syslog-ng is an enhanced log daemon, supporting a wide range of input and output methods: syslog, unstructured text, queueing, SQL & NoSQL.


syslog-ng is an enhanced log daemon, supporting a wide range of input and output methods: syslog, unstructured text, message queues, databases (SQL and NoSQL alike), and more.


The easiest configuration that accepts system logs on /dev/log (from applications or forwarded by systemd) and writes everything to a single file is as follows:

@version: 3.17
@include "scl.conf"

log {
	source { system(); };
	destination { file("/var/log/syslog"); };
};

This one also processes logs from the network (TCP/514 by default):

@version: 3.17
@include "scl.conf"

log {
	source {
		system();
		network();
	};
	destination { file("/var/log/syslog"); };
};
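The network listener shown above accepts plain, unauthenticated TCP, so any host that can reach the port can submit messages. The following is an added example, not taken from the project's README, of the same log path with the listener bound to a single address and restricted to TLS clients that present a trusted certificate; the listen address and all file paths are placeholders.

```conf
@version: 3.17
@include "scl.conf"

# Added example: TLS-protected variant of the network listener.
# The listen address and every path below are placeholders (assumptions).
log {
	source {
		system();
		network(
			ip("192.0.2.10")      # bind to one interface instead of all
			port(6514)            # registered port for syslog over TLS
			transport("tls")
			tls(
				key-file("/etc/syslog-ng/tls/server.key")
				cert-file("/etc/syslog-ng/tls/server.crt")
				ca-dir("/etc/syslog-ng/tls/ca.d")
				# reject clients without a certificate signed by a CA in ca-dir
				peer-verify(required-trusted)
			)
			max-connections(100)  # cap the number of concurrent clients
		);
	};
	# keep the collected log unreadable for ordinary users
	destination { file("/var/log/syslog" perm(0640)); };
};
```

Senders have to be configured with transport("tls") and a client certificate issued by one of the CAs in ca-dir, otherwise the connection is refused.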

Structured/application logging, local submission via JSON, output in key=value format:

@version: 3.17
@include "scl.conf"

log {
	source { system(); };
	destination { file("/var/log/app.log" template("$(format-welf --subkeys .cim.)\n")); };
};

Here's how to submit a structured message using "logger":

$ logger '@cim: {"name1":"value1", "name2":"value2"}'

and the result will be:

name1=value1 name2=value2

For a brief introduction to configuring the syslog-ng application, see the quickstart guide.


  • receive and send RFC3164 and RFC5424 style syslog messages
  • work with any kind of unstructured data
  • receive and send JSON formatted messages
  • classify and structure logs with built-in parsers (csv-parser(), db-parser(), kv-parser(), ...)
  • normalize, crunch, and process logs as they flow through the system
  • hand over messages for further processing using message queues (like AMQP), files or databases (like PostgreSQL or MongoDB), and
  • forward log messages to big data tools like Elasticsearch, Apache Kafka, or Apache Hadoop.


  • syslog-ng provides performance levels comparable to a large cluster while running on a single node.
  • In the simplest use case, it scales up to 600-800k messages per second.
  • With classification, parsing, and filtering enabled, it still processes several tens of thousands of messages per second.


  • syslog-ng is developed by a community of volunteers. The best way to contact us is via our GitHub project page, our Gitter channel, or our mailing list.
  • syslog-ng is integrated into almost all Linux distributions and BSDs. It is also incorporated into a number of products; see our powered by syslog-ng page for more details.


  • Balabit is the original creator and the largest current sponsor of the syslog-ng project. They provide support, professional services, and add-ons you might be interested in.


We are really interested in who uses our software, so if you do and you like what you see, please tell us about it. A "star" on GitHub or an email with "thanks" in it is a lot already, but learning about your use case, your experience, and things to improve would be most appreciated.

Just send an email to feedback (at)

Should not take more than a minute, right? Now go ahead. Please.


Installation from source

Releases and tarballs ready to compile are made available on GitHub.

To compile from source, the usual drill applies (assuming you have the required dependencies):

$ ./configure && make && make install

If you don't have a configure script (because of cloning from git, for example), then run ./ to generate it.

Some of the functionality is compiled only in case the required development libraries are present. The configure script displays a summary of enabled features at the end of its run. For details, see the syslog-ng compiling instructions.

Installation from binaries

Binaries are available in various Linux distributions and contributors maintain packages of the latest and greatest syslog-ng version for various OSes.


Simply invoke the following command as root:

# apt-get install syslog-ng

The latest versions of syslog-ng are available for a wide range of Debian and Ubuntu releases and architectures from an unofficial repository.

For instructions on how to install syslog-ng on Debian/Ubuntu distributions, see the blog post Installing the latest syslog-ng on Ubuntu and other DEB distributions.


syslog-ng is available as a Fedora package that you can install using yum:

# yum install syslog-ng

You can download packages for the latest versions from here.

For instructions on how to install syslog-ng on RPM distributions, see the blog post Installing latest syslog-ng on RHEL and other RPM distributions.

If you wish to install the latest RPM package that comes from a recent commit in Git for testing purposes, then read the blog post RPM packages from syslog-ng Git HEAD.


Binaries for other platforms are listed on the official third party page.

Installation from Docker image

Binaries are also available as a Docker image. To find out more, check out the blog post Your central log server in Docker.


The documentation of the latest released version of syslog-ng Open Source Edition is available here. For earlier versions, see the syslog-ng Documentation Page. For ancient versions, see the Balabit Documentation Archive.


If you want to modify the source of syslog-ng, for example, to correct a bug or develop a new module, the syslog-ng gitbook helps you to take the first steps with the code base.