systemd-journal-remote.service, systemd-journal-remote.socket, systemd-journal-remote - Receive journal messages over the network
/lib/systemd/systemd-journal-remote [OPTIONS...] [-o/--output=DIR|FILE] [SOURCES...]
systemd-journal-remote is a command to receive serialized journal events and store them to journal files. Input streams are in the Journal Export Format  , i.e. like the output from journalctl --output=export. For transport over the network, this serialized stream is usually carried over an HTTPS connection.
systemd-journal-remote.service is a system service that uses systemd-journal-remote to listen for connections. systemd-journal-remote.socket configures the network address that systemd-journal-remote.service listens on. By default this is port 19532. What connections are accepted and how the received data is stored can be configured through the journal-remote.conf(5) configuration file.
Sources can be either "active" (systemd-journal-remote requests and pulls the data), or "passive" (systemd-journal-remote waits for a connection and then receives events pushed by the other side).
systemd-journal-remote can read more than one event stream at a time. They will be interleaved in the output file. In case of "active" connections, each "source" is one stream, and in case of "passive" connections, each connection can result in a separate stream. Sockets can be configured in "accept" mode (i.e. only one connection), or "listen" mode (i.e. multiple connections, each resulting in a stream).
When there are no more connections, and no more can be created (there are no listening sockets), then systemd-journal-remote will exit.
Active sources can be specified in the following ways:
When - is given as a positional argument, events will be read from standard input. Other positional arguments will be treated as filenames to open and read from.
With the --url=ADDRESS option, events will be retrieved using HTTP from ADDRESS. This URL should refer to the root of a remote systemd-journal-gatewayd(8) instance, e.g. http://some.host:19531/ or https://some.host:19531/.
Program to invoke to retrieve data. The journal event stream must be generated on standard output.
--getter='curl "-HAccept: application/vnd.fdo.journal" https://some.host:19531/'
--getter='wget --header="Accept: application/vnd.fdo.journal" -O- https://some.host:19531/'
Passive sources can be specified in the following ways:
ADDRESS must be an address suitable for ListenStream= (cf. systemd.socket(5)). systemd-journal-remote will listen on this socket for connections. Each connection is expected to be a stream of journal events.
ADDRESS must be either a negative integer, in which case it will be interpreted as the (negated) file descriptor number, or an address suitable for ListenStream= (c.f. systemd.socket(5)). In the first case, the server listens on port 19532 by default, and the matching file descriptor must be inherited through $LISTEN_FDS/$LISTEN_PID. In the second case, an HTTP or HTTPS server will be spawned on this port, respectively for --listen-http= and --listen-https=. Currently, only POST requests to /upload with "Content-Type: application/vnd.fdo.journal" are supported.
systemd-journal-remote supports the $LISTEN_FDS/$LISTEN_PID protocol. Open sockets inherited through socket activation behave like those opened with --listen-raw= described above, unless they are specified as an argument in --listen-http=-n or --listen-https=-n above. In the latter case, an HTTP or HTTPS server will be spawned using this descriptor and connections must be made over the HTTP protocol.
Takes a path to a SSL secret key file in PEM format. Defaults to /etc/ssl/private/journal-remote.pem. This option can be used with --listen-https=. If the path refers to an AF_UNIX stream socket in the file system a connection is made to it and the key read from it.
Takes a path to a SSL certificate file in PEM format. Defaults to /etc/ssl/certs/journal-remote.pem. This option can be used with --listen-https=. If the path refers to an AF_UNIX stream socket in the file system a connection is made to it and the certificate read from it.
Takes a path to a SSL CA certificate file in PEM format, or all. If all is set, then certificate checking will be disabled. Defaults to /etc/ssl/ca/trusted.pem. This option can be used with --listen-https=. If the path refers to an AF_UNIX stream socket in the file system a connection is made to it and the certificate read from it.
Takes a comma separated list of gnutls logging categories. This option can be used with --listen-http= or --listen-https=.
The location of the output journal can be specified with -o or --output=.
Will write to this journal file. The filename must end with .journal. The file will be created if it does not exist. If necessary (journal file full, or corrupted), the file will be renamed following normal journald rules and a new journal file will be created in its stead.
Will create journal files underneath directory DIR. The directory must exist. If necessary (journal files over size, or corrupted), journal files will be rotated following normal journald rules. Names of files underneath DIR will be generated using the rules described below.
If --output= is not used, the output directory /var/log/journal/remote/ will be used. In case the output file is not specified, journal files will be created underneath the selected directory. Files will be called remote-hostname.journal, where the hostname part is the escaped hostname of the source endpoint of the connection, or the numerical address if the hostname cannot be determined.
In the case that "active" sources are given by the positional arguments or --getter= option, the output file name must always be given explicitly.
The following options are understood:
One of none or host. For the first, only one output journal file is used. For the latter, a separate output file is used, based on the hostname of the other endpoint of a connection.
In the case that "active" sources are given by the positional arguments or --getter= option, the output file name must always be given explicitly and only none is allowed.
If this is set to "yes" then compress the data in the journal using XZ. The default is "yes".
If this is set to "yes" then periodically sign the data in the journal using Forward Secure Sealing. The default is "no".
Print a short help text and exit.
Print a short version string and exit.
Copy local journal events to a different journal directory:
journalctl -o export | systemd-journal-remote -o /tmp/dir/foo.journal -
Retrieve all available events from a remote systemd-journal-gatewayd(8) instance and store them in /var/log/journal/remote/remote-some.host.journal:
systemd-journal-remote --url http://some.host:19531/
Retrieve current boot events and wait for new events from a remote systemd-journal-gatewayd(8) instance, and store them in /var/log/journal/remote/remote-some.host.journal:
systemd-journal-remote --url http://some.host:19531/entries?boot&follow
Journal Export Format