units/systemd-journal-remote.service.in

   1 #  SPDX-License-Identifier: LGPL-2.1+
   2 #
   3 #  This file is part of systemd.
   4 #
   5 #  systemd is free software; you can redistribute it and/or modify it
   6 #  under the terms of the GNU Lesser General Public License as published by
   7 #  the Free Software Foundation; either version 2.1 of the License, or
   8 #  (at your option) any later version.
   9
  10 [Unit]
  11 Description=Journal Remote Sink Service
  12 Documentation=man:systemd-journal-remote(8) man:journal-remote.conf(5)
  13 Requires=systemd-journal-remote.socket
  14
  15 [Service]
  16 ExecStart=@rootlibexecdir@/systemd-journal-remote --listen-https=-3 --output=/var/log/journal/remote/
  17 LockPersonality=yes
  18 LogsDirectory=journal/remote
  19 MemoryDenyWriteExecute=yes
  20 NoNewPrivileges=yes
  21 PrivateDevices=yes
  22 PrivateNetwork=yes
  23 PrivateTmp=yes
  24 ProtectClock=yes
  25 ProtectControlGroups=yes
  26 ProtectHome=yes
  27 ProtectHostname=yes
  28 ProtectKernelModules=yes
  29 ProtectKernelTunables=yes
  30 ProtectKernelLogs=yes
  31 ProtectSystem=strict
  32 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
  33 RestrictNamespaces=yes
  34 RestrictRealtime=yes
  35 RestrictSUIDSGID=yes
  36 SystemCallArchitectures=native
  37 User=systemd-journal-remote
  38 @SERVICE_WATCHDOG@
  39
  40 # If there are many split up journal files we need a lot of fds to access them
  41 # all in parallel.
  42 LimitNOFILE=@HIGH_RLIMIT_NOFILE@
  43
  44 [Install]
  45 Also=systemd-journal-remote.socket