[thirdparty/systemd.git] / man / systemd-journal-upload.service.xml

<?xml version='1.0'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % entities SYSTEM "custom-entities.ent" >
%entities;
]>
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->

<refentry id="systemd-journal-upload" conditional='HAVE_MICROHTTPD'
          xmlns:xi="http://www.w3.org/2001/XInclude">

  <refentryinfo>
    <title>systemd-journal-upload.service</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>systemd-journal-upload.service</refentrytitle>
    <manvolnum>8</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>systemd-journal-upload.service</refname>
    <refname>systemd-journal-upload</refname>
    <refpurpose>Send journal messages over the network</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>systemd-journal-upload.service</filename></para>
    <cmdsynopsis>
      <command>/usr/lib/systemd/systemd-journal-upload</command>
      <arg choice="opt" rep="repeat">OPTIONS</arg>
      <arg choice="opt" rep="norepeat">-u/--url=<replaceable>URL</replaceable></arg>
      <arg choice="opt" rep="repeat">SOURCES</arg>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para><command>systemd-journal-upload</command> will upload journal entries to the URL specified
    with <option>--url=</option>. This program reads journal entries from one or more journal files,
    similarly to
    <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
    Unless limited by one of the options specified below, all journal entries accessible to the user
    the program is running as will be uploaded, and then the program will wait and send new entries
    as they become available.</para>
    
    <para><command>systemd-journal-upload</command> transfers the raw content of journal file and
    uses HTTP as a transport protocol.</para> 
    
    <para><filename>systemd-journal-upload.service</filename> is a system service that uses
    <command>systemd-journal-upload</command> to upload journal entries to a server. It uses the
    configuration in
    <citerefentry><refentrytitle>journal-upload.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
    At least the <varname>URL=</varname> option must be specified.</para>
  </refsect1>

  <refsect1>
    <title>Options</title>

    <variablelist>
      <varlistentry>
        <term><option>-u</option></term>
        <term><option>--url=<optional>https://</optional><replaceable>URL</replaceable>[:<replaceable>PORT</replaceable>]</option></term>
        <term><option>--url=<optional>http://</optional><replaceable>URL</replaceable>[:<replaceable>PORT</replaceable>]</option></term>

        <listitem><para>Upload to the specified
        address. <replaceable>URL</replaceable> may specify either
        just the hostname or both the protocol and
        hostname. <constant>https</constant> is the default.
        The port number may be specified after a colon (<literal>:</literal>),
        otherwise <constant>19532</constant> will be used by default.
        </para>

        <xi:include href="version-info.xml" xpointer="v239"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--system</option></term>
        <term><option>--user</option></term>

        <listitem><para>Limit uploaded entries to entries from system
        services and the kernel, or to entries from services of
        current user. This has the same meaning as
        <option>--system</option> and <option>--user</option> options
        for
        <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>. If
        neither is specified, all accessible entries are uploaded.
        </para>

        <xi:include href="version-info.xml" xpointer="v239"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>-m</option></term>
        <term><option>--merge</option></term>

        <listitem><para>Upload entries interleaved from all available
        journals, including other machines. This has the same meaning
        as <option>--merge</option> option for
        <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>

        <xi:include href="version-info.xml" xpointer="v239"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--namespace=<replaceable>NAMESPACE</replaceable></option></term>

        <listitem><para>Takes a journal namespace identifier string as argument. Upload
        entries from the specified journal namespace
        <replaceable>NAMESPACE</replaceable> instead of the default namespace. This has the same meaning as
        <option>--namespace=</option> option for
        <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
        </para>

        <xi:include href="version-info.xml" xpointer="v254"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>-D</option></term>
        <term><option>--directory=<replaceable>DIR</replaceable></option></term>

        <listitem><para>Takes a directory path as argument. Upload
        entries from the specified journal directory
        <replaceable>DIR</replaceable> instead of the default runtime
        and system journal paths. This has the same meaning as
        <option>--directory=</option> option for
        <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
        </para>

        <xi:include href="version-info.xml" xpointer="v239"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--file=<replaceable>GLOB</replaceable></option></term>

        <listitem><para>Takes a file glob as an argument. Upload
        entries from the specified journal files matching
        <replaceable>GLOB</replaceable> instead of the default runtime
        and system journal paths. May be specified multiple times, in
        which case files will be suitably interleaved. This has the same meaning as
        <option>--file=</option> option for
        <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
        </para>

        <xi:include href="version-info.xml" xpointer="v239"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--cursor=</option></term>

        <listitem><para>Upload entries from the location in the
        journal specified by the passed cursor. This has the same
        meaning as <option>--cursor=</option> option for
        <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>

        <xi:include href="version-info.xml" xpointer="v239"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--after-cursor=</option></term>

        <listitem><para>Upload entries from the location in the
        journal <emphasis>after</emphasis> the location specified by
        the this cursor.  This has the same meaning as
        <option>--after-cursor=</option> option for
        <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
        </para>

        <xi:include href="version-info.xml" xpointer="v239"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--save-state</option><optional>=<replaceable>PATH</replaceable></optional></term>

        <listitem><para>Upload entries from the location in the
        journal <emphasis>after</emphasis> the location specified by
        the cursor saved in file at <replaceable>PATH</replaceable>
        (<filename>/var/lib/systemd/journal-upload/state</filename> by default).
        After an entry is successfully uploaded, update this file
        with the cursor of that entry.
        </para>

        <xi:include href="version-info.xml" xpointer="v239"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--follow</option><optional>=<replaceable>BOOL</replaceable></optional></term>

        <listitem><para>
          If set to yes, then <command>systemd-journal-upload</command> waits for input.
        </para>

          <xi:include href="version-info.xml" xpointer="v239"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--key=</option></term>

        <listitem><para>
          Takes a path to a SSL key file in PEM format, or <option>-</option>.
          If <option>-</option> is set, then client certificate authentication checking
          will be disabled.
          Defaults to <filename>&CERTIFICATE_ROOT;/private/journal-upload.pem</filename>.
        </para>

          <xi:include href="version-info.xml" xpointer="v239"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--cert=</option></term>

        <listitem><para>
          Takes a path to a SSL certificate file in PEM format, or <option>-</option>.
          If <option>-</option> is set, then client certificate authentication checking
          will be disabled.
          Defaults to <filename>&CERTIFICATE_ROOT;/certs/journal-upload.pem</filename>.
        </para>

          <xi:include href="version-info.xml" xpointer="v239"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--trust=</option></term>

        <listitem><para>
          Takes a path to a SSL CA certificate file in PEM format, or <option>-</option>/<option>all</option>.
          If <option>-</option>/<option>all</option> is set, then certificate checking will be disabled.
          Defaults to <filename>&CERTIFICATE_ROOT;/ca/trusted.pem</filename>.
        </para>

          <xi:include href="version-info.xml" xpointer="v239"/></listitem>
      </varlistentry>

      <xi:include href="standard-options.xml" xpointer="help" />
      <xi:include href="standard-options.xml" xpointer="version" />
    </variablelist>
  </refsect1>

  <refsect1>
    <title>Exit status</title>

    <para>On success, 0 is returned; otherwise, a non-zero
    failure code is returned.</para>
  </refsect1>

  <refsect1>
    <title>Examples</title>
    <example>
      <title>Setting up certificates for authentication</title>

      <para>Certificates signed by a trusted authority are used to
      verify that the server to which messages are uploaded is
      legitimate, and vice versa, that the client is trusted.</para>

      <para>A suitable set of certificates can be generated with
      <command>openssl</command>. Note, 2048 bits of key length
      is minimally recommended to use for security reasons:</para>

      <programlisting>openssl req -newkey rsa:2048 -days 3650 -x509 -nodes \
      -out ca.pem -keyout ca.key -subj '/CN=Certificate authority/'

cat &gt;ca.conf &lt;&lt;EOF
[ ca ]
default_ca = this

[ this ]
new_certs_dir = .
certificate = ca.pem
database = ./index
private_key = ca.key
serial = ./serial
default_days = 3650
default_md = default
policy = policy_anything

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
EOF

touch index
echo 0001 &gt;serial

SERVER=server
CLIENT=client

openssl req -newkey rsa:2048 -nodes -out $SERVER.csr -keyout $SERVER.key -subj "/CN=$SERVER/"
openssl ca -batch -config ca.conf -notext -in $SERVER.csr -out $SERVER.pem

openssl req -newkey rsa:2048 -nodes -out $CLIENT.csr -keyout $CLIENT.key -subj "/CN=$CLIENT/"
openssl ca -batch -config ca.conf -notext -in $CLIENT.csr -out $CLIENT.pem
</programlisting>

      <para>Generated files <filename>ca.pem</filename>,
      <filename>server.pem</filename>, and
      <filename>server.key</filename> should be installed on server,
      and <filename>ca.pem</filename>,
      <filename>client.pem</filename>, and
      <filename>client.key</filename> on the client. The location of
      those files can be specified using
      <varname>TrustedCertificateFile=</varname>,
      <varname>ServerCertificateFile=</varname>,
      and <varname>ServerKeyFile=</varname> in
      <filename>/etc/systemd/journal-remote.conf</filename> and
      <filename>/etc/systemd/journal-upload.conf</filename>,
      respectively. The default locations can be queried by using
      <command>systemd-journal-remote --help</command> and
      <command>systemd-journal-upload --help</command>.</para>
    </example>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para><simplelist type="inline">
      <member><citerefentry><refentrytitle>journal-upload.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
      <member><citerefentry><refentrytitle>systemd-journal-remote.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
      <member><citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
      <member><citerefentry><refentrytitle>systemd-journald.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
      <member><citerefentry><refentrytitle>systemd-journal-gatewayd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
    </simplelist></para>
  </refsect1>
</refentry>
Commit	Line	Data
514094f9	1	<?xml version='1.0'?>
3a54a157	2	<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
eea10b26	3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
3db93b3f YW	4	<!ENTITY % entities SYSTEM "custom-entities.ent" >
	5	%entities;
	6	]>
db9ecf05	7	<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
330427e2 ZJS	8
	9	<refentry id="systemd-journal-upload" conditional='HAVE_MICROHTTPD'
	10	xmlns:xi="http://www.w3.org/2001/XInclude">
	11
	12	<refentryinfo>
1f416853	13	<title>systemd-journal-upload.service</title>
330427e2	14	<productname>systemd</productname>
330427e2 ZJS	15	</refentryinfo>
	16
	17	<refmeta>
1f416853	18	<refentrytitle>systemd-journal-upload.service</refentrytitle>
330427e2 ZJS	19	<manvolnum>8</manvolnum>
	20	</refmeta>
	21
	22	<refnamediv>
1f416853	23	<refname>systemd-journal-upload.service</refname>
330427e2 ZJS	24	<refname>systemd-journal-upload</refname>
	25	<refpurpose>Send journal messages over the network</refpurpose>
	26	</refnamediv>
	27
	28	<refsynopsisdiv>
1f416853	29	<para><filename>systemd-journal-upload.service</filename></para>
330427e2	30	<cmdsynopsis>
1f416853	31	<command>/usr/lib/systemd/systemd-journal-upload</command>
330427e2 ZJS	32	<arg choice="opt" rep="repeat">OPTIONS</arg>
	33	<arg choice="opt" rep="norepeat">-u/--url=<replaceable>URL</replaceable></arg>
	34	<arg choice="opt" rep="repeat">SOURCES</arg>
	35	</cmdsynopsis>
	36	</refsynopsisdiv>
	37
	38	<refsect1>
	39	<title>Description</title>
	40
c643653e	41	<para><command>systemd-journal-upload</command> will upload journal entries to the URL specified
492cb509	42	with <option>--url=</option>. This program reads journal entries from one or more journal files,
c643653e ZJS	43	similarly to
	44	<citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
	45	Unless limited by one of the options specified below, all journal entries accessible to the user
	46	the program is running as will be uploaded, and then the program will wait and send new entries
	47	as they become available.</para>
68174bf0 FC	48
	49	<para><command>systemd-journal-upload</command> transfers the raw content of journal file and
	50	uses HTTP as a transport protocol.</para>
	51
0b063391 ZJS	52	<para><filename>systemd-journal-upload.service</filename> is a system service that uses
	53	<command>systemd-journal-upload</command> to upload journal entries to a server. It uses the
	54	configuration in
	55	<citerefentry><refentrytitle>journal-upload.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
	56	At least the <varname>URL=</varname> option must be specified.</para>
330427e2 ZJS	57	</refsect1>
	58
	59	<refsect1>
	60	<title>Options</title>
	61
	62	<variablelist>
	63	<varlistentry>
	64	<term><option>-u</option></term>
767f565f YW	65	<term><option>--url=<optional>https://</optional><replaceable>URL</replaceable>[:<replaceable>PORT</replaceable>]</option></term>
767f565f YW	66	<term><option>--url=<optional>http://</optional><replaceable>URL</replaceable>[:<replaceable>PORT</replaceable>]</option></term>
330427e2 ZJS	67
	68	<listitem><para>Upload to the specified
	69	address. <replaceable>URL</replaceable> may specify either
	70	just the hostname or both the protocol and
	71	hostname. <constant>https</constant> is the default.
767f565f YW	72	The port number may be specified after a colon (<literal>:</literal>),
767f565f YW	73	otherwise <constant>19532</constant> will be used by default.
ec07c3c8 AK	74	</para>
	75
	76	<xi:include href="version-info.xml" xpointer="v239"/></listitem>
330427e2 ZJS	77	</varlistentry>
	78
	79	<varlistentry>
	80	<term><option>--system</option></term>
	81	<term><option>--user</option></term>
	82
	83	<listitem><para>Limit uploaded entries to entries from system
	84	services and the kernel, or to entries from services of
	85	current user. This has the same meaning as
	86	<option>--system</option> and <option>--user</option> options
	87	for
	88	<citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>. If
	89	neither is specified, all accessible entries are uploaded.
ec07c3c8 AK	90	</para>
	91
	92	<xi:include href="version-info.xml" xpointer="v239"/></listitem>
330427e2 ZJS	93	</varlistentry>
	94
	95	<varlistentry>
	96	<term><option>-m</option></term>
	97	<term><option>--merge</option></term>
	98
	99	<listitem><para>Upload entries interleaved from all available
	100	journals, including other machines. This has the same meaning
	101	as <option>--merge</option> option for
ec07c3c8 AK	102	<citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>
	103
	104	<xi:include href="version-info.xml" xpointer="v239"/></listitem>
330427e2 ZJS	105	</varlistentry>
330427e2 ZJS	106
9f6e0bd4 IT	107	<varlistentry>
	108	<term><option>--namespace=<replaceable>NAMESPACE</replaceable></option></term>
	109
	110	<listitem><para>Takes a journal namespace identifier string as argument. Upload
	111	entries from the specified journal namespace
	112	<replaceable>NAMESPACE</replaceable> instead of the default namespace. This has the same meaning as
	113	<option>--namespace=</option> option for
	114	<citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
ec07c3c8 AK	115	</para>
	116
	117	<xi:include href="version-info.xml" xpointer="v254"/></listitem>
9f6e0bd4 IT	118	</varlistentry>
9f6e0bd4 IT	119
330427e2 ZJS	120	<varlistentry>
	121	<term><option>-D</option></term>
	122	<term><option>--directory=<replaceable>DIR</replaceable></option></term>
	123
	124	<listitem><para>Takes a directory path as argument. Upload
	125	entries from the specified journal directory
	126	<replaceable>DIR</replaceable> instead of the default runtime
	127	and system journal paths. This has the same meaning as
492cb509	128	<option>--directory=</option> option for
330427e2	129	<citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
ec07c3c8 AK	130	</para>
	131
	132	<xi:include href="version-info.xml" xpointer="v239"/></listitem>
330427e2 ZJS	133	</varlistentry>
	134
	135	<varlistentry>
	136	<term><option>--file=<replaceable>GLOB</replaceable></option></term>
	137
	138	<listitem><para>Takes a file glob as an argument. Upload
	139	entries from the specified journal files matching
	140	<replaceable>GLOB</replaceable> instead of the default runtime
	141	and system journal paths. May be specified multiple times, in
	142	which case files will be suitably interleaved. This has the same meaning as
492cb509	143	<option>--file=</option> option for
330427e2	144	<citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
ec07c3c8 AK	145	</para>
	146
	147	<xi:include href="version-info.xml" xpointer="v239"/></listitem>
330427e2 ZJS	148	</varlistentry>
	149
	150	<varlistentry>
	151	<term><option>--cursor=</option></term>
	152
	153	<listitem><para>Upload entries from the location in the
	154	journal specified by the passed cursor. This has the same
492cb509	155	meaning as <option>--cursor=</option> option for
ec07c3c8 AK	156	<citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>
	157
	158	<xi:include href="version-info.xml" xpointer="v239"/></listitem>
330427e2 ZJS	159	</varlistentry>
	160
	161	<varlistentry>
	162	<term><option>--after-cursor=</option></term>
	163
	164	<listitem><para>Upload entries from the location in the
	165	journal <emphasis>after</emphasis> the location specified by
	166	the this cursor. This has the same meaning as
492cb509	167	<option>--after-cursor=</option> option for
330427e2	168	<citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
ec07c3c8 AK	169	</para>
	170
	171	<xi:include href="version-info.xml" xpointer="v239"/></listitem>
330427e2 ZJS	172	</varlistentry>
330427e2 ZJS	173
330427e2 ZJS	174	<varlistentry>
	175	<term><option>--save-state</option><optional>=<replaceable>PATH</replaceable></optional></term>
	176
	177	<listitem><para>Upload entries from the location in the
	178	journal <emphasis>after</emphasis> the location specified by
	179	the cursor saved in file at <replaceable>PATH</replaceable>
	180	(<filename>/var/lib/systemd/journal-upload/state</filename> by default).
	181	After an entry is successfully uploaded, update this file
	182	with the cursor of that entry.
ec07c3c8 AK	183	</para>
	184
	185	<xi:include href="version-info.xml" xpointer="v239"/></listitem>
330427e2 ZJS	186	</varlistentry>
330427e2 ZJS	187
3db93b3f YW	188	<varlistentry>
	189	<term><option>--follow</option><optional>=<replaceable>BOOL</replaceable></optional></term>
	190
	191	<listitem><para>
	192	If set to yes, then <command>systemd-journal-upload</command> waits for input.
ec07c3c8 AK	193	</para>
	194
	195	<xi:include href="version-info.xml" xpointer="v239"/></listitem>
3db93b3f YW	196	</varlistentry>
	197
	198	<varlistentry>
	199	<term><option>--key=</option></term>
	200
	201	<listitem><para>
3dadb54f CH	202	Takes a path to a SSL key file in PEM format, or <option>-</option>.
	203	If <option>-</option> is set, then client certificate authentication checking
	204	will be disabled.
3db93b3f	205	Defaults to <filename>&CERTIFICATE_ROOT;/private/journal-upload.pem</filename>.
ec07c3c8 AK	206	</para>
	207
	208	<xi:include href="version-info.xml" xpointer="v239"/></listitem>
3db93b3f YW	209	</varlistentry>
	210
	211	<varlistentry>
	212	<term><option>--cert=</option></term>
	213
	214	<listitem><para>
3dadb54f CH	215	Takes a path to a SSL certificate file in PEM format, or <option>-</option>.
	216	If <option>-</option> is set, then client certificate authentication checking
	217	will be disabled.
3db93b3f	218	Defaults to <filename>&CERTIFICATE_ROOT;/certs/journal-upload.pem</filename>.
ec07c3c8 AK	219	</para>
	220
	221	<xi:include href="version-info.xml" xpointer="v239"/></listitem>
3db93b3f YW	222	</varlistentry>
	223
	224	<varlistentry>
	225	<term><option>--trust=</option></term>
	226
	227	<listitem><para>
3dadb54f CH	228	Takes a path to a SSL CA certificate file in PEM format, or <option>-</option>/<option>all</option>.
3dadb54f CH	229	If <option>-</option>/<option>all</option> is set, then certificate checking will be disabled.
3db93b3f	230	Defaults to <filename>&CERTIFICATE_ROOT;/ca/trusted.pem</filename>.
ec07c3c8 AK	231	</para>
	232
	233	<xi:include href="version-info.xml" xpointer="v239"/></listitem>
3db93b3f YW	234	</varlistentry>
3db93b3f YW	235
330427e2 ZJS	236	<xi:include href="standard-options.xml" xpointer="help" />
	237	<xi:include href="standard-options.xml" xpointer="version" />
	238	</variablelist>
	239	</refsect1>
	240
	241	<refsect1>
	242	<title>Exit status</title>
	243
	244	<para>On success, 0 is returned; otherwise, a non-zero
	245	failure code is returned.</para>
	246	</refsect1>
	247
99a1ab10 ZJS	248	<refsect1>
	249	<title>Examples</title>
	250	<example>
	251	<title>Setting up certificates for authentication</title>
	252
	253	<para>Certificates signed by a trusted authority are used to
	254	verify that the server to which messages are uploaded is
	255	legitimate, and vice versa, that the client is trusted.</para>
	256
	257	<para>A suitable set of certificates can be generated with
b5340a29	258	<command>openssl</command>. Note, 2048 bits of key length
32f511ec	259	is minimally recommended to use for security reasons:</para>
99a1ab10 ZJS	260
	261	<programlisting>openssl req -newkey rsa:2048 -days 3650 -x509 -nodes \
	262	-out ca.pem -keyout ca.key -subj '/CN=Certificate authority/'
	263
b938cb90	264	cat >ca.conf <<EOF
99a1ab10 ZJS	265	[ ca ]
	266	default_ca = this
	267
	268	[ this ]
	269	new_certs_dir = .
	270	certificate = ca.pem
	271	database = ./index
	272	private_key = ca.key
	273	serial = ./serial
	274	default_days = 3650
	275	default_md = default
	276	policy = policy_anything
	277
	278	[ policy_anything ]
	279	countryName = optional
	280	stateOrProvinceName = optional
	281	localityName = optional
	282	organizationName = optional
	283	organizationalUnitName = optional
	284	commonName = supplied
	285	emailAddress = optional
	286	EOF
	287
	288	touch index
b938cb90	289	echo 0001 >serial
99a1ab10 ZJS	290
	291	SERVER=server
	292	CLIENT=client
	293
562b65ca	294	openssl req -newkey rsa:2048 -nodes -out $SERVER.csr -keyout $SERVER.key -subj "/CN=$SERVER/"
99a1ab10 ZJS	295	openssl ca -batch -config ca.conf -notext -in $SERVER.csr -out $SERVER.pem
99a1ab10 ZJS	296
562b65ca	297	openssl req -newkey rsa:2048 -nodes -out $CLIENT.csr -keyout $CLIENT.key -subj "/CN=$CLIENT/"
99a1ab10 ZJS	298	openssl ca -batch -config ca.conf -notext -in $CLIENT.csr -out $CLIENT.pem
	299	</programlisting>
	300
	301	<para>Generated files <filename>ca.pem</filename>,
	302	<filename>server.pem</filename>, and
	303	<filename>server.key</filename> should be installed on server,
	304	and <filename>ca.pem</filename>,
	305	<filename>client.pem</filename>, and
	306	<filename>client.key</filename> on the client. The location of
	307	those files can be specified using
	308	<varname>TrustedCertificateFile=</varname>,
	309	<varname>ServerCertificateFile=</varname>,
e9dd6984	310	and <varname>ServerKeyFile=</varname> in
12b42c76	311	<filename>/etc/systemd/journal-remote.conf</filename> and
b938cb90	312	<filename>/etc/systemd/journal-upload.conf</filename>,
99a1ab10 ZJS	313	respectively. The default locations can be queried by using
	314	<command>systemd-journal-remote --help</command> and
	315	<command>systemd-journal-upload --help</command>.</para>
	316	</example>
	317	</refsect1>
	318
330427e2 ZJS	319	<refsect1>
330427e2 ZJS	320	<title>See Also</title>
13a69c12 DT	321	<para><simplelist type="inline">
	322	<member><citerefentry><refentrytitle>journal-upload.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
	323	<member><citerefentry><refentrytitle>systemd-journal-remote.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
	324	<member><citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
	325	<member><citerefentry><refentrytitle>systemd-journald.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
	326	<member><citerefentry><refentrytitle>systemd-journal-gatewayd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
	327	</simplelist></para>
330427e2 ZJS	328	</refsect1>
330427e2 ZJS	329	</refentry>