Configuring systemd-journal-remote to Listen on Custom Ports: A Complete Guide


2 views

The systemd-journal-remote service is designed to receive journal messages from remote hosts using the Journal Export Format. While the default configuration works out of the box, many administrators need to customize the listening port for security or network topology reasons.

Contrary to what the man pages might suggest, there are ways to configure the listening port. The primary method involves modifying how the service is started through systemd socket activation.

Create an override for the socket unit:

sudo systemctl edit systemd-journal-remote.socket

[Socket]
ListenStream=19532
Accept=yes

Then reload and restart:

sudo systemctl daemon-reload
sudo systemctl restart systemd-journal-remote.socket

For older systems or specific use cases, you might need to modify the service directly:

sudo vim /etc/systemd/system/systemd-journal-remote.service.d/override.conf

[Service]
ExecStart=
ExecStart=/usr/lib/systemd/systemd-journal-remote --listen-http=-3 --output=/var/log/journal/remote/

Check the listening ports with:

ss -tulnp | grep journal

Or test connectivity with:

curl http://localhost:19532/

When changing ports:

  • Update firewall rules (iptables/nftables)
  • Consider using TLS encryption with --key= and --cert= options
  • Monitor for unauthorized access attempts

Common issues include:

journalctl -u systemd-journal-remote -f

Look for errors about port binding or permission issues.

The systemd-journal-remote service by default listens on port 19532 for incoming journal entries. This behavior is hardcoded in the source and not configurable through journal-remote.conf, which explains why you couldn't find any relevant options in the manual.

To make journal-remote listen on a different port, we need to override the systemd socket configuration. Here's how to create a custom socket unit:

# /etc/systemd/system/systemd-journal-remote.socket.d/override.conf
[Socket]
ListenStream=12345

Follow these steps to implement the port change:

# Create override directory
sudo mkdir -p /etc/systemd/system/systemd-journal-remote.socket.d

# Create override file
sudo tee /etc/systemd/system/systemd-journal-remote.socket.d/override.conf <<EOF
[Socket]
ListenStream=12345
EOF

# Reload systemd configuration
sudo systemctl daemon-reload

# Restart the service
sudo systemctl restart systemd-journal-remote.socket

Check if the service is listening on the new port:

sudo ss -tulnp | grep journal-remote
sudo systemctl status systemd-journal-remote.socket

When changing ports, consider these security aspects:

  • Update firewall rules (iptables/nftables) to allow the new port
  • Configure TLS encryption if transmitting over untrusted networks
  • Consider using TCP wrappers (/etc/hosts.allow) for additional access control

For secure remote logging without modifying ports:

ssh -L 19532:localhost:19532 remote-host

This forwards the remote port 19532 to localhost while encrypting all traffic.

If you encounter problems:

  • Check journal logs: journalctl -u systemd-journal-remote
  • Verify SELinux/AppArmor isn't blocking the new port
  • Ensure the port isn't already in use