1SYSTEMD-JOURNAL-UPLOAD.SEsRyVsItCeEm(d8-)journal-uploadS.YsSeTrEvMiDc-eJOURNAL-UPLOAD.SERVICE(8)
2
3
4
6 systemd-journal-upload.service, systemd-journal-upload - Send journal
7 messages over the network
8
10 systemd-journal-upload.service
11
12 /usr/lib/systemd/systemd-journal-upload [OPTIONS...] [-u/--url=URL]
13 [SOURCES...]
14
16 systemd-journal-upload will upload journal entries to the URL specified
17 with --url=. This program reads journal entries from one or more
18 journal files, similarly to journalctl(1). Unless limited by one of the
19 options specified below, all journal entries accessible to the user the
20 program is running as will be uploaded, and then the program will wait
21 and send new entries as they become available.
22
23 systemd-journal-upload.service is a system service that uses
24 systemd-journal-upload to upload journal entries to a server. It uses
25 the configuration in journal-upload.conf(5). At least the URL= option
26 must be specified.
27
29 -u, --url=[https://]URL[:PORT], --url=[http://]URL[:PORT]
30 Upload to the specified address. URL may specify either just the
31 hostname or both the protocol and hostname. https is the default.
32 The port number may be specified after a colon (":"), otherwise
33 19532 will be used by default.
34
35 --system, --user
36 Limit uploaded entries to entries from system services and the
37 kernel, or to entries from services of current user. This has the
38 same meaning as --system and --user options for journalctl(1). If
39 neither is specified, all accessible entries are uploaded.
40
41 -m, --merge
42 Upload entries interleaved from all available journals, including
43 other machines. This has the same meaning as --merge option for
44 journalctl(1).
45
46 -D, --directory=DIR
47 Takes a directory path as argument. Upload entries from the
48 specified journal directory DIR instead of the default runtime and
49 system journal paths. This has the same meaning as --directory=
50 option for journalctl(1).
51
52 --file=GLOB
53 Takes a file glob as an argument. Upload entries from the specified
54 journal files matching GLOB instead of the default runtime and
55 system journal paths. May be specified multiple times, in which
56 case files will be suitably interleaved. This has the same meaning
57 as --file= option for journalctl(1).
58
59 --cursor=
60 Upload entries from the location in the journal specified by the
61 passed cursor. This has the same meaning as --cursor= option for
62 journalctl(1).
63
64 --after-cursor=
65 Upload entries from the location in the journal after the location
66 specified by the this cursor. This has the same meaning as
67 --after-cursor= option for journalctl(1).
68
69 --save-state[=PATH]
70 Upload entries from the location in the journal after the location
71 specified by the cursor saved in file at PATH
72 (/var/lib/systemd/journal-upload/state by default). After an entry
73 is successfully uploaded, update this file with the cursor of that
74 entry.
75
76 --follow[=BOOL]
77 If set to yes, then systemd-journal-upload waits for input.
78
79 --key=
80 Takes a path to a SSL key file in PEM format, or -. If - is set,
81 then client certificate authentication checking will be disabled.
82 Defaults to /etc/ssl/private/journal-upload.pem.
83
84 --cert=
85 Takes a path to a SSL certificate file in PEM format, or -. If - is
86 set, then client certificate authentication checking will be
87 disabled. Defaults to /etc/ssl/certs/journal-upload.pem.
88
89 --trust=
90 Takes a path to a SSL CA certificate file in PEM format, or -/all.
91 If -/all is set, then certificate checking will be disabled.
92 Defaults to /etc/ssl/ca/trusted.pem.
93
94 -h, --help
95 Print a short help text and exit.
96
97 --version
98 Print a short version string and exit.
99
101 On success, 0 is returned; otherwise, a non-zero failure code is
102 returned.
103
105 Example 1. Setting up certificates for authentication
106
107 Certificates signed by a trusted authority are used to verify that the
108 server to which messages are uploaded is legitimate, and vice versa,
109 that the client is trusted.
110
111 A suitable set of certificates can be generated with openssl. Note,
112 2048 bits of key length is minimally recommended to use for security
113 reasons:
114
115 openssl req -newkey rsa:2048 -days 3650 -x509 -nodes \
116 -out ca.pem -keyout ca.key -subj '/CN=Certificate authority/'
117
118 cat >ca.conf <<EOF
119 [ ca ]
120 default_ca = this
121
122 [ this ]
123 new_certs_dir = .
124 certificate = ca.pem
125 database = ./index
126 private_key = ca.key
127 serial = ./serial
128 default_days = 3650
129 default_md = default
130 policy = policy_anything
131
132 [ policy_anything ]
133 countryName = optional
134 stateOrProvinceName = optional
135 localityName = optional
136 organizationName = optional
137 organizationalUnitName = optional
138 commonName = supplied
139 emailAddress = optional
140 EOF
141
142 touch index
143 echo 0001 >serial
144
145 SERVER=server
146 CLIENT=client
147
148 openssl req -newkey rsa:2048 -nodes -out $SERVER.csr -keyout $SERVER.key -subj "/CN=$SERVER/"
149 openssl ca -batch -config ca.conf -notext -in $SERVER.csr -out $SERVER.pem
150
151 openssl req -newkey rsa:2048 -nodes -out $CLIENT.csr -keyout $CLIENT.key -subj "/CN=$CLIENT/"
152 openssl ca -batch -config ca.conf -notext -in $CLIENT.csr -out $CLIENT.pem
153
154 Generated files ca.pem, server.pem, and server.key should be installed
155 on server, and ca.pem, client.pem, and client.key on the client. The
156 location of those files can be specified using TrustedCertificateFile=,
157 ServerCertificateFile=, and ServerKeyFile= in
158 /etc/systemd/journal-remote.conf and /etc/systemd/journal-upload.conf,
159 respectively. The default locations can be queried by using
160 systemd-journal-remote --help and systemd-journal-upload --help.
161
163 journal-upload.conf(5), systemd-journal-remote.service(8),
164 journalctl(1), systemd-journald.service(8), systemd-journal-
165 gatewayd.service(8)
166
167
168
169systemd 246 SYSTEMD-JOURNAL-UPLOAD.SERVICE(8)