement in Syslog processing. Sometimes, the contents of a message might not create concern. However, a sudden surge in the frequency of such messages should become an alert and you can specify such conditions in many of the Syslog servers listed in this full review. The ability to combine a count of message types or error conditions is another useful feature that many modern Syslog servers include.
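The surge condition described above, as an added Python sketch that is not taken from the article or from any product in this list: it counts warning-or-worse messages per host and application in a sliding window and raises one alert when the count reaches a threshold. The RFC 5424-style sample lines, the 60-second window and the threshold of 5 are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME ... (RFC 5424 header, version 1)
HEADER_RE = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) ")


def parse_header(line):
    """Return (epoch_seconds, host, app, severity) or None for malformed lines."""
    m = HEADER_RE.match(line)
    if not m or int(m.group(1)) > 191:      # 191 = facility 23 * 8 + severity 7
        return None
    try:
        ts = datetime.fromisoformat(m.group(2)).timestamp()
    except ValueError:
        return None
    return ts, m.group(3), m.group(4), int(m.group(1)) % 8


def find_surges(lines, window=60, threshold=5, max_severity=4):
    """Return one (host, app, first_ts, last_ts) alert per surge.

    A surge starts when `threshold` messages of severity <= max_severity
    (Warning or worse by default) from one host/app fall within `window`
    seconds. Lines are assumed to arrive in time order.
    """
    recent = defaultdict(deque)   # (host, app) -> timestamps inside the window
    in_surge = set()              # keys that have already raised an alert
    alerts = []
    for line in lines:
        rec = parse_header(line)
        if rec is None:
            continue              # syslog input is unauthenticated: skip junk
        ts, host, app, severity = rec
        if severity > max_severity:
            continue              # larger number = less severe
        key = (host, app)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in in_surge:
            in_surge.add(key)
            alerts.append((host, app, q[0], ts))
        elif len(q) < threshold:
            in_surge.discard(key)
    return alerts


# Constructed sample: six failed logins in 50 seconds, plus unrelated traffic.
_FAIL = "<36>1 2024-05-01T10:00:{:02d}+00:00 web01 sshd - - - Failed password for root"
SAMPLE = [
    "<38>1 2024-05-01T09:58:00+00:00 web01 sshd - - - Accepted publickey for deploy",
    _FAIL.format(0), _FAIL.format(10), _FAIL.format(20),
    "<28>1 2024-05-01T10:00:25+00:00 db01 cron - - - job overran its slot",
    _FAIL.format(30), _FAIL.format(40), _FAIL.format(50),
    "not a syslog line",
    "<36>1 2024-05-01T10:30:00+00:00 web01 sshd - - - Failed password for root",
]

if __name__ == "__main__":
    for host, app, first, last in find_surges(SAMPLE):
        print(f"surge from {host}/{app}: threshold reached in {last - first:.0f}s")
```

No single "Failed password" line here is alarming on its own; the alert comes from the fifth one arriving within the window.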

A Syslog server embedded in a network centralized management tool can provide excellent analysis capabilities. If you already have all the analytical tools you need, then you would be better off focusing on the vanilla Syslog server tools in this review. However, if you have very little budget for system management software and you don’t currently have any analytical tools, then go for a free system management utility that includes a Syslog server to keep control of your IT infrastructure.

Managing IT services requires proper tools. Take a look at the free software recommended in this full review that fits your operating system. Our Editor’s choice is an excellent place to start and the SolarWinds Kiwi Syslog Server is a comprehensive logging tool. Take a little time to play around with each tool so you can discover their features for yourself. Given that all of these tools are free, you have nothing to lose but the time it takes to learn them.

Syslog Server FAQs

How do I access my Syslog server?

The access method for a Syslog server depends on your operating system and the specific Syslog server that you chose to install. On Linux, the Syslog server is more likely to be a command line utility. If you have a Linux flavor with a graphical interface, such as Ubuntu, you might be able to have a GUI Syslog server package. 

GUI interfaces are very common for Windows-based Syslog servers. In these cases, the installer may well have created a shortcut icon on your Desktop. If you don’t see it there, click on the Start menu button and search through that list of available programs.

How do I create a Syslog server?

Syslog is a Linux utility, so it is better to create a Syslog server on a Linux machine:

  1. Install syslog-ng, which you can get from here. On Debian, you don’t need to download the utility. Instead type at the command line:
    apt-get install syslog-ng

    On RHEL, enter:

    yum install syslog-ng
  2. Locate /etc/syslog-ng/syslog-ng.conf and make a backup of it then edit it. Alter the configuration settings so the options look like:
    options {(off);
  3. Create a listener with the following lines in the configuration file:
    source s_net {
      tcp(ip(<listen-address>) port(1000) max-connections(5000));
      udp();
    };
  4. Set up a destination for the syslog messages. You can actually set up redirections for each source of message to different log file names. Here is an example line:
    destination d_net_syslog { file("/var/log/syslog/remote/$HOSTNAME/syslog.log"); };
  5. Save the configuration file.

Those are the basic steps to start collecting Syslog messages and storing them to a file. You can get more sophisticated by adding in filters to direct messages to different files or add in explanations of each recorded event.

What is the default Syslog facility level?

The default Syslog facility level is Local4.

How do I memorize Syslog levels?

The Syslog levels are:

  • Emergency (0)
  • Alert (1)
  • Critical (2)
  • Error (3)
  • Warning (4)
  • Notifications (5)
  • Information (6)
  • Debug (7)

Create a mnemonic to remember these. Take the first letter of each level type and make a memorable phrase with words that start with the same first letters. E, A, C, E, W, N, I, and D won’t make a meaningful word, but you can create a sentence that you won’t forget easily; put your name in there if it starts with one of those letters. Put in swear words, too, so you will remember the phrase, but then make sure you don’t recite it out loud.
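On the wire, the level number travels in the PRI field at the start of each message, computed as facility × 8 + severity. The following Python sketch is an added example, not part of the original article: it decodes that field and applies a "this level and anything more severe" threshold like the one described earlier for Icinga 2. The facility short labels and the sample messages are constructed for illustration.

```python
import re

# Severity names as listed above; the list index is the numeric code.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notifications", "Information", "Debug"]

# Short labels (an assumption of this example) for facility codes 0-23.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3",
    "local4", "local5", "local6", "local7",
]

PRI_RE = re.compile(r"^<(\d{1,3})>")
MAX_PRI = 23 * 8 + 7  # highest valid value: facility 23, severity 7


def decode_pri(message):
    """Return (facility, severity_code, severity_name), or None if the
    message has no PRI field or the value is out of range."""
    m = PRI_RE.match(message)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > MAX_PRI:
        return None
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], severity, SEVERITIES[severity]


def at_least(messages, threshold):
    """Keep messages at the named severity or more severe.

    More severe means a numerically LOWER code, so the comparison is <=.
    Messages that fail to decode are dropped rather than guessed at.
    """
    limit = SEVERITIES.index(threshold)
    kept = []
    for msg in messages:
        decoded = decode_pri(msg)
        if decoded is not None and decoded[1] <= limit:
            kept.append(msg)
    return kept


# Constructed sample messages (hosts and text are made up).
SAMPLE = [
    "<165>1 2024-05-01T10:00:00Z app01 billing - - - nightly export finished",
    "<34>May  1 10:00:05 gw01 su: 'su root' failed for operator",
    "<28>May  1 10:00:09 db01 smartd: disk temperature above limit",
    "<191>May  1 10:00:11 sw02 debug: polling loop tick",
    "<999>May  1 10:00:12 unknown: PRI value out of range",
    "May  1 10:00:13 legacy: message without a PRI field",
]

if __name__ == "__main__":
    for msg in at_least(SAMPLE, "Warning"):
        print(decode_pri(msg), msg)
```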

What is a Syslog server?

A Syslog server receives files sent by Syslog clients or sends out files in response to requests. The files are formatted following a protocol called Syslog, which defines the fields in each log message.