syslog server

Hi nanog community

I need help !!

What is the best syslog server (opensource)?

Thanks for your help


Step 0: Define what "best" means in your environment.

What features do you need? Routing to a central aggregation server over TLS?
Powerful regex-based routing? Ingestion into a database (a la splunk or Elk)
for data mining? Ability to deal with insanely high message rates? Other
must-have or don't-care features? License pricing? Vendor support?

Step 1: After figuring out what you need, make a matrix of the available
options and how well they fit.

(We have in production syslog-ng, rsyslog, splunk, Elk, and probably a few
others I've forgotten, for different purposes....)

+1 on Graylog


    I'll say an ELK stack, but seeing the original question...

    I got to ponder on the capacity of the OP.

I’m a big fan of Graylog.


There is no "best" when it comes to something like Syslog. There is only "best fit for your requirements". In order to determine that, you'll have to figure out what your goals and requirements are.

If you're just trying to do something basic and simple, like get logs from one machine to another, you should probably use what is available and supported by your vendor/distribution. For Debian/Ubuntu, you have Syslog-NG and RSyslog available. For Red Hat/CentOS, you have RSyslog as the default, and Syslog-NG available in EPEL. For other Operating Systems, you'll have to talk to your vendor or do some additional research.

If you want to do more than basic log shipping, then you've got some research to do. You need to map out the problem you're trying to solve, and decide on the requirements to accomplish it. Basic syslog is pretty easy. Enterprise log management is a lot more complicated. You start throwing in log aggregation, retention requirements, reliability requirements, encryption, log search, monitoring and alerting, etc., and you've got yourself a project.

There are multiple excellent Open Source solutions, but without knowing what you're trying to accomplish, it's difficult to recommend anything.

+1 for ELKK (with kafka)
Doing several hundred GB of log per day with a dozen instances on AWS (ES
cluster + logstash hosts + kafak cluster)


Journald is excellent. The binary storage format is a huge leap forward.


Greylog and Logstash are for having a convenient index of log messages,
but they're not particularly robust.

I've not seen syslog-ng crash, so I use it for collecting (and shipping)
log data. Logstash is convenient, pretty, and utterly unreliable. You
end up needing both.

- ---
Lars Lehtonen