diff --git a/app-admin/syslog-ng/files/3.6/syslog-ng.rc6 b/app-admin/syslog-ng/files/3.6/syslog-ng.rc6 old mode 100644 new mode 100755 index 8242c2b..deb551f --- a/app-admin/syslog-ng/files/3.6/syslog-ng.rc6 +++ b/app-admin/syslog-ng/files/3.6/syslog-ng.rc6 @@ -1,19 +1,20 @@ #!/sbin/runscript -# Copyright 1999-2014 Gentoo Foundation +# Copyright 1999-2015 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 # $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/3.6/syslog-ng.rc6,v 1.2 2014/12/18 19:51:36 mr_bones_ Exp $ SYSLOG_NG_CONFIGFILE=${SYSLOG_NG_CONFIGFILE:-/etc/syslog-ng/${RC_SVCNAME}.conf} -SYSLOG_NG_STATEFILE_DIR=${SYSLOG_NG_STATEFILE_DIR:-/var/lib/syslog-ng} -SYSLOG_NG_STATEFILE=${SYSLOG_NG_STATEFILE:-${SYSLOG_NG_STATEFILE_DIR}/syslog-ng.persist} -SYSLOG_NG_PIDFILE_DIR=${SYSLOG_NG_PIDFILE_DIR:-/run} +SYSLOG_NG_STATEFILE_DIR=${SYSLOG_NG_STATEFILE_DIR:-/var/lib/${RC_SVCNAME}} +SYSLOG_NG_STATEFILE=${SYSLOG_NG_STATEFILE:-${SYSLOG_NG_STATEFILE_DIR}/${RC_SVCNAME}.persist} +SYSLOG_NG_PIDFILE_DIR=${SYSLOG_NG_PIDFILE_DIR:-/var/run/${RC_SVCNAME}} SYSLOG_NG_PIDFILE=${SYSLOG_NG_PIDFILE:-${SYSLOG_NG_PIDFILE_DIR}/${RC_SVCNAME}.pid} +SYSLOG_NG_CONTROLFILE=${SYSLOG_NG_CONTROLFILE:-${SYSLOG_NG_PIDFILE_DIR}/${RC_SVCNAME}.ctl} -SYSLOG_NG_GROUP=${SYSLOG_NG_GROUP:-root} -SYSLOG_NG_USER=${SYSLOG_NG_USER:-root} +SYSLOG_NG_GROUP=${SYSLOG_NG_GROUP:-${RC_SVCNAME}} +SYSLOG_NG_USER=${SYSLOG_NG_USER:-${RC_SVCNAME}} command="/usr/sbin/syslog-ng" -command_args="--persist-file \"${SYSLOG_NG_STATEFILE}\" --cfgfile \"${SYSLOG_NG_CONFIGFILE}\" --pidfile \"${SYSLOG_NG_PIDFILE}\" ${SYSLOG_NG_OPTS}" +command_args="--persist-file \"${SYSLOG_NG_STATEFILE}\" --cfgfile \"${SYSLOG_NG_CONFIGFILE}\" --control \"${SYSLOG_NG_CONTROLFILE}\" --pidfile \"${SYSLOG_NG_PIDFILE}\" ${SYSLOG_NG_OPTS}" extra_commands="checkconfig" extra_started_commands="reload" pidfile="${SYSLOG_NG_PIDFILE}" 
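Review bot: The defaults for `SYSLOG_NG_USER` and `SYSLOG_NG_GROUP` in syslog-ng.rc6 now follow `${RC_SVCNAME}`, but the ebuild in this commit creates only the `syslog-ng` account and makes the binary executable by group `syslog-ng` only. An instance started under any other service name would therefore point checkpath at an account that may not exist. Defaulting to the fixed name avoids that: `SYSLOG_NG_USER=${SYSLOG_NG_USER:-syslog-ng}` and `SYSLOG_NG_GROUP=${SYSLOG_NG_GROUP:-syslog-ng}`. Separately, the new `command_args` adds `--control` but passes neither variable to the daemon. If the rest of the script (outside this hunk) does not either, the process would stay root while its state and pid directories are handed to the unprivileged user.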
@@ -22,7 +23,6 @@ description="Syslog-ng is a syslog replacement with advanced filtering features. description_checkconfig="Check the configuration file that will be used by \"start\"" description_reload="Reload the configuration without exiting" required_files="${SYSLOG_NG_CONFIGFILE}" -required_dirs="${SYSLOG_NG_PIDFILE_DIR}" depend() { use clock @@ -42,8 +42,9 @@ start_pre() { checkpath \ -d \ --mode 0700 \ - --owner "${SYSLOG_NG_OWNER}:${SYSLOG_NG_GROUP}" \ - "${SYSLOG_NG_STATEFILE_DIR}" + --owner "${SYSLOG_NG_USER}:${SYSLOG_NG_GROUP}" \ + "${SYSLOG_NG_STATEFILE_DIR}" \ + "${SYSLOG_NG_PIDFILE_DIR}" } stop_pre() { diff --git a/app-admin/syslog-ng/metadata.xml b/app-admin/syslog-ng/metadata.xml index db015d1..f37ae13 100644 --- a/app-admin/syslog-ng/metadata.xml +++ b/app-admin/syslog-ng/metadata.xml @@ -8,6 +8,7 @@ Enable support for AMQP destinations Enable support for SMTP destinations + Permit more Linux capabilities Enable support for spoofed source addresses Enable support for JSON template formatting via dev-libs/json-c Enable support for mongodb destinations diff --git a/app-admin/syslog-ng/syslog-ng-3.6.2.ebuild b/app-admin/syslog-ng/syslog-ng-3.6.2.ebuild index aea6cb4..2ed0ad1 100644 --- a/app-admin/syslog-ng/syslog-ng-3.6.2.ebuild +++ b/app-admin/syslog-ng/syslog-ng-3.6.2.ebuild @@ -3,7 +3,7 @@ # $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/syslog-ng-3.6.2.ebuild,v 1.7 2015/03/25 14:01:18 ago Exp $ EAPI=5 -inherit eutils multilib systemd versionator +inherit eutils fcaps user multilib systemd versionator MY_PV=${PV/_/} MY_PV_MM=$(get_version_component_range 1-2) 
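Review bot: In start_pre of syslog-ng.rc6, `${SYSLOG_NG_PIDFILE_DIR}` is now passed to the same `checkpath -d --mode 0700 --owner` call as the state directory, so whatever directory that variable names is chowned to the service user and restricted to 0700. The new default `/var/run/${RC_SVCNAME}` is dedicated, but the previous default was `/run`, and a conf.d file that still sets `SYSLOG_NG_PIDFILE_DIR` to a shared directory would have that directory's ownership and mode changed on the next start. I would add a comment above the call, `# SYSLOG_NG_PIDFILE_DIR must be a directory used only by this service: it is chowned and set to 0700 here`, and consider refusing to start when it resolves to `/run` or `/var/run`. start_pre begins outside the hunk.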
@@ -14,7 +14,8 @@ SRC_URI="http://www.balabit.com/downloads/files/syslog-ng/sources/${MY_PV}/sourc LICENSE="GPL-2+ LGPL-2.1+" SLOT="0" KEYWORDS="~alpha amd64 ~arm ~arm64 hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc x86 ~x86-fbsd" -IUSE="amqp caps dbi geoip ipv6 json mongodb pacct redis smtp spoof-source ssl systemd tcpd" +IUSE="amqp caps dbi extra-caps geoip ipv6 json mongodb pacct redis smtp spoof-source ssl systemd tcpd" +REQUIRED_USE="extra-caps? ( filecaps )" RESTRICT="test" RDEPEND=" @@ -37,6 +38,13 @@ DEPEND="${RDEPEND} S=${WORKDIR}/${PN}-${MY_PV} +pkg_setup() { + if use caps; then + ewarn "\"caps\" USE flag is only useful for limiting privileges when running syslog-ng as root." + ewarn "It is suggested to use \"filecaps\" instead and run as syslog-ng user." + fi +} + src_prepare() { epatch "${FILESDIR}"/${MY_PV_MM}/${P}-redis.patch cp "${FILESDIR}"/*logrotate*.in "${TMPDIR}" || die 
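Review bot: pkg_setup in syslog-ng-3.6.2.ebuild is introduced only to print the `caps` warning, while the `syslog-ng` account that the init script and the `chown root:syslog-ng` in pkg_postinst rely on is created later by a bare `enewuser syslog-ng`, and nothing visible creates the group. Whether a same-named group exists at that point depends on how the account is created on the host, so the `chown ... || die` may abort in pkg_postinst. Creating both explicitly in pkg_setup removes the guesswork: `enewgroup syslog-ng` followed by `enewuser syslog-ng -1 -1 -1 syslog-ng`.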
@@ -110,6 +118,28 @@ src_install() { } pkg_postinst() { + enewuser syslog-ng + + # Capabilities, see 'man capabilities 7' for more info: + # + # 'cap_syslog' is required to read /proc/kmsg, if disabled syslog-ng fails with these errors: + # Error opening file for reading; filename='/proc/kmsg', error='Operation not permitted (1)' + # Error initializing message pipeline; + # + # 'cap_dac_override' is required to read /dev/log, if disabled syslog-ng fails with these errors: + # Error binding socket; addr='AF_UNIX(/dev/log)', error='Address already in use (98)' + # Error initializing message pipeline; + # + # 'cap_chown' is required to change owners of logs + + # enable minimal required for standalone logger capabilities + logger_caps='cap_chown,cap_dac_override,cap_syslog' + # enable all capabilities from syslog-ng/main.c BASE_CAPS + use extra-caps && logger_caps+=',cap_chown,cap_dac_read_search,cap_net_bind_service,cap_net_broadcast,cap_net_raw' + + chown root:syslog-ng "${EROOT}"/usr/sbin/syslog-ng || die + fcaps -o root -g syslog-ng -m 4710 -M 0710 "${logger_caps}+ep" /usr/sbin/syslog-ng + elog "For detailed documentation please see the upstream website:" elog "http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.6-guides/en/syslog-ng-ose-v3.6-guide-admin/html/index.html"
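Review bot: The `fcaps` call in pkg_postinst leaves /usr/sbin/syslog-ng executable by every member of group `syslog-ng` with `cap_dac_override` and `cap_chown` effective (mode 0710), and setuid root in the 4710 fallback when capabilities cannot be set. Because the daemon takes its configuration path from the command line (`--cfgfile`), membership in that group is close to root-equivalent for file access, which the comment block does not say. I would add `# NOTE: group syslog-ng can run this binary with the capabilities below (setuid root if fcaps falls back); keep the group limited to the service account` above the call. The `extra-caps` line also appends `cap_chown` a second time; its list can start at `,cap_dac_read_search`. pkg_postinst continues past the end of the hunk.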