Revise systemd-netlogd documentation for clarity

ssahani · web-flow · commit f1129d8e57b7 · 2025-10-27T09:13:14.000+05:30
Updated the documentation for systemd-netlogd, enhancing clarity and detail in the description, features, configuration options, and examples.
diff --git a/doc/index.rst b/doc/index.rst
@@ -1,182 +1,278 @@
 :orphan:
 
-systend-netlogd manual page
-===========================
+systemd-netlogd(8)
+==================
+
+.. contents::
+   :depth: 2
+   :local:
+   :backlinks: none
+
+Name
+----
+
+**systemd-netlogd** - Forward systemd journal messages to remote hosts via Syslog
+
+Synopsis
+--------
+
+::
+
+    systemd-netlogd [OPTIONS...]
 
 Description
 -----------
 
-Forwards messages from the journal to other hosts over the network using the Syslog Protocol (RFC 5424 and RFC 3339). It can be configured to send
-messages to both unicast and multicast addresses. systemd-netlogd runs with own user systemd-journal-netlog. Starts sending logs when network is up and stops
-sending as soon as network is down (uses sd-network). It reads from journal and forwards to network one by one. It does not use any extra disk space.
-systemd-netlogd supports ``UDP``, ``TCP``, ``TLS`` and ``DTLS`` (Datagram Transport Layer Security RFC 6012).
+**systemd-netlogd** is a lightweight, network-aware daemon for forwarding log messages from the **systemd journal** to remote hosts over the network using the **Syslog protocol** (RFC 5424 and RFC 3339). It supports unicast and multicast destinations, ensuring efficient log aggregation in distributed environments.
 
-Configuration
+Key features:
+
+- **Efficient forwarding**: Reads journal entries sequentially and transmits them one-by-one without buffering or additional disk usage.
+- **Network integration**: Leverages ``sd-network`` to start forwarding when the network is up and pause when it's down.
+- **Secure transports**: Supports UDP (default), TCP, TLS, and DTLS (RFC 6012 for datagram security).
+- **Flexible output**: Formats logs as RFC 5424 (default), RFC 5425 (length-prefixed for TLS), or RFC 3339.
+- **Isolation**: Runs as the dedicated system user ``systemd-journal-netlog``.
+- **Filtering**: Exclude specific syslog facilities or levels; target journal namespaces.
+
+This daemon is ideal for edge devices, servers, or cloud setups requiring centralized logging with minimal resource impact.
+
+Installation
+------------
+
+Use your distribution's package manager:
+
+- **Ubuntu/Debian**: ``sudo apt install systemd-netlogd``
+- **Fedora/RHEL**: Available via COPR repositories (search for ``systemd-netlogd``).
+- **Arch Linux**: Build from AUR (``systemd-netlogd-git``).
+
+For building from source, see the `GitHub repository <https://github.com/systemd/systemd-netlogd>`_.
+
+User Creation
 -------------
 
-|
-| **useradd** -G systemd-journal systemd-journal-netlog
+The daemon requires a dedicated system user. Create it manually:
 
-This will create a user systemd-journal-netlog
+.. code-block:: console
 
-[NETWORK] SECTION OPTIONS
--------------------------
-|
-|
-   The "[Network]" section only applies for UDP multicast address and Port:
+   sudo useradd -r -d / -s /usr/sbin/nologin -g systemd-journal systemd-journal-netlog
 
-| ``Address=``
-        Controls whether log messages received by the systemd daemon shall be forwarded
-        to a unicast UDP address or multicast UDP network group in syslog RFC 5424 format.
-        The address string format is similar to socket units. See systemd.socket(1)
+Or via ``sysusers.d`` (preferred):
 
-| ``Protocol=``
-        Specifies whether to use udp, tcp, tls or dtls (Datagram Transport Layer Security) protocol. Defaults to udp.
+.. code-block:: ini
 
-| ``LogFormat=``
-        Specifies whether to use RFC 5424, RFC 5425, or RFC 3339 format. Takes one of rfc5424, rfc5425, or rfc3339. Defaults to rfc5424. RFC 5425 is mainly useful for sending over TLS; it prepends a message length field to the RFC 5424 format.
+   # /etc/sysusers.d/systemd-netlogd.conf
+   # Type   Name                    ID   GECOS   Home directory  Shell
+   u       systemd-journal-netlog  -    -       /               /bin/nologin
 
-| ``Directory=``
-        Takes a directory path. Specifies whether to operate on the specified journal directory DIR instead of the default runtime and system journal paths.
+Apply with:
 
-| ``Namespace=``
-        Takes a journal namespace identifier string as argument. If not specified the data collected by the default namespace is shown.
-        If specified shows the log data of the specified namespace instead. If the namespace is specified as "*" data from all namespaces
-        is shown, interleaved. If the namespace identifier is prefixed with "+" data from the specified namespace and the default namespace is shown,
-        interleaved, but no other.
+.. code-block:: console
 
-| ``ConnectionRetrySec=``
-        Specifies the minimum delay before subsequent attempts to contact a Log server are made.
-        Takes a time span value. The default unit is seconds, but other units may be specified,
-        see systemd.time(5). Defaults to 30 seconds and must not be smaller than 1 second.
+   sudo systemd-sysusers
 
-| ``TLSCertificateAuthMode=``
-        Specifies whether to validate the certificate. Takes one of no, allow, deny, warn. Defaults to 'no' which disables certificate validation.
+Running the Service
+-------------------
 
-| ``KeepAlive=``
-        Takes a boolean argument. If true, the TCP/IP stack will send a keep alive message after 2h (depending on the configuration of
-        /proc/sys/net/ipv4/tcp_keepalive_time) for all TCP streams accepted on this socket. This controls the SO_KEEPALIVE socket option
-        (see socket(7) and the TCP Keepalive HOWTO for details.) Defaults to false.
+Enable and start via systemd:
 
-| ``KeepAliveTimeSec=``
-        Takes time (in seconds) as argument. The connection needs to remain idle before TCP starts sending keepalive probes.
-        This controls the TCP_KEEPIDLE socket option (see socket(7) and the TCP Keepalive HOWTO for details.) Default value is 7200 seconds (2 hours).
+.. code-block:: console
 
-| ``KeepAliveIntervalSec=``
-        Takes time (in seconds) as argument between individual keepalive probes, if the socket option SO_KEEPALIVE has been set on this socket.
-        This controls the TCP_KEEPINTVL socket option (see socket(7) and the TCP Keepalive HOWTO for details.) Default value is 75 seconds.
+   sudo systemctl daemon-reload
+   sudo systemctl enable --now systemd-netlogd.service
 
-| ``KeepAliveProbes=``
-       Takes an integer as argument. It is the number of unacknowledged probes to send before considering the connection dead and notifying
-       the application layer. This controls the TCP_KEEPCNT socket option (see socket(7) and the TCP Keepalive HOWTO for details.) Default value is 9.
+- **Logs**: ``journalctl -u systemd-netlogd.service``
+- **Manual invocation**: ``sudo systemd-netlogd`` (for testing).
 
-| ``SendBuffer=``
-       Takes an integer argument controlling the receive or send buffer sizes of this socket, respectively. This controls the SO_SNDBUF
-       socket options (see socket(7) for details.). The usual suffixes K, M, G are supported and are understood to the base of 1024.
+Configuration
+-------------
 
-| ``NoDelay=``
-       Takes a boolean argument. TCP Nagle's algorithm works by combining a number of small outgoing messages, and sending them all at once.
-       This controls the TCP_NODELAY socket option (see tcp(7)). Defaults to false.
+Read from ``/etc/systemd/netlogd.conf`` and drop-ins in ``/etc/systemd/netlogd.conf.d/*.conf`` (INI format).
 
-|  Optional settings
+Options are in the ``[Network]`` section. Reload changes:
 
-|  ``StructuredData=``
-        Specifies the meta information about the syslog message, which can be used for Cloud Based syslog servers, such as Loggly.
+.. code-block:: console
 
-|  ``UseSysLogStructuredData=``
-        A boolean. Specifies whether to extract SYSLOG_STRUCTURED_DATA= from journal. Defaults to false.
+   sudo systemctl reload systemd-netlogd.service
 
-|  ``UseSysLogMsgId=``
-       A boolean. Specifies whether to extract SYSLOG_MSGID= from journal. Defaults to false.
+[Network] Section Options
+-------------------------
 
-EXAMPLES
+.. tabularcolumns:: |p{3cm}|p{1.5cm}|p{1.5cm}|p{7cm}|
+
++--------------------+----------+-------------+-------------------------------------------------------------+
+| Option             | Type     | Default     | Description                                                  |
++====================+==========+=============+=============================================================+
+| ``Address=``       | string   | *(required)*| Destination (unicast ``IP:PORT`` or multicast ``GROUP:PORT``). See :manpage:`systemd.socket(5)`. |
++--------------------+----------+-------------+-------------------------------------------------------------+
+| ``Protocol=``      | enum     | ``udp``     | ``udp``, ``tcp``, ``tls``, ``dtls``.                        |
++--------------------+----------+-------------+-------------------------------------------------------------+
+| ``LogFormat=``     | enum     | ``rfc5424``| ``rfc5424``, ``rfc5425`` (TLS-friendly), ``rfc3339``.       |
++--------------------+----------+-------------+-------------------------------------------------------------+
+| ``Directory=``     | path     | *system*    | Custom journal directory.                                    |
++--------------------+----------+-------------+-------------------------------------------------------------+
+| ``Namespace=``     | string   | *default*   | Filter: ID, ``*`` (all), ``+ID`` (ID + default).            |
++--------------------+----------+-------------+-------------------------------------------------------------+
+| ``ConnectionRetrySec=`` | time | ``30s`` | Reconnect delay (≥1s). See :manpage:`systemd.time(5)`.     |
++--------------------+----------+-------------+-------------------------------------------------------------+
+| ``TLSCertificateAuthMode=`` | enum | ``no`` | ``no``, ``allow``, ``deny``, ``warn`` (validation modes). |
++--------------------+----------+-------------+-------------------------------------------------------------+
+| ``TLSServerCertificate=`` | path | – | PEM CA/server cert for validation.                         |
++--------------------+----------+-------------+-------------------------------------------------------------+
+| ``KeepAlive=``     | bool     | ``false``   | Enable TCP keepalives (``SO_KEEPALIVE``). See :manpage:`socket(7)`. |
++--------------------+----------+-------------+-------------------------------------------------------------+
+| ``KeepAliveTimeSec=`` | sec | ``7200`` | Idle before probes (``TCP_KEEPIDLE``).                      |
++--------------------+----------+-------------+-------------------------------------------------------------+
+| ``KeepAliveIntervalSec=`` | sec | ``75`` | Probe interval (``TCP_KEEPINTVL``).                         |
++--------------------+----------+-------------+-------------------------------------------------------------+
+| ``KeepAliveProbes=`` | int  | ``9``     | Probes before close (``TCP_KEEPCNT``).                      |
++--------------------+----------+-------------+-------------------------------------------------------------+
+| ``SendBuffer=``    | size     | *system*    | Send buffer (``SO_SNDBUF``; K/M/G suffixes).                |
++--------------------+----------+-------------+-------------------------------------------------------------+
+| ``NoDelay=``       | bool     | ``false``   | Disable Nagle (``TCP_NODELAY``). See :manpage:`tcp(7)`.     |
++--------------------+----------+-------------+-------------------------------------------------------------+
+| ``StructuredData=``| string   | –           | Fixed SD-ID (e.g., for Loggly).                              |
++--------------------+----------+-------------+-------------------------------------------------------------+
+| ``UseSysLogStructuredData=`` | bool | ``false`` | Extract ``SYSLOG_STRUCTURED_DATA`` from journal.           |
++--------------------+----------+-------------+-------------------------------------------------------------+
+| ``UseSysLogMsgId=``| bool     | ``false``   | Extract ``SYSLOG_MSGID`` from journal.                      |
++--------------------+----------+-------------+-------------------------------------------------------------+
+| ``ExcludeSyslogFacility=`` | list | –     | Skip facilities (e.g., ``auth,authpriv``).                  |
++--------------------+----------+-------------+-------------------------------------------------------------+
+| ``ExcludeSyslogLevel=`` | list | –       | Skip levels (e.g., ``debug``).                              |
++--------------------+----------+-------------+-------------------------------------------------------------+
+
+**Facilities**: ``kern``, ``user``, ``mail``, ``daemon``, ``auth``, ``syslog``, ``lpr``, ``news``, ``uucp``, ``cron``, ``authpriv``, ``ftp``, ``ntp``, ``security``, ``console``, ``solaris-cron``, ``local0``–``local7``.
+
+**Levels**: ``emerg``, ``alert``, ``crit``, ``err``, ``warning``, ``notice``, ``info``, ``debug``.
+
+Examples
 --------
 
-- Example 1. UDP Multicast::
+UDP Multicast
+^^^^^^^^^^^^^
+
+.. code-block:: ini
+
+   [Network]
+   Address=239.0.0.1:6000
+
+Unicast UDP (RFC 3339)
+^^^^^^^^^^^^^^^^^^^^^
+
+.. code-block:: ini
 
- .. code-block:: bash
+   [Network]
+   Address=192.168.8.101:514
+   LogFormat=rfc3339
 
-    [Network]
-    Address=239.0.0.1:6000
+Custom Structured Data
+^^^^^^^^^^^^^^^^^^^^^
 
-- Example 2. UDP::
+.. code-block:: ini
 
- .. code-block:: bash
+   [Network]
+   Address=192.168.8.101:514
+   StructuredData=[1ab456b6-90bb-6578-abcd-5b734584aaaa@41058]
 
-    [Network]
-    Address=192.168.8.101:514
+TLS
+^^^
 
-- Example 3. Structured Data::
+.. code-block:: ini
 
- .. code-block:: bash
+   [Network]
+   Address=192.168.8.101:514
+   Protocol=tls
+   LogFormat=rfc5425
+   TLSCertificateAuthMode=deny
 
-    [Network]
-    Address=192.168.8.101:514
-    StructuredData=[1ab456b6-90bb-6578-abcd-5b734584aaaa@41058]
+DTLS
+^^^^
 
-- Example 4. TLS::
+.. code-block:: ini
 
- .. code-block:: bash
+   [Network]
+   Address=192.168.8.101:4433
+   Protocol=dtls
+   TLSCertificateAuthMode=warn
 
-    [Network]
-    Address=192.168.8.101:514
-    Protocol=tls
+Extract Journal Metadata
+^^^^^^^^^^^^^^^^^^^^^^^^
 
-- Example 5. DTLS::
+.. code-block:: ini
 
- .. code-block:: bash
+   [Network]
+   Address=192.168.8.101:514
+   LogFormat=rfc5424
+   UseSysLogStructuredData=yes
+   UseSysLogMsgId=yes
 
-    [Network]
-    Address=192.168.8.101:4433
-    Protocol=dtls
+TCP with Filtering
+^^^^^^^^^^^^^^^^^^
 
-- Example 6. Custom Structured Data and Message Id::
+.. code-block:: ini
 
- .. code-block:: bash
+   [Network]
+   Address=192.168.8.101:514
+   Protocol=tcp
+   ExcludeSyslogFacility=auth,authpriv
+   ExcludeSyslogLevel=debug
 
-    [Network]
-    Address=192.168.8.101:514
-    #Protocol=udp
-    LogFormat=rfc5424
-    UseSysLogStructuredData=yes
-    UseSysLogMsgId=yes
+Using Structured Data and Message IDs
+-------------------------------------
 
-- Example 7. TCP::
+Tag journal entries for extraction:
 
- .. code-block:: bash
+.. code-block:: c
 
-    [Network]
-    Address=192.168.8.101:514
-    Protocol=tcp
+   #include <systemd/sd-journal.h>
 
-- Example 8. TLS with certificate authentication mode::
+   int main(void) {
+       sd_journal_send(
+           "MESSAGE=%s", "Message to process",
+           "PRIORITY=%i", 4,  // warning
+           "SYSLOG_FACILITY=%i", 1,  // user
+           "SYSLOG_MSGID=%s", "1011",
+           "SYSLOG_STRUCTURED_DATA=%s", R"([exampleSDID@32473 iut="3" eventSource="Application"])",
+           NULL);
+       return 0;
+   }
 
- .. code-block:: bash
+Compile: ``gcc example.c -lsystemd``.
 
-    [Network]
-    Address=192.168.8.101:514
-    Protocol=tls
-    TLSCertificateAuthMode=warn
+Files
+-----
 
-- Example 9. DTLS with certificate authentication mode::
+/etc/systemd/netlogd.conf
+   Main configuration.
 
- .. code-block:: bash
+/etc/systemd/netlogd.conf.d/*.conf
+   Drop-in snippets.
 
-    [Network]
-    Address=192.168.8.101:514
-    Protocol=tls
-    TLSCertificateAuthMode=deny
+/lib/systemd/system/systemd-netlogd.service
+   Service unit.
 
+Troubleshooting
+---------------
 
-- Use case of UseSysLogStructuredData= and UseSysLogMsgId=::
+- **No forwarding**: Check ``journalctl -u systemd-netlogd``; verify network and permissions.
+- **TLS errors**: Use ``openssl verify -CAfile cert.pem server.crt``; set ``TLSCertificateAuthMode=allow`` for testing.
+- **Test setup**: Generate logs with ``logger -p user.info "Test"``; receive with ``nc -u -l 514``.
+- **Debug mode**: Override service: ``systemctl edit systemd-netlogd`` and add ``StandardOutput=journal+console``.
 
- .. code-block:: bash
+See Also
+--------
+
+:manpage:`systemd.socket(5)`, :manpage:`systemd.time(5)`, :manpage:`socket(7)`, :manpage:`tcp(7)`, :manpage:`systemd-journald(8)`
+
+- RFC 5424, RFC 5425, RFC 3339, RFC 6012
+- Project: https://github.com/systemd/systemd-netlogd
+
+Author
+------
+
+Susant Sahani <ssahani@gmail.com>
+
+Colophon
+--------
 
-    sd_journal_send(
-    "MESSAGE=%s", "Message to process",
-    "PRIORITY=%s", "4",
-    "SYSLOG_FACILITY=%s", "1",
-    "SYSLOG_MSGID=%s", "1011",
-    "SYSLOG_STRUCTURED_DATA=%s", R"([exampleSDID@32473 iut="3" eventSource="Application"])",
-    NULL
-  );
+This page is part of systemd-netlogd (version 1.4.4, October 27, 2025).
