A simple start

The bare minimum you need to get circologd running on a systemd-based system is this unit. Other options with more features or more security are provided below.

[Unit]
Description=In-memory logging

[Service]
User=root
Group=adm
ExecStart=/usr/local/sbin/circologd -syslogd-socket /run/circolog/syslog.sock  -buffer-size 2000 -query-socket /run/circolog/query.sock

[Install]
WantedBy=multi-user.target

A better unit

This is another unit, which has several security features, such as DynamicUser, filesystem restrictions, and more.

[Unit]
Description=In-memory logging

[Service]
DynamicUser=true
Group=adm
RuntimeDirectory=circolog
# this is important: circologd will respect umask, so if you want to have files that are not world-readable, you must set it
RuntimeDirectoryMode=0750
UMask=0026
ProtectSystem=full
ExecStart=/usr/local/sbin/circologd -syslogd-socket /run/circolog/syslog.sock  -buffer-size 2000 -query-socket /run/circolog/query.sock
# security restrictions; useful, but not needed
PrivateTmp=true
PrivateNetwork=true
NoNewPrivileges=true
RestrictNamespaces=true

#optional: watchdog
WatchdogSec=30

[Install]
WantedBy=multi-user.target
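
What the UMask= setting in the unit above does to the mode of a Unix socket, as an added example that is not part of circolog. It assumes the daemon creates its sockets with a plain bind() and does not chmod them afterwards; the socket path and the function names are constructed for the demonstration.

```python
import os
import socket
import stat
import tempfile


def socket_mode_under(umask):
    """Bind a Unix socket while `umask` is in effect; return its permission bits."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "query.sock")  # constructed path, not circologd's
        previous = os.umask(umask)
        try:
            with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
                srv.bind(path)  # Linux creates the socket file as 0777 & ~umask
                return stat.S_IMODE(os.stat(path).st_mode)
        finally:
            os.umask(previous)  # always restore the caller's umask


def who_can_connect(mode):
    """On Linux, connect() needs write permission on the socket file.
    Root (CAP_DAC_OVERRIDE) bypasses this check and is not listed."""
    classes = (("owner", stat.S_IWUSR),
               ("group", stat.S_IWGRP),
               ("other", stat.S_IWOTH))
    return [name for name, bit in classes if mode & bit]


def report(umasks=(0o022, 0o026, 0o007)):
    """Map each umask to (socket mode, permission classes allowed to connect).
    0o026 is the value used in the unit above; the other two are for comparison."""
    result = {}
    for mask in umasks:
        mode = socket_mode_under(mask)
        result[mask] = (mode, who_can_connect(mode))
    return result


if __name__ == "__main__":
    for mask, (mode, allowed) in report().items():
        print(f"UMask={mask:04o} -> socket mode {mode:04o}, "
              f"connect allowed for: {', '.join(allowed)}")
```

On a running service, `stat -c '%a %U:%G' /run/circolog/query.sock` shows the mode and ownership the socket actually ended up with.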

Journald

None of those are integrated with journald, however. The simplest way to integrate with journald is the following.

First of all, ensure ForwardToSyslog=yes in /etc/systemd/journald.conf. Then, you need to run circologd as root and bind it to a special address. Ok, you don't strictly need to run it as root, but that's the easiest way to run it. Here is a working unit for this:

[Unit]
Description=In-memory logging

[Service]
User=root
Group=adm
ExecStart=/usr/local/sbin/circologd -syslogd-socket /run/systemd/journal/syslog -buffer-size 2000 -query-socket /run/circolog/query.sock

[Install]
WantedBy=multi-user.target

journald with socket activation

To run circologd as non-root while listening on a root-owned socket (/run/systemd/journal/syslog), use socket activation. Create a unit in /etc/systemd/system/circolog.service:

[Unit]
Description=In-memory logging

[Service]
User=nobody
Group=nogroup
ExecStart=/usr/local/sbin/circologd -syslogd-socket "" -buffer-size 2000 -query-socket /run/circolog/query.sock

[Install]
WantedBy=multi-user.target

Then symlink the syslog.service unit to the newly created one:

ln -sf /etc/systemd/system/circolog.service /etc/systemd/system/syslog.service

and restart the service:

systemctl daemon-reload
systemctl restart syslog.service

Now circolog is activated and receives messages from journald.