diff --git a/deploy/files/usr/local/lib/systemd/system/left4me-web.service b/deploy/files/usr/local/lib/systemd/system/left4me-web.service
index 52f869e..ef034b0 100644
--- a/deploy/files/usr/local/lib/systemd/system/left4me-web.service
+++ b/deploy/files/usr/local/lib/systemd/system/left4me-web.service
@@ -50,8 +50,12 @@ ProtectHome=true
 PrivateTmp=true
 # === /proc + kernel ===
+# Note: ProcSubset=pid is intentionally NOT set on the web unit.
+# It hides /proc/sys/kernel/random/boot_id which journalctl reads at
+# startup, and the web invokes `sudo -n left4me-journalctl` to stream
+# live server logs into the UI. The server unit can keep ProcSubset=pid
+# because srcds doesn't shell out to journalctl.
 ProtectProc=invisible # foreign-uid /proc hidden (defense: D4)
-ProcSubset=pid
 ProtectKernelTunables=true
 ProtectKernelModules=true
 ProtectKernelLogs=true
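Review bot: The context line `ProtectProc=invisible # foreign-uid /proc hidden (defense: D4)` appears to carry its comment on the same line as the directive, and systemd only treats `#` as a comment at the start of a line. The trailing text is therefore likely read as part of the value, so the assignment would be rejected with a parse warning and ignored. With `ProcSubset=pid` removed here, ProtectProc= is the only /proc restriction left in this hunk for the web unit, so the comment should move to its own line: `# foreign-uid /proc hidden (defense: D4)` followed by `ProtectProc=invisible`. The same trailing-comment pattern may affect other directives in the unit, whose section starts and ends outside this hunk. Running `systemd-analyze verify` on the unit file and `systemctl show left4me-web.service -p ProtectProc` after a reload would confirm what is actually applied.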