File: README.md

systemd-netlogd 1.4.5-1
  • area: main
  • in suites: forky, sid
  • size: 1,148 kB
  • sloc: ansic: 14,070; makefile: 29; python: 20; sh: 13
# systemd-netlogd 🚀

[![Build Status](https://github.com/systemd/systemd-netlogd/actions/workflows/ci.yml/badge.svg)](https://github.com/systemd/systemd-netlogd/actions)

**`systemd-netlogd`** is a **lightweight, battle-tested daemon** that **forwards systemd journal logs to remote hosts** over the network using the **Syslog protocol (RFC 5424 & RFC 3339)**.  
It supports **unicast** and **multicast**, with **zero disk buffering** — perfect for **edge devices, servers, and cloud fleets**.

---

## Overview ✨

### Key Features 🔥
| Feature | Description |
|--------|-------------|
| **Network-Aware** | Auto-starts when network is up, pauses when down (`sd-network` integration) |
| **Zero Buffering** | Reads journal **sequentially**, forwards **one-by-one** — no disk, no bloat |
| **Full Protocol Support** | `UDP`, `TCP`, **TLS**, **DTLS** (RFC 6012) |
| **Flexible Formatting** | **RFC 5424** (default), **RFC 3339**, length-prefixed for TLS |
| **Security First** | TLS cert validation, keepalives, sensitive log filtering |
| **Namespace Aware** | Target specific journals or aggregate all |
| **Isolated Execution** | Runs as `systemd-journal-netlog` system user |

> **Ideal for**: Centralized logging without local storage impact

---

## Installation 🛠️

### Prerequisites
Requires **systemd v255+** for full features.

#### Debian / Ubuntu
```bash
sudo apt update
sudo apt install build-essential gperf libcap-dev libsystemd-dev pkg-config meson python3-sphinx
```

#### CentOS / RHEL / Fedora
```bash
sudo dnf group install 'Development Tools'
sudo dnf install gperf libcap-devel pkg-config systemd-devel meson python3-sphinx
```

---

### Build from Source
```bash
git clone https://github.com/systemd/systemd-netlogd.git
cd systemd-netlogd
meson setup build
meson compile -C build
sudo meson install -C build
```

> *Tip*: Prefer `meson`. `make` still works but is legacy.

---

### Create System User (Required)
#### Option 1: Sysusers (Recommended)
```bash
# Copy provided file or create:
sudo tee /etc/sysusers.d/systemd-netlogd.conf > /dev/null <<EOF
u systemd-journal-netlog - - / /bin/nologin
EOF
sudo systemd-sysusers
```

#### Option 2: Manual
```bash
sudo useradd -r -d / -s /usr/sbin/nologin -g systemd-journal systemd-journal-netlog
```

---

### Package Managers
| Distro | Command |
|-------|--------|
| **Ubuntu** (Plucky+, Quokka+, Raccoon+) | `sudo apt install systemd-netlogd` |
| **Fedora** | Search COPR: `systemd-netlogd` |
| **Arch Linux** | AUR: `systemd-netlogd-git` |

---

## Running the Service

```bash
sudo systemctl daemon-reload
sudo systemctl enable --now systemd-netlogd.service
```

Check logs:
```bash
journalctl -u systemd-netlogd.service -f
```

Manual test:
```bash
SYSTEMD_LOG_LEVEL=debug /usr/lib/systemd-netlogd 
```

---

## Configuration

Config: `/etc/systemd/netlogd.conf`  
Drop-ins: `/etc/systemd/netlogd.conf.d/*.conf` (INI format)

Reload: `sudo systemctl reload systemd-netlogd.service`

### `[Network]` Options

| Option | Description | Default | Example |
|-------|-------------|--------|--------|
| `Address=` | Destination (IP:port or multicast) | **Required** | `239.0.0.1:6000` |
| `Protocol=` | `udp` \| `tcp` \| `tls` \| `dtls` | `udp` | `tls` |
| `LogFormat=` | `rfc5424` \| `rfc3339` | `rfc5424` | `rfc3339` |
| `Directory=` | Custom journal path | System default | `/var/log/journal` |
| `Namespace=` | `*`, `+id`, or `id` | Default | `*` |
| `ConnectionRetrySec=` | Retry delay | `30s` | `1min` |
| `TLSCertificateAuthMode=` | `deny` \| `warn` \| `allow` \| `no` | `deny` | `warn` |
| `TLSServerCertificate=` | CA/server PEM path | None | `/etc/ssl/ca.pem` |
| `KeepAlive=` | TCP keepalive | `false` | `true` |
| `NoDelay=` | Disable Nagle (low latency) | `false` | `true` |
| `StructuredData=` | Custom SD-ID | None | `[app@12345]` |
| `UseSysLogStructuredData=` | Extract from journal | `false` | `yes` |
| `UseSysLogMsgId=` | Extract MSGID | `false` | `yes` |
| `ExcludeSyslogFacility=` | Skip facilities | None | `auth authpriv` |
| `ExcludeSyslogLevel=` | Skip levels | None | `debug info` |

---

## Configuration Examples

### 1. UDP Multicast
```ini
[Network]
Address=239.0.0.1:6000
# Protocol=udp (default)
```

### 2. Unicast + RFC 3339
```ini
[Network]
Address=192.168.1.100:514
LogFormat=rfc3339
```

### 3. Cloud-Ready RFC 5424
```ini
[Network]
Address=logs.papertrailapp.com:12345
LogFormat=rfc5424
StructuredData=[1ab456b6-90bb-6578-abcd-5b734584aaaa@41058]
```

### 4. Extract Journal Metadata
```ini
[Network]
Address=192.168.1.100:514
LogFormat=rfc5424
UseSysLogStructuredData=yes
UseSysLogMsgId=yes
```

### 5. Filter Sensitive Logs
```ini
[Network]
Address=192.168.1.100:514
ExcludeSyslogFacility=auth authpriv
ExcludeSyslogLevel=debug
```

### 6. Secure TLS (Recommended)
```ini
[Network]
Address=secure-logger.example.com:6514
Protocol=tls
LogFormat=rfc5424
TLSCertificateAuthMode=deny
TLSServerCertificate=/etc/ssl/ca-bundle.pem
KeepAlive=true
NoDelay=true
```

### 7. DTLS (UDP + Encryption)
```ini
[Network]
Address=192.168.1.100:4433
Protocol=dtls
# The default, deny, rejects invalid certificates (see Security Best Practices)
TLSCertificateAuthMode=allow
```

---

## Tag Journal Entries (C Example)

```c
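#include <stdio.h>
#include <string.h>
#include <systemd/sd-journal.h>

int main(void) {
    // Each argument is a "FIELD=value" string; the list must end with NULL.
    int r = sd_journal_send(
        "MESSAGE=Login attempt",
        "PRIORITY=4",          // warning
        "SYSLOG_FACILITY=10",  // authpriv
        "SYSLOG_MSGID=LOGIN001",
        "SYSLOG_STRUCTURED_DATA=[auth@12345 user=\"alice\" ip=\"1.2.3.4\" result=\"success\"]",
        NULL
    );
    if (r < 0) {
        // sd_journal_send() returns a negative errno-style code on failure
        fprintf(stderr, "sd_journal_send failed: %s\n", strerror(-r));
        return 1;
    }
    return 0;
}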
```

Compile:
```bash
gcc tag.c -lsystemd -o tag && ./tag
```
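
The following is an added example, not code from this project: a receiver-side Python parser for RFC 5424 lines that recovers the facility, MSGID and structured data set by the entry above, and reports messages from `auth`/`authpriv` that `ExcludeSyslogFacility=` should have kept off the wire. The sample line, its hostname and tag are constructed from the RFC 5424 layout, not captured from `systemd-netlogd`; the function names are hypothetical.

```python
import re

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
HEADER = re.compile(r"<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) ")
# SD-ELEMENT: [SD-ID name="value" ...]; inside a value, '"', '\' and ']' are backslash-escaped
SD_ELEMENT = re.compile(r'\[([^ =\]"]+)((?: [^ =\]"]+="(?:[^"\\\]]|\\.)*")*)\]')
SD_PARAM = re.compile(r' ([^ =\]"]+)="((?:[^"\\\]]|\\.)*)"')
UNESCAPE = re.compile(r'\\(["\\\]])')
SENSITIVE = {4: "auth", 10: "authpriv"}   # syslog facility numbers

# Constructed sample: PRI 84 = facility 10 (authpriv) * 8 + severity 4 (warning)
SAMPLE = ('<84>1 2025-01-01T12:00:00.000000+00:00 edge01 tag 4242 LOGIN001 '
          '[auth@12345 user="alice" ip="1.2.3.4" result="success"] Login attempt')

def parse_rfc5424(line):
    m = HEADER.match(line)
    if not m or int(m.group(1)) > 191:     # highest PRI is 23 * 8 + 7
        raise ValueError("not an RFC 5424 message")
    pri, rest, sd = int(m.group(1)), line[m.end():], {}
    if rest.startswith("-"):               # NILVALUE: no structured data
        rest = rest[1:]
    else:
        while (el := SD_ELEMENT.match(rest)):
            sd[el.group(1)] = {k: UNESCAPE.sub(r"\1", v)
                               for k, v in SD_PARAM.findall(el.group(2))}
            rest = rest[el.end():]
        if not sd:
            raise ValueError("malformed STRUCTURED-DATA")
    return {"facility": pri >> 3, "severity": pri & 7, "timestamp": m.group(3),
            "hostname": m.group(4), "app": m.group(5), "msgid": m.group(7),
            "sd": sd, "msg": rest[1:] if rest.startswith(" ") else ""}

def unfiltered_sensitive(line):
    """Return the sensitive facility name if this message reached the receiver, else None."""
    return SENSITIVE.get(parse_rfc5424(line)["facility"])

if __name__ == "__main__":
    print(parse_rfc5424(SAMPLE))
    print("sensitive facility on the wire:", unfiltered_sensitive(SAMPLE))
```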

---

## Security Best Practices

| Action | Why |
|------|-----|
| **Use TLS/DTLS** | Encrypt logs in transit |
| **Set `TLSCertificateAuthMode=deny`** | Reject invalid certs |
| **Filter `authpriv`, `auth`** | Prevent credential leaks |
| **Restrict multicast** | Only trusted networks |
| **Audit service** | `systemd-analyze security systemd-netlogd.service` |
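
The table's configuration rules can be checked mechanically. The Python sketch below is an added example, not part of the project; it audits a `[Network]` section against the rows above using the defaults documented in the options table. `audit_netlogd` is a hypothetical name; `DTLS_EXAMPLE` is example 7 from this README, and `HARDENED` is example 6 combined with example 5's facility filter.

```python
import configparser
import ipaddress

DTLS_EXAMPLE = """[Network]
Address=192.168.1.100:4433
Protocol=dtls
TLSCertificateAuthMode=allow
"""
HARDENED = """[Network]
Address=secure-logger.example.com:6514
Protocol=tls
TLSCertificateAuthMode=deny
TLSServerCertificate=/etc/ssl/ca-bundle.pem
ExcludeSyslogFacility=auth authpriv
"""

def audit_netlogd(conf_text):
    """Return findings for a netlogd.conf [Network] section; an empty list means none."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                     # keep option names exactly as written
    cp.read_string(conf_text)
    net = cp["Network"] if cp.has_section("Network") else {}
    findings = []

    proto = net.get("Protocol", "udp").lower()                    # documented default: udp
    if proto not in ("tls", "dtls"):
        findings.append(f"Protocol={proto}: logs are not encrypted in transit")
    else:
        mode = net.get("TLSCertificateAuthMode", "deny").lower()  # documented default: deny
        if mode != "deny":
            findings.append(f"TLSCertificateAuthMode={mode}: set deny to reject invalid certs")

    missing = {"auth", "authpriv"} - set(net.get("ExcludeSyslogFacility", "").split())
    if missing:
        findings.append("ExcludeSyslogFacility lacks: " + " ".join(sorted(missing)))

    host = net.get("Address", "").rsplit(":", 1)[0].strip("[]")
    try:
        if ipaddress.ip_address(host).is_multicast:
            findings.append(f"Address={host} is multicast: use only on trusted networks")
    except ValueError:
        pass                                 # hostname or missing value, not an IP literal
    return findings

if __name__ == "__main__":
    for name, text in (("dtls example", DTLS_EXAMPLE), ("hardened", HARDENED)):
        print(name, audit_netlogd(text))
```

Drop-in files under `/etc/systemd/netlogd.conf.d/` are not merged by this sketch; audit the effective settings after combining them.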

---

## Troubleshooting

| Issue | Fix |
|------|-----|
| No logs forwarded | `journalctl -u systemd-netlogd` |
| Connection refused | Check firewall, `ConnectionRetrySec` |
| TLS errors | `openssl s_client -connect host:port` |
| Test receiver | `nc -ul 514` |
| Generate test log | `logger -p user.info "Hello from netlogd!"` |
| Debug mode | Add override: `StandardOutput=journal+console` |

---

## Contributing

1. Fork it
2. Create your feature branch
3. Commit with clear messages
4. Open a PR!

See `CONTRIBUTING.md`

---

## License

**LGPL-2.1-or-later** — same as systemd.  
See `LICENSE`.

---

> **Questions?** Open an issue on GitHub!  
> **Star this repo if you love centralized logging!**