systemd-journal-remote.service, systemd-journal-remote.socket, systemd-journal-remote — Receive journal messages over the network
systemd-journal-remote.service
systemd-journal-remote.socket
/usr/lib/systemd/systemd-journal-remote
[OPTIONS...] [-o/--output=DIR
|FILE
] [SOURCES...]
systemd-journal-remote is a command to receive serialized journal events and store them to journal files. Input streams are in the Journal Export Format, i.e. like the output from journalctl --output=export. For transport over the network, this serialized stream is usually carried over an HTTPS connection.
systemd-journal-remote.service
is a system service that uses
systemd-journal-remote to listen for connections.
systemd-journal-remote.socket
configures the network address that
systemd-journal-remote.service
listens on. By default this is port 19532.
What connections are accepted and how the received data is stored can be configured through the
journal-remote.conf(5)
configuration file.
Sources can be either "active" (systemd-journal-remote requests and pulls the data), or "passive" (systemd-journal-remote waits for a connection and then receives events pushed by the other side).
systemd-journal-remote can read more than one event stream at a time. They will be interleaved in the output file. In case of "active" connections, each "source" is one stream, and in case of "passive" connections, each connection can result in a separate stream. Sockets can be configured in "accept" mode (i.e. only one connection), or "listen" mode (i.e. multiple connections, each resulting in a stream).
When there are no more connections, and no more can be created (there are no listening sockets), then systemd-journal-remote will exit.
Active sources can be specified in the following ways:
When -
is given as a
positional argument, events will be read from standard input.
Other positional arguments will be treated as filenames
to open and read from.
--url=ADDRESS
¶With the
--url=
option,
events will be retrieved using HTTP from
ADDRESS
ADDRESS
. This URL should refer to the
root of a remote
systemd-journal-gatewayd(8)
instance, e.g. http://some.host:19531/ or
https://some.host:19531/.
--getter='PROG
[OPTIONS...]'
¶Program to invoke to retrieve data. The journal event stream must be generated on standard output.
Examples:
--getter='curl "-HAccept: application/vnd.fdo.journal" https://some.host:19531/'
--getter='wget --header="Accept: application/vnd.fdo.journal" -O- https://some.host:19531/'
Passive sources can be specified in the following ways:
--listen-raw=ADDRESS
¶ADDRESS
must be an
address suitable for ListenStream=
(cf.
systemd.socket(5)).
systemd-journal-remote will listen on this
socket for connections. Each connection is expected to be a
stream of journal events.
--listen-http=ADDRESS
, --listen-https=ADDRESS
¶ADDRESS
must be
either a negative integer, in which case it will be
interpreted as the (negated) file descriptor number, or an
address suitable for ListenStream=
(c.f.
systemd.socket(5)).
In the first case, the server listens on port 19532 by default,
and the matching file descriptor must be inherited through
$LISTEN_FDS
/$LISTEN_PID
.
In the second case, an HTTP or HTTPS server will be spawned on
this port, respectively for --listen-http=
and
--listen-https=
. Currently, only POST requests
to /upload
with "Content-Type:
application/vnd.fdo.journal
" are supported.
$LISTEN_FDS
¶systemd-journal-remote
supports the
$LISTEN_FDS
/$LISTEN_PID
protocol. Open sockets inherited through socket activation
behave like those opened with --listen-raw=
described above, unless they are specified as an argument in
--listen-http=-
or
n
--listen-https=-
above. In the latter case, an HTTP or HTTPS server will be
spawned using this descriptor and connections must be made
over the HTTP protocol.n
--key=
¶
Takes a path to a SSL key file in PEM format.
Defaults to /etc/ssl/private/journal-remote.pem
.
This option can be used with --listen-https=
.
--cert=
¶
Takes a path to a SSL certificate file in PEM format.
Defaults to /etc/ssl/certs/journal-remote.pem
.
This option can be used with --listen-https=
.
--trust=
¶
Takes a path to a SSL CA certificate file in PEM format,
or all
. If all
is set,
then certificate checking will be disabled.
Defaults to /etc/ssl/ca/trusted.pem
.
This option can be used with --listen-https=
.
--gnutls-log=
¶
Takes a comma separated list of gnutls logging categories.
This option can be used with --listen-http=
or
--listen-https=
.
The location of the output journal can be specified
with -o
or --output=
.
--output=FILE
¶Will write to this journal file. The filename
must end with .journal
. The file will be
created if it does not exist. If necessary (journal file full,
or corrupted), the file will be renamed following normal
journald rules and a new journal file will be created in its
stead.
--output=DIR
¶Will create journal files underneath directory
DIR
. The directory must exist. If
necessary (journal files over size, or corrupted), journal
files will be rotated following normal journald rules. Names
of files underneath DIR
will be
generated using the rules described below.
If --output=
is not used, the output
directory /var/log/journal/remote/
will be
used. In case the output file is not specified, journal files
will be created underneath the selected directory. Files will be
called
remote-
,
where the hostname
.journalhostname
part is the
escaped hostname of the source endpoint of the connection, or the
numerical address if the hostname cannot be determined.
In the case that "active" sources are given by the positional
arguments or --getter=
option, the output file name
must always be given explicitly.
The following options are understood:
--split-mode
¶One of none
or
host
. For the first, only one output
journal file is used. For the latter, a separate output file
is used, based on the hostname of the other endpoint of a
connection.
In the case that "active" sources are given by the positional
arguments or --getter=
option, the output file name must
always be given explicitly and only none
is allowed.
--compress
[BOOL
]¶If this is set to "yes
" then compress
the data in the journal using XZ. The default is "yes
".
--seal
[BOOL
]¶If this is set to "yes
" then
periodically sign the data in the journal using Forward Secure Sealing.
The default is "no
".
-h
, --help
¶--version
¶Copy local journal events to a different journal directory:
journalctl -o export | systemd-journal-remote -o /tmp/dir/foo.journal -
Retrieve all available events from a remote
systemd-journal-gatewayd(8)
instance and store them in
/var/log/journal/remote/remote-some.host.journal
:
systemd-journal-remote --url http://some.host:19531/
Retrieve current boot events and wait for new events from a remote
systemd-journal-gatewayd(8)
instance, and store them in
/var/log/journal/remote/remote-some.host.journal
:
systemd-journal-remote --url http://some.host:19531/entries?boot&follow