|
HTML rendering created 2025-02-02 by Michael Kerrisk, author of The Linux Programming Interface. For details of in-depth Linux/UNIX system programming training courses that I teach, look here. Hosting by jambit GmbH. |
|
|
NAME | SYNOPSIS | DESCRIPTION | CONFIGURATION DIRECTORIES AND PRECEDENCE | OPTIONS | FORWARDING TO TRADITIONAL SYSLOG DAEMONS | SEE ALSO | NOTES | COLOPHON |
|
|
|
JOURNALD.CONF(5) journald.conf JOURNALD.CONF(5)
journald.conf, journald.conf.d, journald@.conf - Journal service
configuration files
/etc/systemd/journald.conf
/run/systemd/journald.conf
/usr/local/lib/systemd/journald.conf
/usr/lib/systemd/journald.conf
/etc/systemd/journald.conf.d/*.conf
/run/systemd/journald.conf.d/*.conf
/usr/local/lib/systemd/journald.conf.d/*.conf
/usr/lib/systemd/journald.conf.d/*.conf
/etc/systemd/journald@NAMESPACE.conf
/etc/systemd/journald@NAMESPACE.conf.d/*.conf
/run/systemd/journald@NAMESPACE.conf.d/*.conf
/usr/local/lib/systemd/journald@NAMESPACE.conf.d/*.conf
/usr/lib/systemd/journald@NAMESPACE.conf.d/*.conf
These files configure various parameters of the systemd journal
service, systemd-journald.service(8). See systemd.syntax(7) for a
general description of the syntax.
The systemd-journald instance managing the default namespace is
configured by /etc/systemd/journald.conf and associated drop-ins.
Instances managing other namespaces read
/etc/systemd/journald@NAMESPACE.conf and associated drop-ins with
the namespace identifier filled in. This allows each namespace to
carry a distinct configuration. See systemd-journald.service(8)
for details about journal namespaces.
The default configuration is set during compilation, so
configuration is only needed when it is necessary to deviate from
those defaults. The main configuration file is loaded from one of
the listed directories in order of priority, only the first file
found is used: /etc/systemd/, /run/systemd/,
/usr/local/lib/systemd/ [1], /usr/lib/systemd/. The vendor version
of the file contains commented out entries showing the defaults as
a guide to the administrator. Local overrides can also be created
by creating drop-ins, as described below. The main configuration
file can also be edited for this purpose (or a copy in /etc/ if it
is shipped under /usr/), however using drop-ins for local
configuration is recommended over modifications to the main
configuration file.
In addition to the main configuration file, drop-in configuration
snippets are read from /usr/lib/systemd/*.conf.d/,
/usr/local/lib/systemd/*.conf.d/, and /etc/systemd/*.conf.d/.
Those drop-ins have higher precedence and override the main
configuration file. Files in the *.conf.d/ configuration
subdirectories are sorted by their filename in lexicographic
order, regardless of in which of the subdirectories they reside.
When multiple files specify the same option, for options which
accept just a single value, the entry in the file sorted last
takes precedence, and for options which accept a list of values,
entries are collected as they occur in the sorted files.
When packages need to customize the configuration, they can
install drop-ins under /usr/. Files in /etc/ are reserved for the
local administrator, who may use this logic to override the
configuration files installed by vendor packages. Drop-ins have to
be used to override package drop-ins, since the main configuration
file has lower precedence. It is recommended to prefix all
filenames in those subdirectories with a two-digit number and a
dash, to simplify the ordering. This also defines a concept of
drop-in priorities to allow OS vendors to ship drop-ins within a
specific range lower than the range used by users. This should
lower the risk of package drop-ins overriding accidentally
drop-ins defined by users. It is recommended to use the range
10-40 for drop-ins in /usr/ and the range 60-90 for drop-ins in
/etc/ and /run/, to make sure that local and transient drop-ins
take priority over drop-ins shipped by the OS vendor.
To disable a configuration file supplied by the vendor, the
recommended way is to place a symlink to /dev/null in the
configuration directory in /etc/, with the same filename as the
vendor configuration file.
All options are configured in the [Journal] section:
Storage=
Controls where to store journal data. One of "volatile",
"persistent", "auto" and "none". If "volatile", journal log
data will be stored only in memory, i.e. below the
/run/log/journal hierarchy (which is created if needed). If
"persistent", data will be stored preferably on disk, i.e.
below the /var/log/journal hierarchy (which is created if
needed), with a fallback to /run/log/journal (which is created
if needed), during early boot and if the disk is not writable.
"auto" behaves like "persistent" if the /var/log/journal
directory exists, and "volatile" otherwise (the existence of
the directory controls the storage mode). "none" turns off
all storage, all log data received will be dropped (but
forwarding to other targets, such as the console, the kernel
log buffer, or a syslog socket will still work). Defaults to
"auto" in the default journal namespace, and "persistent" in
all others.
Note that journald will initially use volatile storage, until
a call to journalctl --flush (or sending SIGUSR1 to journald)
will cause it to switch to persistent logging (under the
conditions mentioned above). This is done automatically on
boot via "systemd-journal-flush.service".
Note that when this option is changed to "volatile", existing
persistent data is not removed. In the other direction,
journalctl(1) with the --flush option may be used to move
volatile data to persistent storage.
When journal namespacing (see LogNamespace= in
systemd.exec(5)) is used, setting Storage= to "volatile" or
"auto" will not have an effect on the creation of the
per-namespace logs directory in /var/log/journal/, as the
systemd-journald@.service service file by default carries
LogsDirectory=. To turn that off, add a unit file drop-in file
that sets LogsDirectory= to an empty string.
Note that per-user journal files are not supported unless
persistent storage is enabled, thus making journalctl --user
unavailable.
The storage to use can also be specified via the
"journal.storage" credential. Values configured via
configuration files take priority over values configured via
the credential.
Added in version 186.
Compress=
Can take a boolean value. If enabled (the default), data
objects that shall be stored in the journal and are larger
than the default threshold of 512 bytes are compressed before
they are written to the file system. It can also be set to a
number of bytes to specify the compression threshold directly.
Suffixes like K, M, and G can be used to specify larger units.
Seal=
Takes a boolean value. If enabled (the default), and a sealing
key is available (as created by journalctl(1)'s --setup-keys
command), Forward Secure Sealing (FSS) for all persistent
journal files is enabled. FSS is based on Seekable Sequential
Key Generators[2] by G. A. Marson and B. Poettering
(doi:10.1007/978-3-642-40203-6_7) and may be used to protect
journal files from unnoticed alteration.
Added in version 189.
SplitMode=
Controls whether to split up journal files per user, either
"uid" or "none". Split journal files are primarily useful for
access control: on UNIX/Linux access control is managed per
file, and the journal daemon will assign users read access to
their journal files. If "uid", all regular users (with UID
outside the range of system users, dynamic service users, and
the nobody user) will each get their own journal files, and
system users will log to the system journal. See Users,
Groups, UIDs and GIDs on systemd systems[3] for more details
about UID ranges. If "none", journal files are not split up by
user and all messages are instead stored in the single system
journal. In this mode unprivileged users generally do not have
access to their own log data. Note that splitting up journal
files by user is only available for journals stored
persistently. If journals are stored on volatile storage (see
Storage= above), only a single journal file is used. Defaults
to "uid".
Added in version 190.
RateLimitIntervalSec=, RateLimitBurst=
Configures the rate limiting that is applied to all messages
generated on the system. If, in the time interval defined by
RateLimitIntervalSec=, more messages than specified in
RateLimitBurst= are logged by a service, all further messages
within the interval are dropped until the interval is over. A
message about the number of dropped messages is generated.
This rate limiting is applied per-service, so that two
services which log do not interfere with each other's limits.
Defaults to 10000 messages in 30s. The time specification for
RateLimitIntervalSec= may be specified in the following units:
"s", "min", "h", "ms", "us". To turn off any kind of rate
limiting, set either value to 0.
Note that the effective rate limit is multiplied by a factor
derived from the available free disk space for the journal.
Currently, this factor is calculated using the base 2
logarithm.
Table 1. Example RateLimitBurst= rate modifications by the
available disk space
┌──────────────────────┬──────────────────┐
│ Available Disk Space │ Burst Multiplier │
├──────────────────────┼──────────────────┤
│ <= 1MB │ 1 │
├──────────────────────┼──────────────────┤
│ <= 16MB │ 2 │
├──────────────────────┼──────────────────┤
│ <= 256MB │ 3 │
├──────────────────────┼──────────────────┤
│ <= 4GB │ 4 │
├──────────────────────┼──────────────────┤
│ <= 64GB │ 5 │
├──────────────────────┼──────────────────┤
│ <= 1TB │ 6 │
└──────────────────────┴──────────────────┘
If a service provides rate limits for itself through
LogRateLimitIntervalSec= and/or LogRateLimitBurst= in
systemd.exec(5), those values will override the settings
specified here.
SystemMaxUse=, SystemKeepFree=, SystemMaxFileSize=,
SystemMaxFiles=, RuntimeMaxUse=, RuntimeKeepFree=,
RuntimeMaxFileSize=, RuntimeMaxFiles=
Enforce size limits on the journal files stored. The options
prefixed with "System" apply to the journal files when stored
on a persistent file system, more specifically
/var/log/journal. The options prefixed with "Runtime" apply to
the journal files when stored on a volatile in-memory file
system, more specifically /run/log/journal. The former is used
only when /var/ is mounted, writable, and the directory
/var/log/journal exists. Otherwise, only the latter applies.
Note that this means that during early boot and if the
administrator disabled persistent logging, only the latter
options apply, while the former apply if persistent logging is
enabled and the system is fully booted up. journalctl and
systemd-journald ignore all files with names not ending with
".journal" or ".journal~", so only such files, located in the
appropriate directories, are taken into account when
calculating current disk usage.
SystemMaxUse= and RuntimeMaxUse= control how much disk space
the journal may use up at most. SystemKeepFree= and
RuntimeKeepFree= control how much disk space systemd-journald
shall leave free for other uses. systemd-journald will
respect both limits and use the smaller of the two values.
The first pair defaults to 10% and the second to 15% of the
size of the respective file system, but each value is capped
to 4G. If the file system is nearly full and either
SystemKeepFree= or RuntimeKeepFree= are violated when
systemd-journald is started, the limit will be raised to the
percentage that is actually free. This means that if there was
enough free space before and journal files were created, and
subsequently something else causes the file system to fill up,
journald will stop using more space, but it will not be
removing existing files to reduce the footprint again, either.
Also note that only archived files are deleted to reduce the
space occupied by journal files. This means that, in effect,
there might still be more space used than SystemMaxUse= or
RuntimeMaxUse= limit after a vacuuming operation is complete.
SystemMaxFileSize= and RuntimeMaxFileSize= control how large
individual journal files may grow at most. This influences the
granularity in which disk space is made available through
rotation, i.e. deletion of historic data. Defaults to one
eighth of the values configured with SystemMaxUse= and
RuntimeMaxUse= capped to 128M, so that usually seven rotated
journal files are kept as history. If the journal compact mode
is enabled (enabled by default), the maximum file size is
capped to 4G.
Specify values in bytes or use K, M, G, T, P, E as units for
the specified sizes (equal to 1024, 1024², ... bytes). Note
that size limits are enforced synchronously when journal files
are extended, and no explicit rotation step triggered by time
is needed.
SystemMaxFiles= and RuntimeMaxFiles= control how many
individual journal files to keep at most. Note that only
archived files are deleted to reduce the number of files until
this limit is reached; active files will stay around. This
means that, in effect, there might still be more journal files
around in total than this limit after a vacuuming operation is
complete. This setting defaults to 100.
MaxFileSec=
The maximum time to store entries in a single journal file
before rotating to the next one. Normally, time-based rotation
should not be required as size-based rotation with options
such as SystemMaxFileSize= should be sufficient to ensure that
journal files do not grow without bounds. However, to ensure
that not too much data is lost at once when old journal files
are deleted, it might make sense to change this value from the
default of one month. Set to 0 to turn off this feature. This
setting takes time values which may be suffixed with the units
"year", "month", "week", "day", "h" or "m" to override the
default time unit of seconds.
Added in version 195.
MaxRetentionSec=
The maximum time to store journal entries. This controls
whether journal files containing entries older than the
specified time span are deleted. Normally, time-based deletion
of old journal files should not be required as size-based
deletion with options such as SystemMaxUse= should be
sufficient to ensure that journal files do not grow without
bounds. However, to enforce data retention policies, it might
make sense to change this value from the default of 0 (which
turns off this feature). This setting also takes time values
which may be suffixed with the units "year", "month", "week",
"day", "h" or " m" to override the default time unit of
seconds.
Added in version 195.
SyncIntervalSec=
The timeout before synchronizing journal files to disk. After
syncing, journal files are placed in the OFFLINE state. Note
that syncing is unconditionally done immediately after a log
message of priority CRIT, ALERT or EMERG has been logged. This
setting hence applies only to messages of the levels ERR,
WARNING, NOTICE, INFO, DEBUG. The default timeout is 5
minutes.
Added in version 199.
ForwardToSyslog=, ForwardToKMsg=, ForwardToConsole=,
ForwardToWall=, ForwardToSocket=
Control whether log messages received by the journal daemon
shall be forwarded to a traditional syslog daemon, to the
kernel log buffer (kmsg), to the system console, sent as wall
messages to all logged-in users or sent over a socket. These
options take boolean arguments except for "ForwardToSocket="
which takes an address instead. If forwarding to syslog is
enabled but nothing reads messages from the socket, forwarding
to syslog has no effect. By default, only forwarding to wall
is enabled. These settings may be overridden at boot time with
the kernel command line options
"systemd.journald.forward_to_syslog",
"systemd.journald.forward_to_kmsg",
"systemd.journald.forward_to_console", and
"systemd.journald.forward_to_wall". If the option name is
specified without "=" and the following argument, true is
assumed. Otherwise, the argument is parsed as a boolean.
The socket forwarding address can be specified with the
credential "journal.forward_to_socket". The following socket
types are supported:
AF_INET (e.g. "192.168.0.11:4444"), AF_INET6 (e.g.
"[2001:db8::ff00:42:8329]:4444"), AF_UNIX (e.g.
"/run/host/journal/socket"), AF_VSOCK (e.g. "vsock:2:1234")
When forwarding to the console, the TTY to log to can be
changed with TTYPath=, described below.
When forwarding to the kernel log buffer (kmsg), make sure to
select a suitably large size for the log buffer, for example
by adding "log_buf_len=8M" to the kernel command line.
systemd will automatically disable kernel's rate-limiting
applied to userspace processes (equivalent to setting
"printk.devkmsg=on").
When forwarding over a socket the Journal Export Format[4] is
used when sending over the wire. Notably this includes the
metadata field __REALTIME_TIMESTAMP so that
systemd-journal-remote (see systemd-journal-remote.service(8))
can be used to receive the forwarded journal entries.
Note: Forwarding is performed synchronously within journald,
and may significantly affect its performance. This is
particularly relevant when using ForwardToConsole=yes in cloud
environments, where the console is often a slow, virtual
serial port. Since journald is implemented as a conventional
single-process daemon, forwarding to a completely hung console
will block journald. This can have a cascading effect
resulting in any services synchronously logging to the blocked
journal also becoming blocked. Unless actively
debugging/developing something, it is generally preferable to
setup a journalctl --follow style service redirected to the
console, instead of ForwardToConsole=yes, for production use.
Note: Using ForwardToSocket= over IPv4/IPv6 links can be very
slow due to the synchronous nature of the sockets. Take care
to ensure your link is a low-latency local link if possible.
Typically IP networking is not available everywhere journald
runs, e.g. in the initrd during boot. Consider using
AF_VSOCK/AF_UNIX sockets for this if possible.
MaxLevelStore=, MaxLevelSyslog=, MaxLevelKMsg=, MaxLevelConsole=,
MaxLevelWall=, MaxLevelSocket=
Controls the maximum log level of messages that are stored in
the journal, forwarded to syslog, kmsg, the console, the wall,
or a socket (if that is enabled, see above). As argument,
takes one of "emerg", "alert", "crit", "err", "warning",
"notice", "info", "debug", or integer values in the range of
0–7 (corresponding to the same levels). Messages equal or
below the log level specified are stored/forwarded, messages
above are dropped. Defaults to "debug" for MaxLevelStore=,
MaxLevelSyslog= and MaxLevelSocket=, to ensure that the all
messages are stored in the journal, forwarded to syslog and
the socket if one exists. Defaults to "notice" for
MaxLevelKMsg=, "info" for MaxLevelConsole=, and "emerg" for
MaxLevelWall=. These settings may be overridden at boot time
with the kernel command line options
"systemd.journald.max_level_store=",
"systemd.journald.max_level_syslog=",
"systemd.journald.max_level_kmsg=",
"systemd.journald.max_level_console=",
"systemd.journald.max_level_wall=",
"systemd.journald.max_level_socket=".
Added in version 185.
ReadKMsg=
Takes a boolean value. If enabled systemd-journal processes
/dev/kmsg messages generated by the kernel. In the default
journal namespace this option is enabled by default, it is
disabled in all others.
Added in version 235.
Audit=
Takes a boolean value. If enabled systemd-journald will turn
on kernel auditing on start-up. If disabled it will turn it
off. If unset it will neither enable nor disable it, leaving
the previous state unchanged. This means if another tool turns
on auditing even if systemd-journald left it off, it will
still collect the generated messages. Defaults to on.
Note that this option does not control whether
systemd-journald collects generated audit records, it just
controls whether it tells the kernel to generate them. If you
need to prevent systemd-journald from collecting the generated
messages, the socket unit "systemd-journald-audit.socket" can
be disabled and, in this case, this setting is without effect.
Added in version 246.
TTYPath=
Change the console TTY to use if ForwardToConsole=yes is used.
Defaults to /dev/console.
Added in version 185.
LineMax=
The maximum line length to permit when converting stream logs
into record logs. When a systemd unit's standard output/error
are connected to the journal via a stream socket, the data
read is split into individual log records at newline ("\n",
ASCII 10) and NUL characters. If no such delimiter is read for
the specified number of bytes a hard log record boundary is
artificially inserted, breaking up overly long lines into
multiple log records. Selecting overly large values increases
the possible memory usage of the Journal daemon for each
stream client, as in the worst case the journal daemon needs
to buffer the specified number of bytes in memory before it
can flush a new log record to disk. Also note that permitting
overly large line maximum line lengths affects compatibility
with traditional log protocols as log records might not fit
anymore into a single AF_UNIX or AF_INET datagram. Takes a
size in bytes. If the value is suffixed with K, M, G or T, the
specified size is parsed as Kilobytes, Megabytes, Gigabytes,
or Terabytes (with the base 1024), respectively. Defaults to
48K, which is relatively large but still small enough so that
log records likely fit into network datagrams along with extra
room for metadata. Note that values below 79 are not accepted
and will be bumped to 79.
Added in version 235.
Journal events can be transferred to a different logging daemon in
two different ways. With the first method, messages are
immediately forwarded to a socket (/run/systemd/journal/syslog),
where the traditional syslog daemon can read them. This method is
controlled by the ForwardToSyslog= option. With a second method, a
syslog daemon behaves like a normal journal client, and reads
messages from the journal files, similarly to journalctl(1). With
this, messages do not have to be read immediately, which allows a
logging daemon which is only started late in boot to access all
messages since the start of the system. In addition, full
structured meta-data is available to it. This method of course is
available only if the messages are stored in a journal file at
all. So it will not work if Storage=none is set. It should be
noted that usually the second method is used by syslog daemons, so
the Storage= option, and not the ForwardToSyslog= option, is
relevant for them.
systemd(1), systemd-journald.service(8), journalctl(1),
systemd.journal-fields(7), systemd-system.conf(5)
1. 💣💥🧨💥💥💣 Please note that those configuration files must
be available at all times. If /usr/local/ is a separate
partition, it may not be available during early boot, and must
not be used for configuration.
2. Seekable Sequential Key Generators
https://eprint.iacr.org/2013/397
3. Users, Groups, UIDs and GIDs on systemd systems
https://systemd.io/UIDS-GIDS
4. Journal Export Format
https://systemd.io/JOURNAL_EXPORT_FORMATS/#journal-export-format
This page is part of the systemd (systemd system and service
manager) project. Information about the project can be found at
⟨http://www.freedesktop.org/wiki/Software/systemd⟩. If you have a
bug report for this manual page, see
⟨http://www.freedesktop.org/wiki/Software/systemd/#bugreports⟩.
This page was obtained from the project's upstream Git repository
⟨https://github.com/systemd/systemd.git⟩ on 2025-02-02. (At that
time, the date of the most recent commit that was found in the
repository was 2025-02-02.) If you discover any rendering
problems in this HTML version of the page, or you believe there is
a better or more up-to-date source for the page, or you have
corrections or improvements to the information in this COLOPHON
(which is not part of the original manual page), send a mail to
man-pages@man7.org
systemd 258~devel JOURNALD.CONF(5)
Pages that refer to this page: journalctl(1), coredump.conf(5), journal-remote.conf(5), systemd.exec(5), systemd.directives(7), systemd.index(7), systemd.journal-fields(7), systemd.syntax(7), systemd.system-credentials(7), systemd-journald.service(8)
|
HTML rendering created 2025-02-02 by Michael Kerrisk, author of The Linux Programming Interface. For details of in-depth Linux/UNIX system programming training courses that I teach, look here. Hosting by jambit GmbH. |
|