Puppet module for managing systemd journal remote, upload and gatewayd services.

gibbs/puppet-systemd_journal_remote

systemd journal remote

Build Status Release Puppet Forge Apache-2 License

Overview

This module installs, configures and manages the following remote journald services:

  • systemd-journal-remote
  • systemd-journal-upload
  • systemd-journal-gatewayd

Package Management

By default, depending on the distribution, the systemd-journal-remote package is managed. The ::systemd_journal_remote class is required by all other services managed by this module.

# Default package management
class { '::systemd_journal_remote':
  manage_package => true,
  package_name   => 'systemd-journal-remote',
  package_ensure => present,
}

Example Usage

Remote Service

The systemd-journal-remote service can be used to receive journal messages over the network with the ::systemd_journal_remote::remote class.

include ::systemd_journal_remote::remote

By default, to ensure the service runs without configuration, journal-remote listens over HTTP and outputs to /var/log/journal/remote/.

To receive over HTTPS (recommended) and use trusted connections with Puppet certificates:

# Passive configuration example
class { '::systemd_journal_remote::remote':
  command_flags => {
    'listen-https' => '0.0.0.0:19532',
    'compress'     => 'yes',
    'output'       => '/var/log/journal/remote/',
  },
  options       => {
    'SplitMode'              => 'host',
    'ServerKeyFile'          => "/etc/puppetlabs/puppet/ssl/private_keys/${trusted['certname']}.pem",
    'ServerCertificateFile'  => "/etc/puppetlabs/puppet/ssl/certs/${trusted['certname']}.pem",
    'TrustedCertificateFile' => '/etc/puppetlabs/puppet/ssl/certs/ca.pem',
  }
}

To pull data in from another source:

# Active configuration example
class { '::systemd_journal_remote::remote':
  command_flags => {
    'url'    => 'https://some.host:19531/',
    'getter' => "'curl \"-HAccept: application/vnd.fdo.journal\" https://some.host:19531/'",
    'output' => '/var/log/journal/remote/',
  },
  options       => {
    'SplitMode' => 'host',
  }
}

The command_flags and options parameters available mirror those documented in man systemd-journal-remote and man journal-remote.conf.

Upload Service

The systemd-journal-upload service can be used to upload (send) journal messages over the network with the ::systemd_journal_remote::upload class.

By default this class is configured to upload over HTTP to http://0.0.0.0:19532 and save its current state to /var/lib/systemd/journal-upload/state.

To send journal events over HTTPS using Puppet certificates:

# Upload over HTTPS with Puppet certificates
class { '::systemd_journal_remote::upload':
  command_flags => {
    'save-state' => '/var/lib/systemd/journal-upload/state',
  },
  options       => {
    'URL'                    => 'https://0.0.0.0:19532',
    'ServerKeyFile'          => "/etc/puppetlabs/puppet/ssl/private_keys/${trusted['certname']}.pem",
    'ServerCertificateFile'  => "/etc/puppetlabs/puppet/ssl/certs/${trusted['certname']}.pem",
    'TrustedCertificateFile' => '/etc/puppetlabs/puppet/ssl/certs/ca.pem',
    'NetworkTimeoutSec'      => '30',
  }
}

Gateway Daemon Service

The systemd-journal-gatewayd service can be used as an HTTP server to request journal logs as server-sent events, in binary, or as text/JSON using the ::systemd_journal_remote::gatewayd class.

By default the server listens on all interfaces over HTTP on port 19531. To use HTTPS, add the cert option.

# Expect HTTPS connection using Puppet certificates
class { '::systemd_journal_remote::gatewayd':
  command_flags => {
    'key'   => "/etc/puppetlabs/puppet/ssl/private_keys/${trusted['certname']}.pem",
    'cert'  => "/etc/puppetlabs/puppet/ssl/certs/${trusted['certname']}.pem",
    'trust' => '/etc/puppetlabs/puppet/ssl/certs/ca.pem',
  }
}

Limitations

SSL certificates are not managed by this module. You will need to ensure the systemd-journal-(remote|upload|gateway) users have the correct access to the necessary files.
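
The check below is an added example, not part of this module: it reads the TLS file options from the text of journal-remote.conf or journal-upload.conf and reports any file the service user cannot reach, including parent directories it cannot traverse, plus a key file that is exposed beyond its owner and group. The function names are hypothetical, the service user's uid and group ids are supplied by the caller, and it has to run as a user able to stat the files.

```python
# Added example; function names are hypothetical, not part of the module.
import configparser
import os
import stat

TLS_OPTIONS = ("ServerKeyFile", "ServerCertificateFile", "TrustedCertificateFile")
BITS = {"r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
        "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)}

def allowed(st, uid, gids, want):
    """Classic owner/group/other check for a non-root uid (ACLs are ignored)."""
    owner, group, other = BITS[want]
    bit = owner if st.st_uid == uid else group if st.st_gid in gids else other
    return bool(st.st_mode & bit)

def access_problem(path, uid, gids):
    """Return why uid cannot open path for reading, or None if it can."""
    parents, cur = [], os.path.dirname(os.path.abspath(path))
    while cur not in parents:          # dirname("/") == "/", which ends the walk
        parents.append(cur)
        cur = os.path.dirname(cur)
    for directory in reversed(parents):
        if not allowed(os.stat(directory), uid, gids, "x"):
            return f"cannot traverse {directory}"
    if not allowed(os.stat(path), uid, gids, "r"):
        return f"cannot read {path}"
    return None

def audit_tls_files(conf_text, section, uid, gids):
    """Findings for the TLS files named in [Remote] or [Upload] of the config text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str           # keep systemd's case-sensitive option names
    parser.read_string(conf_text)
    findings = []
    for option in TLS_OPTIONS:
        path = parser.get(section, option, fallback=None)
        if not path:
            continue
        try:
            problem = access_problem(path, uid, gids)
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except OSError as exc:
            findings.append(f"{option}: {path}: {exc.strerror}")
            continue
        if problem:
            findings.append(f"{option}: uid {uid} {problem}")
        if option == "ServerKeyFile" and mode & 0o027:
            findings.append(f"{option}: {path} has mode {mode:04o}, open beyond owner and group")
    return findings
```

Pass "Remote" as the section for journal-remote.conf and "Upload" for journal-upload.conf; an empty list means every configured file is reachable and the key is not exposed.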

This module manages only the ExecStart of the systemd-journal-(remote|upload|gatewayd) systemd services, the journal-remote.conf and journal-upload.conf configuration files, and the initial package installation.