1SYSTEMD-JOURNALD.SERVICE(8)systemd-journald.serviceSYSTEMD-JOURNALD.SERVICE(8)
2
3
4
6 systemd-journald.service, systemd-journald.socket, systemd-journald-
7 dev-log.socket, systemd-journald-audit.socket, systemd-
8 journald@.service, systemd-journald@.socket, systemd-journald-
9 varlink@.socket, systemd-journald - Journal service
10
12 systemd-journald.service
13
14 systemd-journald.socket
15
16 systemd-journald-dev-log.socket
17
18 systemd-journald-audit.socket
19
20 systemd-journald@.service
21
22 systemd-journald@.socket
23
24 systemd-journald-varlink@.socket
25
26 /usr/lib/systemd/systemd-journald
27
29 systemd-journald is a system service that collects and stores logging
30 data. It creates and maintains structured, indexed journals based on
31 logging information that is received from a variety of sources:
32
33 · Kernel log messages, via kmsg
34
35 · Simple system log messages, via the libc syslog(3) call
36
37 · Structured system log messages via the native Journal API, see
38 sd_journal_print(3)
39
40 · Standard output and standard error of service units. For further
41 details see below.
42
43 · Audit records, originating from the kernel audit subsystem
44
45 The daemon will implicitly collect numerous metadata fields for each
46 log messages in a secure and unfakeable way. See systemd.journal-
47 fields(7) for more information about the collected metadata.
48
49 Log data collected by the journal is primarily text-based but can also
50 include binary data where necessary. Individual fields making up a log
51 record stored in the journal may be up to 2^64-1 bytes in size.
52
53 The journal service stores log data either persistently below
54 /var/log/journal or in a volatile way below /run/log/journal/ (in the
55 latter case it is lost at reboot). By default, log data is stored
56 persistently if /var/log/journal/ exists during boot, with an implicit
57 fallback to volatile storage otherwise. Use Storage= in
58 journald.conf(5) to configure where log data is placed, independently
59 of the existence of /var/log/journal/.
60
61 On systems where /var/log/journal/ does not exist yet but where
62 persistent logging is desired (and the default journald.conf is used),
63 it is sufficient to create the directory, and ensure it has the correct
64 access modes and ownership:
65
66 mkdir -p /var/log/journal
67 systemd-tmpfiles --create --prefix /var/log/journal
68
69 See journald.conf(5) for information about the configuration of this
70 service.
71
73 The systemd service manager invokes all service processes with standard
74 output and standard error connected to the journal by default. This
75 behaviour may be altered via the StandardOutput=/StandardError= unit
76 file settings, see systemd.exec(5) for details. The journal converts
77 the log byte stream received this way into individual log records,
78 splitting the stream at newline ("\n", ASCII 10) and NUL bytes.
79
80 If systemd-journald.service is stopped, the stream connections
81 associated with all services are terminated. Further writes to those
82 streams by the service will result in EPIPE errors. In order to react
83 gracefully in this case it is recommended that programs logging to
84 standard output/error ignore such errors. If the SIGPIPE UNIX signal
85 handler is not blocked or turned off, such write attempts will also
86 result in such process signals being generated, see signal(7). To
87 mitigate this issue, systemd service manager explicitly turns off the
88 SIGPIPE signal for all invoked processes by default (this may be
89 changed for each unit individually via the IgnoreSIGPIPE= option, see
90 systemd.exec(5) for details). After the standard output/standard error
91 streams have been terminated they may not be recovered until the
92 services they are associated with are restarted. Note that during
93 normal operation, systemd-journald.service stores copies of the file
94 descriptors for those streams in the service manager. If
95 systemd-journald.service is restarted using systemctl restart or
96 equivalent operation instead of a pair of separate systemctl stop and
97 systemctl start commands (or equivalent operations), these stream
98 connections are not terminated and survive the restart. It is thus safe
99 to restart systemd-journald.service, but stopping it is not
100 recommended.
101
102 Note that the log record metadata for records transferred via such
103 standard output/error streams reflect the metadata of the peer the
104 stream was originally created for. If the stream connection is passed
105 on to other processes (such as further child processes forked off the
106 main service process), the log records will not reflect their metadata,
107 but will continue to describe the original process. This is different
108 from the other logging transports listed above, which are inherently
109 record based and where the metadata is always associated with the
110 individual record.
111
112 In addition to the implicit standard output/error logging of services,
113 stream logging is also available via the systemd-cat(1) command line
114 tool.
115
116 Currently, the number of parallel log streams systemd-journald will
117 accept is limited to 4096. When this limit is reached further log
118 streams may be established but will receive EPIPE right from the
119 beginning.
120
122 Journal 'namespaces' are both a mechanism for logically isolating the
123 log stream of projects consisting of one or more services from the rest
124 of the system and a mechanism for improving performance. Multiple
125 journal namespaces may exist simultaneously, each defining its own,
126 independent log stream managed by its own instance of systemd-journald.
127 Namespaces are independent of each other, both in the data store and in
128 the IPC interface. By default only a single 'default' namespace exists,
129 managed by systemd-journald.service (and its associated socket units).
130 Additional namespaces are created by starting an instance of the
131 systemd-journald@.service service template. The instance name is the
132 namespace identifier, which is a short string used for referencing the
133 journal namespace. Service units may be assigned to a specific journal
134 namespace through the LogNamespace= unit file setting, see
135 systemd.exec(5) for details. The --namespace= switch of journalctl(1)
136 may be used to view the log stream of a specific namespace. If the
137 switch is not used the log stream of the default namespace is shown,
138 i.e. log data from other namespaces is not visible.
139
140 Services associated with a specific log namespace may log via syslog,
141 the native logging protocol of the journal and via stdout/stderr; the
142 logging from all three transports is associated with the namespace.
143
144 By default only the default namespace will collect kernel and audit log
145 messages.
146
147 The systemd-journald instance of the default namespace is configured
148 through /etc/systemd/journald.conf (see below), while the other
149 instances are configured through /etc/systemd/journald@NAMESPACE.conf.
150 The journal log data for the default namespace is placed in
151 /var/log/journal/MACHINE_ID (see below) while the data for the other
152 namespaces is located in /var/log/journal/MACHINE_ID.NAMESPACE.
153
155 SIGUSR1
156 Request that journal data from /run/ is flushed to /var/ in order
157 to make it persistent (if this is enabled). This must be used after
158 /var/ is mounted, as otherwise log data from /run is never flushed
159 to /var regardless of the configuration. Use the journalctl --flush
160 command to request flushing of the journal files, and wait for the
161 operation to complete. See journalctl(1) for details.
162
163 SIGUSR2
164 Request immediate rotation of the journal files. Use the journalctl
165 --rotate command to request journal file rotation, and wait for the
166 operation to complete.
167
168 SIGRTMIN+1
169 Request that all unwritten log data is written to disk. Use the
170 journalctl --sync command to trigger journal synchronization, and
171 wait for the operation to complete.
172
174 A few configuration parameters from journald.conf may be overridden on
175 the kernel command line:
176
177 systemd.journald.forward_to_syslog=, systemd.journald.forward_to_kmsg=,
178 systemd.journald.forward_to_console=, systemd.journald.forward_to_wall=
179 Enables/disables forwarding of collected log messages to syslog,
180 the kernel log buffer, the system console or wall.
181
182 See journald.conf(5) for information about these settings.
183
184 Note that these kernel command line options are only honoured by the
185 default namespace, see above.
186
188 Journal files are, by default, owned and readable by the
189 "systemd-journal" system group but are not writable. Adding a user to
190 this group thus enables them to read the journal files.
191
192 By default, each user, with a UID outside the range of system users,
193 dynamic service users, and the nobody user, will get their own set of
194 journal files in /var/log/journal/. See Users, Groups, UIDs and GIDs on
195 systemd systems[1] for more details about UID ranges. These journal
196 files will not be owned by the user, however, in order to avoid that
197 the user can write to them directly. Instead, file system ACLs are used
198 to ensure the user gets read access only.
199
200 Additional users and groups may be granted access to journal files via
201 file system access control lists (ACL). Distributions and
202 administrators may choose to grant read access to all members of the
203 "wheel" and "adm" system groups with a command such as the following:
204
205 # setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/
206
207 Note that this command will update the ACLs both for existing journal
208 files and for future journal files created in the /var/log/journal/
209 directory.
210
212 /etc/systemd/journald.conf
213 Configure systemd-journald behavior. See journald.conf(5).
214
215 /run/log/journal/machine-id/*.journal,
216 /run/log/journal/machine-id/*.journal~,
217 /var/log/journal/machine-id/*.journal,
218 /var/log/journal/machine-id/*.journal~
219 systemd-journald writes entries to files in
220 /run/log/journal/machine-id/ or /var/log/journal/machine-id/ with
221 the ".journal" suffix. If the daemon is stopped uncleanly, or if
222 the files are found to be corrupted, they are renamed using the
223 ".journal~" suffix, and systemd-journald starts writing to a new
224 file. /run is used when /var/log/journal is not available, or when
225 Storage=volatile is set in the journald.conf(5) configuration file.
226
227 When systemd-journald ceases writing to a journal file, it will be
228 renamed to "original-name@suffix.journal" (or
229 "original-name@suffix.journal~"). Such files are "archived" and
230 will not be written to any more.
231
232 In general, it is safe to read or copy any journal file (active or
233 archived). journalctl(1) and the functions in the sd-journal(3)
234 library should be able to read all entries that have been fully
235 written.
236
237 systemd-journald will automatically remove the oldest archived
238 journal files to limit disk use. See SystemMaxUse= and related
239 settings in journald.conf(5).
240
241 /dev/kmsg, /dev/log, /run/systemd/journal/dev-log,
242 /run/systemd/journal/socket, /run/systemd/journal/stdout
243 Sockets and other file node paths that systemd-journald will listen
244 on and are visible in the file system. In addition to these,
245 systemd-journald can listen for audit events using netlink(7).
246
247 If journal namespacing is used these paths are slightly altered to
248 include a namespace identifier, see above.
249
251 systemd(1), journalctl(1), journald.conf(5), systemd.journal-fields(7),
252 sd-journal(3), systemd-coredump(8), setfacl(1), sd_journal_print(3),
253 pydoc systemd.journal
254
256 1. Users, Groups, UIDs and GIDs on systemd systems
257 https://systemd.io/UIDS-GIDS
258
259
260
261systemd 245 SYSTEMD-JOURNALD.SERVICE(8)