systemd-netlogd is a lightweight, battle-tested daemon that forwards systemd journal logs to remote hosts over the network using the Syslog protocol (RFC 5424 & RFC 3339).
It supports unicast and multicast, with zero disk buffering — perfect for edge devices, servers, and cloud fleets.
| Feature | Description |
|---|---|
| Network-Aware | Auto-starts when network is up, pauses when down (sd-network integration) |
| Zero Buffering | Reads journal sequentially, forwards one-by-one — no disk, no bloat |
| Full Protocol Support | UDP, TCP, TLS, DTLS (RFC 6012) |
| Flexible Formatting | RFC 5424 (default), RFC 3339, length-prefixed for TLS |
| Security First | TLS cert validation, keepalives, sensitive log filtering |
| Namespace Aware | Target specific journals or aggregate all |
| Isolated Execution | Runs as systemd-journal-netlog system user |
Ideal for: Centralized logging without local storage impact
Requires systemd v255+ for full features.
sudo apt update
sudo apt install build-essential gperf libcap-dev libsystemd-dev pkg-config meson python3-sphinxsudo dnf group install 'Development Tools'
sudo dnf install gperf libcap-devel pkg-config systemd-devel meson python3-sphinxgit clone https://github.com/systemd/systemd-netlogd.git
cd systemd-netlogd
meson setup build
meson compile -C build
sudo meson install -C buildTip: Prefer
meson.makestill works but is legacy.
# Copy provided file or create:
sudo tee /etc/sysusers.d/systemd-netlogd.conf > /dev/null <<EOF
u systemd-journal-netlog - - / /bin/nologin
EOF
sudo systemd-sysuserssudo useradd -r -d / -s /usr/sbin/nologin -g systemd-journal systemd-journal-netlog| Distro | Command |
|---|---|
| Ubuntu (Plucky+, Quokka+, Raccoon+) | sudo apt install systemd-netlogd |
| Fedora | Search COPR: systemd-netlogd |
| Arch Linux | AUR: systemd-netlogd-git |
sudo systemctl daemon-reload
sudo systemctl enable --now systemd-netlogd.serviceCheck logs:
journalctl -u systemd-netlogd.service -fManual test:
SYSTEMD_LOG_LEVEL=debug /usr/lib/systemd-netlogd Config: /etc/systemd/netlogd.conf
Drop-ins: /etc/systemd/netlogd.conf.d/*.conf (INI format)
Reload: sudo systemctl reload systemd-netlogd.service
| Option | Description | Default | Example |
|---|---|---|---|
Address= |
Destination (IP:port or multicast) | Required | 239.0.0.1:6000 |
Protocol= |
udp | tcp | tls | dtls |
udp |
tls |
LogFormat= |
rfc5424 | rfc3339 |
rfc5424 |
rfc3339 |
Directory= |
Custom journal path | System default | /var/log/journal |
Namespace= |
*, +id, or id |
Default | * |
ConnectionRetrySec= |
Retry delay | 30s |
1min |
TLSCertificateAuthMode= |
deny | warn | allow | no |
deny |
warn |
TLSServerCertificate= |
CA/server PEM path | None | /etc/ssl/ca.pem |
KeepAlive= |
TCP keepalive | false |
true |
NoDelay= |
Disable Nagle (low latency) | false |
true |
StructuredData= |
Custom SD-ID | None | [app@12345] |
UseSysLogStructuredData= |
Extract from journal | false |
yes |
UseSysLogMsgId= |
Extract MSGID | false |
yes |
ExcludeSyslogFacility= |
Skip facilities | None | auth,authpriv |
ExcludeSyslogLevel= |
Skip levels | None | debug,info |
[Network]
Address=239.0.0.1:6000
# Protocol=udp (default)[Network]
Address=192.168.1.100:514
LogFormat=rfc3339[Network]
Address=logs.papertrailapp.com:12345
LogFormat=rfc5424
StructuredData=[1ab456b6-90bb-6578-abcd-5b734584aaaa@41058][Network]
Address=192.168.1.100:514
LogFormat=rfc5424
UseSysLogStructuredData=yes
UseSysLogMsgId=yes[Network]
Address=192.168.1.100:514
ExcludeSyslogFacility=auth,authpriv
ExcludeSyslogLevel=debug[Network]
Address=secure-logger.example.com:6514
Protocol=tls
LogFormat=rfc5424
TLSCertificateAuthMode=deny
TLSServerCertificate=/etc/ssl/ca-bundle.pem
KeepAlive=true
NoDelay=true[Network]
Address=192.168.1.100:4433
Protocol=dtls
TLSCertificateAuthMode=allow#include <systemd/sd-journal.h>
int main() {
sd_journal_send(
"MESSAGE=Login attempt",
"PRIORITY=4",
"SYSLOG_FACILITY=10", // authpriv
"SYSLOG_MSGID=LOGIN001",
"SYSLOG_STRUCTURED_DATA=[auth@12345 user=\"alice\" ip=\"1.2.3.4\" result=\"success\"]",
NULL
);
return 0;
}Compile:
gcc tag.c -lsystemd -o tag && ./tag| Action | Why |
|---|---|
| Use TLS/DTLS | Encrypt logs in transit |
Set TLSCertificateAuthMode=deny |
Reject invalid certs |
Filter authpriv, auth |
Prevent credential leaks |
| Restrict multicast | Only trusted networks |
| Audit service | systemd-analyze security systemd-netlogd.service |
| Issue | Fix |
|---|---|
| No logs forwarded | journalctl -u systemd-netlogd |
| Connection refused | Check firewall, ConnectionRetrySec |
| TLS errors | openssl s_client -connect host:port |
| Test receiver | nc -ul 514 |
| Generate test log | logger -p user.info "Hello from netlogd!" |
| Debug mode | Add override: StandardOutput=journal+console |
- Fork it
- Create your feature branch
- Commit with clear messages
- Open a PR!
See CONTRIBUTING.md
LGPL-2.1-or-later — same as systemd.
See LICENSE.
Questions? Open an issue on GitHub!
Star this repo if you love centralized logging!