-<?xml version='1.0'?> <!--*- Mode: nxml; nxml-child-indent: 2; indent-tabs-mode: nil -*-->
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<?xml version='1.0'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY % entities SYSTEM "custom-entities.ent" >
%entities;
]>
-
-<!--
- SPDX-License-Identifier: LGPL-2.1+
-
- This file is part of systemd.
-
- Copyright 2014 Zbigniew Jędrzejewski-Szmek
--->
+<!-- SPDX-License-Identifier: LGPL-2.1+ -->
<refentry id="systemd-journal-upload" conditional='HAVE_MICROHTTPD'
xmlns:xi="http://www.w3.org/2001/XInclude">
<refentryinfo>
<title>systemd-journal-upload.service</title>
<productname>systemd</productname>
-
- <authorgroup>
- <author>
- <contrib>Developer</contrib>
- <firstname>Zbigniew</firstname>
- <surname>Jędrzejewski-Szmek</surname>
- <email>zbyszek@in.waw.pl</email>
- </author>
- </authorgroup>
</refentryinfo>
<refmeta>
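Review bot: The new DOCTYPE is inconsistent: the public identifier on the first added DOCTYPE line now says "DocBook XML V4.5", but the system identifier on the next added line still points at docbook/xml/4.2/docbookx.dtd. Either bump the URL to 4.5 as well or leave the public identifier at V4.2, so that a validating parser resolves the DTD the declaration names.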
Unless limited by one of the options specified below, all journal entries accessible to the user
the program is running as will be uploaded, and then the program will wait and send new entries
as they become available.</para>
+
+ <para><filename>systemd-journal-upload.service</filename> is a system service that uses
+ <command>systemd-journal-upload</command> to upload journal entries to a server. It uses the
+ configuration in
+ <citerefentry><refentrytitle>journal-upload.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ At least the <varname>URL=</varname> option must be specified.</para>
</refsect1>
<refsect1>
<term><option>--key=</option></term>
<listitem><para>
- Takes a path to a SSL key file in PEM format.
+ Takes a path to a SSL key file in PEM format, or <option>-</option>.
+ If <option>-</option> is set, then client certificate authentication checking
+ will be disabled.
Defaults to <filename>&CERTIFICATE_ROOT;/private/journal-upload.pem</filename>.
</para></listitem>
</varlistentry>
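Review bot: The added sentence "client certificate authentication checking will be disabled" under --key= is ambiguous, because the uploader is the client and does not check its own certificate. If the intent is that no client key or certificate is presented to the server when "-" is given, say so directly, and mention that a server requiring client authentication will then reject the connection.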
<term><option>--cert=</option></term>
<listitem><para>
- Takes a path to a SSL certificate file in PEM format.
+ Takes a path to a SSL certificate file in PEM format, or <option>-</option>.
+ If <option>-</option> is set, then client certificate authentication checking
+ will be disabled.
Defaults to <filename>&CERTIFICATE_ROOT;/certs/journal-upload.pem</filename>.
</para></listitem>
</varlistentry>
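Review bot: The --cert= text repeats the --key= wording but neither entry documents what happens when only one of the two is set to "-". Please state whether both options must be "-" together, or whether setting either one alone is enough to skip client authentication.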
<term><option>--trust=</option></term>
<listitem><para>
- Takes a path to a SSL CA certificate file in PEM format,
- or <option>all</option>. If <option>all</option> is set,
- then certificate checking will be disabled.
+ Takes a path to a SSL CA certificate file in PEM format, or <option>-</option>/<option>all</option>.
+ If <option>-</option>/<option>all</option> is set, then certificate checking will be disabled.
Defaults to <filename>&CERTIFICATE_ROOT;/ca/trusted.pem</filename>.
</para></listitem>
</varlistentry>
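Review bot: The --trust= entry should spell out the security consequence of "-"/"all": "certificate checking will be disabled" means the server's identity is no longer verified, which undercuts the later paragraph about verifying "that the client is trusted" and the server is legitimate. Suggest adding a sentence that this setting is intended for testing only, and writing the two accepted values as 'or <option>-</option> or <option>all</option>' rather than with a slash, which reads like a single literal.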
legitimate, and vice versa, that the client is trusted.</para>
<para>A suitable set of certificates can be generated with
- <command>openssl</command>:</para>
+ <command>openssl</command>. Note, 2048 bits of key length
+ is minimally recommended to use for security reasons:</para>
<programlisting>openssl req -newkey rsa:2048 -days 3650 -x509 -nodes \
-out ca.pem -keyout ca.key -subj '/CN=Certificate authority/'
SERVER=server
CLIENT=client
-openssl req -newkey rsa:1024 -nodes -out $SERVER.csr -keyout $SERVER.key -subj "/CN=$SERVER/"
+openssl req -newkey rsa:2048 -nodes -out $SERVER.csr -keyout $SERVER.key -subj "/CN=$SERVER/"
openssl ca -batch -config ca.conf -notext -in $SERVER.csr -out $SERVER.pem
-openssl req -newkey rsa:1024 -nodes -out $CLIENT.csr -keyout $CLIENT.key -subj "/CN=$CLIENT/"
+openssl req -newkey rsa:2048 -nodes -out $CLIENT.csr -keyout $CLIENT.key -subj "/CN=$CLIENT/"
openssl ca -batch -config ca.conf -notext -in $CLIENT.csr -out $CLIENT.pem
</programlisting>
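Review bot: The added note "2048 bits of key length is minimally recommended to use for security reasons" is awkward; something like "Note that a key length of at least 2048 bits is recommended" reads better and says the same thing. The rsa:1024 to rsa:2048 change on the $SERVER and $CLIENT lines matches the CA line and looks right.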
those files can be specified using
<varname>TrustedCertificateFile=</varname>,
<varname>ServerCertificateFile=</varname>,
- <varname>ServerKeyFile=</varname>, in
+ and <varname>ServerKeyFile=</varname> in
<filename>/etc/systemd/journal-remote.conf</filename> and
<filename>/etc/systemd/journal-upload.conf</filename>,
respectively. The default locations can be queried by using
<refsect1>
<title>See Also</title>
<para>
+ <citerefentry><refentrytitle>journal-upload.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-journal-remote.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-journald.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,