1JOURNALD.CONF(5) journald.conf JOURNALD.CONF(5)
2
3
4
6 journald.conf, journald.conf.d - Journal service configuration files
7
9 /etc/systemd/journald.conf
10
11 /etc/systemd/journald.conf.d/*.conf
12
13 /run/systemd/journald.conf.d/*.conf
14
15 /usr/lib/systemd/journald.conf.d/*.conf
16
18 These files configure various parameters of the systemd journal
19 service, systemd-journald.service(8). See systemd.syntax(5) for a
20 general description of the syntax.
21
23 The default configuration is defined during compilation, so a
24 configuration file is only needed when it is necessary to deviate from
25 those defaults. By default, the configuration file in /etc/systemd/
26 contains commented out entries showing the defaults as a guide to the
27 administrator. This file can be edited to create local overrides.
28
29 When packages need to customize the configuration, they can install
30 configuration snippets in /usr/lib/systemd/*.conf.d/. Files in /etc/
31 are reserved for the local administrator, who may use this logic to
32 override the configuration files installed by vendor packages. The main
33 configuration file is read before any of the configuration directories,
34 and has the lowest precedence; entries in a file in any configuration
35 directory override entries in the single configuration file. Files in
36 the *.conf.d/ configuration subdirectories are sorted by their filename
37 in lexicographic order, regardless of which of the subdirectories they
38 reside in. When multiple files specify the same option, for options
39 which accept just a single value, the entry in the file with the
40 lexicographically latest name takes precedence. For options which
41 accept a list of values, entries are collected as they occur in files
42 sorted lexicographically. It is recommended to prefix all filenames in
43 those subdirectories with a two-digit number and a dash, to simplify
44 the ordering of the files.
45
46 To disable a configuration file supplied by the vendor, the recommended
47 way is to place a symlink to /dev/null in the configuration directory
48 in /etc/, with the same filename as the vendor configuration file.
49
51 All options are configured in the "[Journal]" section:
52
53 Storage=
54 Controls where to store journal data. One of "volatile",
55 "persistent", "auto" and "none". If "volatile", journal log data
56 will be stored only in memory, i.e. below the /run/log/journal
57 hierarchy (which is created if needed). If "persistent", data will
58 be stored preferably on disk, i.e. below the /var/log/journal
59 hierarchy (which is created if needed), with a fallback to
60 /run/log/journal (which is created if needed), during early boot
61 and if the disk is not writable. "auto" is similar to "persistent"
62 but the directory /var/log/journal is not created if needed, so
63 that its existence controls where log data goes. "none" turns off
64 all storage, all log data received will be dropped. Forwarding to
65 other targets, such as the console, the kernel log buffer, or a
66 syslog socket will still work however. Defaults to "auto".
67
68 Compress=
69 Can take a boolean value. If enabled (the default), data objects
70 that shall be stored in the journal and are larger than the default
71 threshold of 512 bytes are compressed before they are written to
72 the file system. It can also be set to a number of bytes to specify
73 the compression threshold directly. Suffixes like K, M, and G can
74 be used to specify larger units.
75
76 Seal=
77 Takes a boolean value. If enabled (the default), and a sealing key
78 is available (as created by journalctl(1)'s --setup-keys command),
79 Forward Secure Sealing (FSS) for all persistent journal files is
80 enabled. FSS is based on Seekable Sequential Key Generators[1] by
81 G. A. Marson and B. Poettering (doi:10.1007/978-3-642-40203-6_7)
82 and may be used to protect journal files from unnoticed alteration.
83
84 SplitMode=
85 Controls whether to split up journal files per user, either "uid"
86 or "none". Split journal files are primarily useful for access
87 control: on UNIX/Linux access control is managed per file, and the
88 journal daemon will assign users read access to their journal
89 files. If "uid", all regular users will each get their own journal
90 files, and system users will log to the system journal. If "none",
91 journal files are not split up by user and all messages are instead
92 stored in the single system journal. In this mode unprivileged
93 users generally do not have access to their own log data. Note that
94 splitting up journal files by user is only available for journals
95 stored persistently. If journals are stored on volatile storage
96 (see Storage= above), only a single journal file is used. Defaults
97 to "uid".
98
99 RateLimitIntervalSec=, RateLimitBurst=
100 Configures the rate limiting that is applied to all messages
101 generated on the system. If, in the time interval defined by
102 RateLimitIntervalSec=, more messages than specified in
103 RateLimitBurst= are logged by a service, all further messages
104 within the interval are dropped until the interval is over. A
105 message about the number of dropped messages is generated. This
106 rate limiting is applied per-service, so that two services which
107 log do not interfere with each other's limits. Defaults to 10000
108 messages in 30s. The time specification for RateLimitIntervalSec=
109 may be specified in the following units: "s", "min", "h", "ms",
110 "us". To turn off any kind of rate limiting, set either value to 0.
111
112 If a service provides rate limits for itself through
113 LogRateLimitIntervalSec= and/or LogRateLimitBurst= in
114 systemd.exec(5), those values will override the settings specified
115 here.
116
117 SystemMaxUse=, SystemKeepFree=, SystemMaxFileSize=, SystemMaxFiles=,
118 RuntimeMaxUse=, RuntimeKeepFree=, RuntimeMaxFileSize=, RuntimeMaxFiles=
119 Enforce size limits on the journal files stored. The options
120 prefixed with "System" apply to the journal files when stored on a
121 persistent file system, more specifically /var/log/journal. The
122 options prefixed with "Runtime" apply to the journal files when
123 stored on a volatile in-memory file system, more specifically
124 /run/log/journal. The former is used only when /var is mounted,
125 writable, and the directory /var/log/journal exists. Otherwise,
126 only the latter applies. Note that this means that during early
127 boot and if the administrator disabled persistent logging, only the
128 latter options apply, while the former apply if persistent logging
129 is enabled and the system is fully booted up. journalctl and
130 systemd-journald ignore all files with names not ending with
131 ".journal" or ".journal~", so only such files, located in the
132 appropriate directories, are taken into account when calculating
133 current disk usage.
134
135 SystemMaxUse= and RuntimeMaxUse= control how much disk space the
136 journal may use up at most. SystemKeepFree= and RuntimeKeepFree=
137 control how much disk space systemd-journald shall leave free for
138 other uses. systemd-journald will respect both limits and use the
139 smaller of the two values.
140
141 The first pair defaults to 10% and the second to 15% of the size of
142 the respective file system, but each value is capped to 4G. If the
143 file system is nearly full and either SystemKeepFree= or
144 RuntimeKeepFree= are violated when systemd-journald is started, the
145 limit will be raised to the percentage that is actually free. This
146 means that if there was enough free space before and journal files
147 were created, and subsequently something else causes the file
148 system to fill up, journald will stop using more space, but it will
149 not be removing existing files to reduce the footprint again,
150 either. Also note that only archived files are deleted to reduce
151 the space occupied by journal files. This means that, in effect,
152 there might still be more space used than SystemMaxUse= or
153 RuntimeMaxUse= limit after a vacuuming operation is complete.
154
155 SystemMaxFileSize= and RuntimeMaxFileSize= control how large
156 individual journal files may grow at most. This influences the
157 granularity in which disk space is made available through rotation,
158 i.e. deletion of historic data. Defaults to one eighth of the
159 values configured with SystemMaxUse= and RuntimeMaxUse=, so that
160 usually seven rotated journal files are kept as history.
161
162 Specify values in bytes or use K, M, G, T, P, E as units for the
163 specified sizes (equal to 1024, 1024², ... bytes). Note that size
164 limits are enforced synchronously when journal files are extended,
165 and no explicit rotation step triggered by time is needed.
166
167 SystemMaxFiles= and RuntimeMaxFiles= control how many individual
168 journal files to keep at most. Note that only archived files are
169 deleted to reduce the number of files until this limit is reached;
170 active files will stay around. This means that, in effect, there
171 might still be more journal files around in total than this limit
172 after a vacuuming operation is complete. This setting defaults to
173 100.
174
175 MaxFileSec=
176 The maximum time to store entries in a single journal file before
177 rotating to the next one. Normally, time-based rotation should not
178 be required as size-based rotation with options such as
179 SystemMaxFileSize= should be sufficient to ensure that journal
180 files do not grow without bounds. However, to ensure that not too
181 much data is lost at once when old journal files are deleted, it
182 might make sense to change this value from the default of one
183 month. Set to 0 to turn off this feature. This setting takes time
184 values which may be suffixed with the units "year", "month",
185 "week", "day", "h" or "m" to override the default time unit of
186 seconds.
187
188 MaxRetentionSec=
189 The maximum time to store journal entries. This controls whether
190 journal files containing entries older than the specified time span
191 are deleted. Normally, time-based deletion of old journal files
192 should not be required as size-based deletion with options such as
193 SystemMaxUse= should be sufficient to ensure that journal files do
194 not grow without bounds. However, to enforce data retention
195 policies, it might make sense to change this value from the default
196 of 0 (which turns off this feature). This setting also takes time
197 values which may be suffixed with the units "year", "month",
198 "week", "day", "h" or " m" to override the default time unit of
199 seconds.
200
201 SyncIntervalSec=
202 The timeout before synchronizing journal files to disk. After
203 syncing, journal files are placed in the OFFLINE state. Note that
204 syncing is unconditionally done immediately after a log message of
205 priority CRIT, ALERT or EMERG has been logged. This setting hence
206 applies only to messages of the levels ERR, WARNING, NOTICE, INFO,
207 DEBUG. The default timeout is 5 minutes.
208
209 ForwardToSyslog=, ForwardToKMsg=, ForwardToConsole=, ForwardToWall=
210 Control whether log messages received by the journal daemon shall
211 be forwarded to a traditional syslog daemon, to the kernel log
212 buffer (kmsg), to the system console, or sent as wall messages to
213 all logged-in users. These options take boolean arguments. If
214 forwarding to syslog is enabled but nothing reads messages from the
215 socket, forwarding to syslog has no effect. By default, only
216 forwarding to wall is enabled. These settings may be overridden at
217 boot time with the kernel command line options
218 "systemd.journald.forward_to_syslog",
219 "systemd.journald.forward_to_kmsg",
220 "systemd.journald.forward_to_console", and
221 "systemd.journald.forward_to_wall". If the option name is specified
222 without "=" and the following argument, true is assumed. Otherwise,
223 the argument is parsed as a boolean. When forwarding to the
224 console, the TTY to log to can be changed with TTYPath=, described
225 below.
226
227 MaxLevelStore=, MaxLevelSyslog=, MaxLevelKMsg=, MaxLevelConsole=,
228 MaxLevelWall=
229 Controls the maximum log level of messages that are stored on disk,
230 forwarded to syslog, kmsg, the console or wall (if that is enabled,
231 see above). As argument, takes one of "emerg", "alert", "crit",
232 "err", "warning", "notice", "info", "debug", or integer values in
233 the range of 0–7 (corresponding to the same levels). Messages equal
234 or below the log level specified are stored/forwarded, messages
235 above are dropped. Defaults to "debug" for MaxLevelStore= and
236 MaxLevelSyslog=, to ensure that the all messages are written to
237 disk and forwarded to syslog. Defaults to "notice" for
238 MaxLevelKMsg=, "info" for MaxLevelConsole=, and "emerg" for
239 MaxLevelWall=. These settings may be overridden at boot time with
240 the kernel command line options
241 "systemd.journald.max_level_store=",
242 "systemd.journald.max_level_syslog=",
243 "systemd.journald.max_level_kmsg=",
244 "systemd.journald.max_level_console=",
245 "systemd.journald.max_level_wall=".
246
247 ReadKMsg=
248 Takes a boolean value. If enabled (the default), journal reads
249 /dev/kmsg messages generated by the kernel.
250
251 TTYPath=
252 Change the console TTY to use if ForwardToConsole=yes is used.
253 Defaults to /dev/console.
254
255 LineMax=
256 The maximum line length to permit when converting stream logs into
257 record logs. When a systemd unit's standard output/error are
258 connected to the journal via a stream socket, the data read is
259 split into individual log records at newline ("\n", ASCII 10) and
260 NUL characters. If no such delimiter is read for the specified
261 number of bytes a hard log record boundary is artificially
262 inserted, breaking up overly long lines into multiple log records.
263 Selecting overly large values increases the possible memory usage
264 of the Journal daemon for each stream client, as in the worst case
265 the journal daemon needs to buffer the specified number of bytes in
266 memory before it can flush a new log record to disk. Also note that
267 permitting overly large line maximum line lengths affects
268 compatibility with traditional log protocols as log records might
269 not fit anymore into a single AF_UNIX or AF_INET datagram. Takes a
270 size in bytes. If the value is suffixed with K, M, G or T, the
271 specified size is parsed as Kilobytes, Megabytes, Gigabytes, or
272 Terabytes (with the base 1024), respectively. Defaults to 48K,
273 which is relatively large but still small enough so that log
274 records likely fit into network datagrams along with extra room for
275 metadata. Note that values below 79 are not accepted and will be
276 bumped to 79.
277
279 Journal events can be transferred to a different logging daemon in two
280 different ways. With the first method, messages are immediately
281 forwarded to a socket (/run/systemd/journal/syslog), where the
282 traditional syslog daemon can read them. This method is controlled by
283 the ForwardToSyslog= option. With a second method, a syslog daemon
284 behaves like a normal journal client, and reads messages from the
285 journal files, similarly to journalctl(1). With this, messages do not
286 have to be read immediately, which allows a logging daemon which is
287 only started late in boot to access all messages since the start of the
288 system. In addition, full structured meta-data is available to it. This
289 method of course is available only if the messages are stored in a
290 journal file at all. So it will not work if Storage=none is set. It
291 should be noted that usually the second method is used by syslog
292 daemons, so the Storage= option, and not the ForwardToSyslog= option,
293 is relevant for them.
294
296 systemd(1), systemd-journald.service(8), journalctl(1),
297 systemd.journal-fields(7), systemd-system.conf(5)
298
300 1. Seekable Sequential Key Generators
301 https://eprint.iacr.org/2013/397
302
303
304
305systemd 241 JOURNALD.CONF(5)