How to configure systemd journal remote logging

Solution Unverified - Updated

Environment

  • Red Hat Enterprise Linux 7 and above

Issue

  • How to configure systemd-journal-remote
  • Need to send journal logs to a remote journal server.

Resolution

1. Server Config

  • Confirm whether systemd-journal-remote is installed. If it is not, install it with the following command:
   # yum install systemd-journal-remote
  • Prepare the sink directory where all logs will be stored:
   # mkdir -p /var/log/journal/remote/
  • (Optional) Change the protocol in the unit file if desired: change --listen-https to --listen-http to use the http protocol. Otherwise, configure certificates in the /etc/systemd/journal-remote.conf file. To generate certificates, see the "Setting up certificates for authentication" section.
   # vi /usr/lib/systemd/system/systemd-journal-remote.service
  • Reload systemd, then enable and start the socket:
   # systemctl daemon-reload
   # systemctl enable systemd-journal-remote.socket
   # systemctl start systemd-journal-remote.socket

2. Client Config

  • Confirm whether systemd-journal-remote is installed. If it is not, install it with:
   # yum install systemd-journal-remote
  • Edit the configuration file and add a URL option pointing to the server. Replace the placeholder with the FQDN or IP address of the server.
   # vi /etc/systemd/journal-upload.conf

   [Upload]
   URL=http://<FQDN or IP>:19532
   Note: If http is not used, the https protocol is used, which leads to openssl-related issues. If you want to use https, make sure certificates are configured on both the server and the client side.
  • Start and enable the service:
   # systemctl enable systemd-journal-upload
   # systemctl start systemd-journal-upload

3. Setting up certificates for authentication

  • As per the manpage:
   # man systemd-journal-upload
  • Certificates signed by a trusted authority are used to verify that the server to which messages are uploaded is legitimate, and vice versa, that the client is trusted.

  • A suitable set of certificates can be generated with openssl. Note that a key length of at least 2048 bits is recommended for security reasons:

	Example 1. Setting up certificates for authentication

	# openssl req -newkey rsa:2048 -days 3650 -x509 -nodes \
	-out ca.pem -keyout ca.key -subj '/CN=Certificate authority/'

	# cat >ca.conf <<EOF
	[ ca ]
	default_ca = this

	[ this ]
	new_certs_dir = .
	certificate = ca.pem
	database = ./index
	private_key = ca.key
	serial = ./serial
	default_days = 3650
	default_md = default
	policy = policy_anything

	[ policy_anything ]
	countryName             = optional
	stateOrProvinceName     = optional
	localityName            = optional
	organizationName        = optional
	organizationalUnitName  = optional
	commonName              = supplied
	emailAddress            = optional
	EOF

	# touch index
	# echo 0001 >serial

	# Replace server and client below with the actual hostnames of the server and client
	# SERVER=server
	# CLIENT=client

	# openssl req -newkey rsa:2048 -nodes -out $SERVER.csr -keyout $SERVER.key -subj "/CN=$SERVER/"
	# openssl ca -batch -config ca.conf -notext -in $SERVER.csr -out $SERVER.pem

	# openssl req -newkey rsa:2048 -nodes -out $CLIENT.csr -keyout $CLIENT.key -subj "/CN=$CLIENT/"
	# openssl ca -batch -config ca.conf -notext -in $CLIENT.csr -out $CLIENT.pem
  • The generated files ca.pem, server.pem, and server.key should be installed on the server, and ca.pem, client.pem, and client.key on the client. The location of those files can be specified using TrustedCertificateFile=, ServerCertificateFile=, and ServerKeyFile= in /etc/systemd/journal-remote.conf and /etc/systemd/journal-upload.conf, respectively. The default locations can be queried by using systemd-journal-remote --help and systemd-journal-upload --help.

  • Note: When using the SSL option, define the URL in the upload configuration like this:

   URL=https://<FQDN>:<port>
  • The FQDN must match the CN in the SSL certificate of the server. If you use an IP address instead, it will throw an error that it does not match the Common Name (CN) in the certificate.
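
The URL pitfalls noted above (plain http, an IP address in the URL, and a host that differs from the server certificate CN) can be checked on the client before systemd-journal-upload is started. The script below is an added example, not part of the original solution; its function names are hypothetical, and cert_cn assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the original solution); function names are hypothetical.

# Print the value of KEY in the [Upload] section; a later assignment overrides an earlier one.
upload_opt() {   # usage: upload_opt CONF KEY
    awk -v key="$2" '
        /^[ \t]*\[/ { in_upload = ($0 ~ /^[ \t]*\[Upload\]/); next }
        in_upload && /^[ \t]*[A-Za-z]+[ \t]*=/ {
            k = $0; sub(/[ \t]*=.*$/, "", k); sub(/^[ \t]*/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v) }
        }
        END { print v }' "$1"
}

# Print the subject CN of a PEM certificate (needs the openssl CLI).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Return 0 only if URL= uses https and names the host found in the server certificate CN.
check_upload_url() (   # usage: check_upload_url CONF SERVER_CN
    url=$(upload_opt "$1" URL)
    [ -n "$url" ] || { echo "FAIL: no URL= in [Upload]"; return 1; }
    case "$url" in
        http://*)  echo "FAIL: $url is plain http: no encryption, no certificate checks"; return 1 ;;
        https://*) ;;
        *://*)     echo "FAIL: unsupported scheme in $url"; return 1 ;;
        *)         url="https://$url" ;;   # no scheme given: https is used
    esac
    host=${url#https://}; host=${host%%/*}
    case "$host" in
        \[*) is_ip=1 ;;                    # bracketed IPv6 literal
        *)   host=${host%%:*}              # drop the port
             case "$host" in *[!0-9.]*) is_ip=0 ;; *) is_ip=1 ;; esac ;;
    esac
    if [ "$is_ip" -eq 1 ]; then
        echo "FAIL: URL uses an IP address, which will not match certificate CN '$2'"; return 1
    fi
    if [ "$(lc "$host")" != "$(lc "$2")" ]; then
        echo "FAIL: URL host '$host' does not match server certificate CN '$2'"; return 1
    fi
    echo "OK: $url matches server certificate CN '$2'"
)

# Stand-alone use: sh check-upload.sh /etc/systemd/journal-upload.conf server.pem
if [ $# -eq 2 ]; then check_upload_url "$1" "$(cert_cn "$2")"; fi
```
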