2 <!DOCTYPE refentry PUBLIC
"-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
4 <!ENTITY % entities SYSTEM
"custom-entities.ent" >
7 <!-- SPDX-License-Identifier: LGPL-2.1+ -->
9 <refentry id=
"systemd-journal-upload" conditional='HAVE_MICROHTTPD'
10 xmlns:
xi=
"http://www.w3.org/2001/XInclude">
13 <title>systemd-journal-upload.service
</title>
14 <productname>systemd
</productname>
18 <refentrytitle>systemd-journal-upload.service
</refentrytitle>
19 <manvolnum>8</manvolnum>
23 <refname>systemd-journal-upload.service
</refname>
24 <refname>systemd-journal-upload
</refname>
25 <refpurpose>Send journal messages over the network
</refpurpose>
29 <para><filename>systemd-journal-upload.service
</filename></para>
31 <command>/usr/lib/systemd/systemd-journal-upload
</command>
32 <arg choice=
"opt" rep=
"repeat">OPTIONS
</arg>
33 <arg choice=
"opt" rep=
"norepeat">-u/--url=
<replaceable>URL
</replaceable></arg>
34 <arg choice=
"opt" rep=
"repeat">SOURCES
</arg>
39 <title>Description
</title>
41 <para><command>systemd-journal-upload
</command> will upload journal entries to the URL specified
42 with
<option>--url=
</option>. This program reads journal entries from one or more journal files,
44 <citerefentry><refentrytitle>journalctl
</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
45 Unless limited by one of the options specified below, all journal entries accessible to the user
46 the program is running as will be uploaded, and then the program will wait and send new entries
47 as they become available.
</para>
49 <para><filename>systemd-journal-upload.service
</filename> is a system service that uses
50 <command>systemd-journal-upload
</command> to upload journal entries to a server. It uses the
52 <citerefentry><refentrytitle>journal-upload.conf
</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
53 At least the
<varname>URL=
</varname> option must be specified.
</para>
57 <title>Options
</title>
61 <term><option>-u
</option></term>
62 <term><option>--url=
<optional>https://
</optional><replaceable>URL
</replaceable>[:
<replaceable>PORT
</replaceable>]
</option></term>
63 <term><option>--url=
<optional>http://
</optional><replaceable>URL
</replaceable>[:
<replaceable>PORT
</replaceable>]
</option></term>
65 <listitem><para>Upload to the specified
66 address.
<replaceable>URL
</replaceable> may specify either
67 just the hostname or both the protocol and
68 hostname.
<constant>https
</constant> is the default.
69 The port number may be specified after a colon (
<literal>:
</literal>),
70 otherwise
<constant>19532</constant> will be used by default.
75 <term><option>--system
</option></term>
76 <term><option>--user
</option></term>
78 <listitem><para>Limit uploaded entries to entries from system
79 services and the kernel, or to entries from services of
80 current user. This has the same meaning as
81 <option>--system
</option> and
<option>--user
</option> options
83 <citerefentry><refentrytitle>journalctl
</refentrytitle><manvolnum>1</manvolnum></citerefentry>. If
84 neither is specified, all accessible entries are uploaded.
89 <term><option>-m
</option></term>
90 <term><option>--merge
</option></term>
92 <listitem><para>Upload entries interleaved from all available
93 journals, including other machines. This has the same meaning
94 as
<option>--merge
</option> option for
95 <citerefentry><refentrytitle>journalctl
</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
</para></listitem>
99 <term><option>-D
</option></term>
100 <term><option>--directory=
<replaceable>DIR
</replaceable></option></term>
102 <listitem><para>Takes a directory path as argument. Upload
103 entries from the specified journal directory
104 <replaceable>DIR
</replaceable> instead of the default runtime
105 and system journal paths. This has the same meaning as
106 <option>--directory=
</option> option for
107 <citerefentry><refentrytitle>journalctl
</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
112 <term><option>--file=
<replaceable>GLOB
</replaceable></option></term>
114 <listitem><para>Takes a file glob as an argument. Upload
115 entries from the specified journal files matching
116 <replaceable>GLOB
</replaceable> instead of the default runtime
117 and system journal paths. May be specified multiple times, in
118 which case files will be suitably interleaved. This has the same meaning as
119 <option>--file=
</option> option for
120 <citerefentry><refentrytitle>journalctl
</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
125 <term><option>--cursor=
</option></term>
127 <listitem><para>Upload entries from the location in the
128 journal specified by the passed cursor. This has the same
129 meaning as
<option>--cursor=
</option> option for
130 <citerefentry><refentrytitle>journalctl
</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
</para></listitem>
134 <term><option>--after-cursor=
</option></term>
136 <listitem><para>Upload entries from the location in the
137 journal
<emphasis>after
</emphasis> the location specified by
138 the this cursor. This has the same meaning as
139 <option>--after-cursor=
</option> option for
140 <citerefentry><refentrytitle>journalctl
</refentrytitle><manvolnum>1</manvolnum></citerefentry>.
145 <term><option>--save-state
</option><optional>=
<replaceable>PATH
</replaceable></optional></term>
147 <listitem><para>Upload entries from the location in the
148 journal
<emphasis>after
</emphasis> the location specified by
149 the cursor saved in file at
<replaceable>PATH
</replaceable>
150 (
<filename>/var/lib/systemd/journal-upload/state
</filename> by default).
151 After an entry is successfully uploaded, update this file
152 with the cursor of that entry.
157 <term><option>--follow
</option><optional>=
<replaceable>BOOL
</replaceable></optional></term>
160 If set to yes, then
<command>systemd-journal-upload
</command> waits for input.
165 <term><option>--key=
</option></term>
168 Takes a path to a SSL key file in PEM format.
169 Defaults to
<filename>&CERTIFICATE_ROOT;/private/journal-upload.pem
</filename>.
174 <term><option>--cert=
</option></term>
177 Takes a path to a SSL certificate file in PEM format.
178 Defaults to
<filename>&CERTIFICATE_ROOT;/certs/journal-upload.pem
</filename>.
183 <term><option>--trust=
</option></term>
186 Takes a path to a SSL CA certificate file in PEM format,
187 or
<option>all
</option>. If
<option>all
</option> is set,
188 then certificate checking will be disabled.
189 Defaults to
<filename>&CERTIFICATE_ROOT;/ca/trusted.pem
</filename>.
193 <xi:include href=
"standard-options.xml" xpointer=
"help" />
194 <xi:include href=
"standard-options.xml" xpointer=
"version" />
199 <title>Exit status
</title>
201 <para>On success,
0 is returned; otherwise, a non-zero
202 failure code is returned.
</para>
206 <title>Examples
</title>
208 <title>Setting up certificates for authentication
</title>
210 <para>Certificates signed by a trusted authority are used to
211 verify that the server to which messages are uploaded is
212 legitimate, and vice versa, that the client is trusted.
</para>
214 <para>A suitable set of certificates can be generated with
215 <command>openssl
</command>. Note,
2048 bits of key length
216 is minimally recommended to use for security reasons:
</para>
218 <programlisting>openssl req -newkey rsa:
2048 -days
3650 -x509 -nodes \
219 -out ca.pem -keyout ca.key -subj '/CN=Certificate authority/'
221 cat
>ca.conf
<<EOF
233 policy = policy_anything
236 countryName = optional
237 stateOrProvinceName = optional
238 localityName = optional
239 organizationName = optional
240 organizationalUnitName = optional
241 commonName = supplied
242 emailAddress = optional
251 openssl req -newkey rsa:
2048 -nodes -out $SERVER.csr -keyout $SERVER.key -subj
"/CN=$SERVER/"
252 openssl ca -batch -config ca.conf -notext -in $SERVER.csr -out $SERVER.pem
254 openssl req -newkey rsa:
2048 -nodes -out $CLIENT.csr -keyout $CLIENT.key -subj
"/CN=$CLIENT/"
255 openssl ca -batch -config ca.conf -notext -in $CLIENT.csr -out $CLIENT.pem
258 <para>Generated files
<filename>ca.pem
</filename>,
259 <filename>server.pem
</filename>, and
260 <filename>server.key
</filename> should be installed on server,
261 and
<filename>ca.pem
</filename>,
262 <filename>client.pem
</filename>, and
263 <filename>client.key
</filename> on the client. The location of
264 those files can be specified using
265 <varname>TrustedCertificateFile=
</varname>,
266 <varname>ServerCertificateFile=
</varname>,
267 <varname>ServerKeyFile=
</varname>, in
268 <filename>/etc/systemd/journal-remote.conf
</filename> and
269 <filename>/etc/systemd/journal-upload.conf
</filename>,
270 respectively. The default locations can be queried by using
271 <command>systemd-journal-remote --help
</command> and
272 <command>systemd-journal-upload --help
</command>.
</para>
277 <title>See Also
</title>
279 <citerefentry><refentrytitle>journal-upload.conf
</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
280 <citerefentry><refentrytitle>systemd-journal-remote.service
</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
281 <citerefentry><refentrytitle>journalctl
</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
282 <citerefentry><refentrytitle>systemd-journald.service
</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
283 <citerefentry><refentrytitle>systemd-journal-gatewayd.service
</refentrytitle><manvolnum>8</manvolnum></citerefentry>