Forwards messages from the systemd journal to remote hosts over the network using the Syslog protocol (RFC 5424 and RFC 3164). Supports unicast and multicast destinations with UDP, TCP, TLS (RFC 5425), and DTLS (RFC 6012) transports.
systemd-netlogd reads from the journal and forwards to the network sequentially — no local buffering or extra disk usage. It starts sending logs when the network is up and stops when it goes down (using sd-network), and runs as the unprivileged systemd-journal-netlog user.
- Network-aware — automatically detects network state changes via
sd-network - Zero buffering — sequential journal reading without local caching
- Secure transports — UDP, TCP, TLS (RFC 5425), DTLS (RFC 6012)
- Standard formats — RFC 5424 (recommended), RFC 3164 (legacy BSD syslog)
- Smart filtering — exclude sensitive facilities (auth/authpriv) and log levels
- Namespace support — forward from specific journal namespaces or aggregate all
- Structured data — attach metadata to messages or extract from journal fields
- Hardened — runs as unprivileged user with systemd security sandboxing
- Fault tolerant — automatic reconnection with cursor persistence ensures no message loss
- Lightweight — minimal memory footprint, no runtime dependencies beyond systemd and OpenSSL
# Configure sudo tee /etc/systemd/netlogd.conf <<EOF [Network] Address=logs.example.com:514 Protocol=tcp EOF # Create system user sudo useradd -r -d / -s /usr/sbin/nologin -g systemd-journal systemd-journal-netlog # Start sudo systemctl enable --now systemd-netlogdView status:
journalctl -u systemd-netlogd -f| Distribution | Command |
|---|---|
| Ubuntu/Debian | sudo apt install systemd-netlogd |
| Fedora/RHEL | Available via COPR repositories |
| Arch Linux | AUR: yay -S systemd-netlogd-git |
Prerequisites: systemd >= 230 (v255+ recommended), meson (>= 0.51), gperf, libcap, OpenSSL
# Install dependencies (Debian/Ubuntu) sudo apt install build-essential meson gperf libcap-dev libsystemd-dev libssl-dev libcmocka-dev # Install dependencies (Fedora/RHEL) sudo dnf install gcc meson gperf libcap-devel systemd-devel openssl-devel libcmocka-devel # Install dependencies (Arch Linux) sudo pacman -S base-devel meson gperf libcap openssl cmocka # Build git clone https://github.com/systemd/systemd-netlogd.git cd systemd-netlogd meson setup build meson compile -C build # Run tests meson test -C build # Install sudo meson install -C build # Create system user and start sudo useradd -r -d / -s /usr/sbin/nologin -g systemd-journal systemd-journal-netlog sudo systemctl daemon-reload sudo systemctl enable --now systemd-netlogdThe repository includes packaging for multiple distributions:
- RPM —
systemd-netlogd.spec(Fedora, RHEL, Rocky Linux) - DEB —
debian/directory (Ubuntu, Debian) - Arch Linux —
PKGBUILD
Configuration file: /etc/systemd/netlogd.conf
Drop-in overrides: /etc/systemd/netlogd.conf.d/*.conf
Reload after changes: sudo systemctl reload systemd-netlogd
| Option | Description | Default |
|---|---|---|
Address= | Destination (IP:port or multicast group) | Required |
Protocol= | udp, tcp, tls, dtls | udp |
LogFormat= | rfc5424, rfc5425 (TLS), rfc3164 (legacy) | rfc5424 |
Directory= | Custom journal directory path | System default |
Namespace= | Journal namespace: * (all), +id (id+default), id | Default |
ConnectionRetrySec= | Reconnect delay after failure | 30s |
TLSCertificateAuthMode= | Certificate validation: deny, warn, allow, no | deny |
TLSServerCertificate= | CA/server certificate PEM path | System CA store |
KeepAlive= | Enable TCP keepalive probes | false |
KeepAliveTimeSec= | Keepalive idle timeout | 7200 |
KeepAliveIntervalSec= | Keepalive probe interval | 75 |
KeepAliveProbes= | Keepalive probe count | 9 |
SendBuffer= | Socket send buffer size (bytes, K, M, G) | System default |
NoDelay= | Disable Nagle's algorithm (lower latency) | false |
StructuredData= | Static structured data [SD-ID@PEN ...] | None |
UseSysLogStructuredData= | Extract SYSLOG_STRUCTURED_DATA from journal | false |
UseSysLogMsgId= | Extract SYSLOG_MSGID from journal | false |
ExcludeSyslogFacility= | Space-separated facility list to exclude | None |
ExcludeSyslogLevel= | Space-separated level list to exclude | None |
Facilities: kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, authpriv, ftp, ntp, security, console, solaris-cron, local0-local7
Levels: emerg, alert, crit, err, warning, notice, info, debug
Basic UDP:
[Network] Address=192.168.1.100:514Production TLS (recommended):
[Network] Address=logs.example.com:6514 Protocol=tls LogFormat=rfc5425 TLSCertificateAuthMode=deny TLSServerCertificate=/etc/pki/tls/certs/ca-bundle.crt KeepAlive=yes NoDelay=yes ExcludeSyslogFacility=auth authprivDTLS (encrypted UDP):
[Network] Address=192.168.1.100:4433 Protocol=dtls TLSCertificateAuthMode=warnTCP with filtering:
[Network] Address=192.168.1.100:514 Protocol=tcp ExcludeSyslogFacility=auth authpriv ExcludeSyslogLevel=debugCloud service (Papertrail):
[Network] Address=logs7.papertrailapp.com:12345 Protocol=tls LogFormat=rfc5424 TLSCertificateAuthMode=deny KeepAlive=yesCloud service (Loggly):
[Network] Address=logs-01.loggly.com:6514 Protocol=tls LogFormat=rfc5424 StructuredData=[YOUR-CUSTOMER-TOKEN@41058] TLSCertificateAuthMode=denyMulticast:
[Network] Address=239.0.0.1:6000With structured data and message IDs:
[Network] Address=192.168.1.100:514 Protocol=tcp LogFormat=rfc5424 StructuredData=[app@12345 env="production" region="us-east"] UseSysLogStructuredData=yes UseSysLogMsgId=yesAll journal namespaces:
[Network] Address=192.168.1.100:514 Protocol=tcp Namespace=*See the examples/ directory for more production-ready configurations.
systemd-netlogd runs with minimal privileges via systemd hardening:
- Runs as dedicated
systemd-journal-netloguser (not root) ProtectSystem=strict,ProtectHome=yes,PrivateTmp=yesProtectKernelTunables=yes,ProtectKernelModules=yes,ProtectKernelLogs=yesMemoryDenyWriteExecute=yes,LockPersonality=yesSystemCallArchitectures=native,PrivateDevices=yes
Audit the security posture:
sudo systemd-analyze security systemd-netlogd.serviceBest practices:
- Use
Protocol=tlsfor forwarding over untrusted networks - Set
TLSCertificateAuthMode=denywith a valid CA certificate in production - Exclude sensitive logs:
ExcludeSyslogFacility=auth authpriv
See SECURITY.md for the full security policy and vulnerability reporting.
| Signal | Action |
|---|---|
SIGTERM, SIGINT | Graceful shutdown, save cursor state |
SIGUSR1 | Toggle debug log level |
SIGUSR2 | Reserved |
# Enable debug logging temporarily sudo kill -SIGUSR1 $(pidof systemd-netlogd) journalctl -u systemd-netlogd -f# Check service status sudo systemctl status systemd-netlogd journalctl -u systemd-netlogd -n 50 # Test network connectivity nc -vz remote-server 514 # TCP nc -u -vz remote-server 514 # UDP # Generate test log logger -p user.info "Test from systemd-netlogd" # Enable persistent debug logging sudo systemctl edit systemd-netlogd # Add: Environment=SYSTEMD_LOG_LEVEL=debug # Test TLS connectivity openssl s_client -connect server:6514 -CAfile /path/to/ca.pem # Reset state (re-forward from current journal position) sudo systemctl stop systemd-netlogd sudo rm /var/lib/systemd-netlogd/state sudo systemctl start systemd-netlogdThe daemon saves its journal cursor to /var/lib/systemd-netlogd/state after each successful forward. This ensures no message loss across restarts or network outages. On startup, it resumes from the last saved position.
| Document | Description |
|---|---|
| Man page | Full reference (man systemd-netlogd) |
| FAQ | Common questions and answers |
| ARCHITECTURE.md | Internal design and data flow |
| TESTING.md | Test suite and validation guide |
| CONTRIBUTING.md | Development setup and contribution guide |
| SECURITY.md | Security policy and vulnerability reporting |
| CHANGELOG.md | Release history |
| examples/ | Production-ready configuration examples |
git clone https://github.com/systemd/systemd-netlogd.git cd systemd-netlogd meson setup build meson compile -C build meson test -C build -vSee CONTRIBUTING.md for the full guide.
LGPL-2.1-or-later -- same license as systemd. See LICENSE.LGPL2.1.
Susant Sahani ssahani@gmail.com