From Gentoo Wiki

syslog-ng is a powerful, highly configurable monitoring and logging daemon.


USE flags

USE flags for app-admin/syslog-ng: syslog replacement with advanced filtering features

amqp Enable support for AMQP destinations
caps Use Linux capabilities library to control privilege
dbi Enable dev-db/libdbi (database-independent abstraction layer) support
geoip2 Add support for geo lookup based on IPs via dev-libs/libmaxminddb
http Enable support for HTTP destinations
ipv6 Add support for IP version 6
json Enable support for JSON template formatting via dev-libs/json-c
kafka Enable support for Kafka destinations
mongodb Enable support for mongodb destinations
pacct Enable support for reading Process Accounting files (EXPERIMENTAL, Linux only)
python Add optional support/bindings for the Python language
redis Enable support for Redis destinations
smtp Enable support for SMTP destinations
snmp Add support for the Simple Network Management Protocol if available
spoof-source Enable support for spoofed source addresses
systemd Enable use of systemd-specific libraries and features like socket activation or session tracking
tcpd Add support for TCP wrappers
test Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)


Install app-admin/syslog-ng:

root #emerge --ask app-admin/syslog-ng

It is a bad idea to run more than one system logger on a physical host. Other local loggers should be removed or disabled.

Additional software

When using a system logger such as syslog-ng, it is wise to install log rotation software so that logs are trimmed before they consume too much disk space. Logrotate is a fine option:

root #emerge --ask app-admin/logrotate


The default configuration provided by the ebuild is quite minimal. For a more comprehensive configuration see the configuration provided for Hardened Gentoo in:



The default source for syslog messages is:

FILE /etc/syslog-ng/syslog-ng.conf
source src { unix-stream("/dev/log"); internal(); };

If the system is running systemd, the default source needs to be changed to the following[1]:

FILE /etc/syslog-ng/syslog-ng.conf
source src { systemd-journal(); internal(); };
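
A check that the configured source matches the init system, following the two cases above. This is an added example, not part of the wiki page: the function names `detect_init` and `check_source` are hypothetical, the sample file is constructed, and only the exact driver spellings shown on this page are matched.

```sh
#!/bin/sh
# Added example: verify that syslog-ng reads from the source the init system provides.

# Print "systemd" on a systemd-booted host, otherwise "other".
# /run/systemd/system exists only when systemd is the running init.
detect_init() {
    if [ -d "${1:-/run/systemd/system}" ]; then echo systemd; else echo other; fi
}

# check_source CONF INIT
# Returns 0 if CONF uses the source expected for INIT, 1 on a mismatch,
# 2 if CONF cannot be read. Text after '#' is treated as a comment.
check_source() {
    conf=$1
    init=$2
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    body=$(sed 's/#.*//' "$conf")
    case $init in
        systemd) want='systemd-journal('; bad='unix-stream("/dev/log")' ;;
        *)       want='unix-stream("/dev/log")'; bad='systemd-journal(' ;;
    esac
    if printf '%s\n' "$body" | grep -qF -- "$bad"; then
        echo "MISMATCH: $conf uses $bad on a '$init' host"
        return 1
    fi
    if ! printf '%s\n' "$body" | grep -qF -- "$want"; then
        echo "MISSING: $conf has no $want source"
        return 1
    fi
    echo "OK: $conf uses $want"
}

# Constructed sample: the default source from this page, checked as if the
# host had been switched to systemd without updating the configuration.
sample=$(mktemp)
printf '%s\n' 'source src { unix-stream("/dev/log"); internal(); };' > "$sample"
check_source "$sample" systemd || true
rm -f "$sample"
```

On a real host, call it as `check_source /etc/syslog-ng/syslog-ng.conf "$(detect_init)"` after editing the configuration and before restarting the daemon.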



On OpenRC, add the syslog-ng daemon to the default runlevel so that logging starts on system boot:

root #rc-update add syslog-ng default

Start the syslog-ng daemon now:

root #rc-service syslog-ng start


On systemd, to start the syslog-ng daemon when the system boots, enable the service:

root #systemctl enable syslog-ng@default

To start the daemon now:

root #systemctl start syslog-ng@default

See also

  • syslog-ng (Security Handbook) - The system logging with syslog-ng is covered in the Security Handbook.
  • Metalog — an alternative syslog daemon.
  • Rsyslog — open source system for high performance log processing.
  • Sysklogd — utility that reads and logs messages to the system console, log files, other machines and/or users as specified by its configuration file.
