1JOURNALD.CONF(5)                 journald.conf                JOURNALD.CONF(5)
2
3
4

NAME

6       journald.conf, journald.conf.d, journald@.conf - Journal service
7       configuration files
8

SYNOPSIS

10       /etc/systemd/journald.conf
11
12       /etc/systemd/journald.conf.d/*.conf
13
14       /run/systemd/journald.conf.d/*.conf
15
16       /usr/lib/systemd/journald.conf.d/*.conf
17
18       /etc/systemd/journald@NAMESPACE.conf
19
20       /etc/systemd/journald@NAMESPACE.conf.d/*.conf
21
22       /run/systemd/journald@NAMESPACE.conf.d/*.conf
23
24       /usr/lib/systemd/journald@NAMESPACE.conf.d/*.conf
25

DESCRIPTION

27       These files configure various parameters of the systemd journal
28       service, systemd-journald.service(8). See systemd.syntax(7) for a
29       general description of the syntax.
30
31       The systemd-journald instance managing the default namespace is
32       configured by /etc/systemd/journald.conf and associated drop-ins.
33       Instances managing other namespaces read
34       /etc/systemd/journald@NAMESPACE.conf and associated drop-ins with the
35       namespace identifier filled in. This allows each namespace to carry a
36       distinct configuration. See systemd-journald.service(8) for details
37       about journal namespaces.
38

CONFIGURATION DIRECTORIES AND PRECEDENCE

40       The default configuration is set during compilation, so configuration
41       is only needed when it is necessary to deviate from those defaults.
42       Initially, the main configuration file in /etc/systemd/ contains
43       commented out entries showing the defaults as a guide to the
44       administrator. Local overrides can be created by editing this file or
45       by creating drop-ins, as described below. Using drop-ins for local
46       configuration is recommended over modifications to the main
47       configuration file.
48
49       In addition to the "main" configuration file, drop-in configuration
50       snippets are read from /usr/lib/systemd/*.conf.d/,
51       /usr/local/lib/systemd/*.conf.d/, and /etc/systemd/*.conf.d/. Those
52       drop-ins have higher precedence and override the main configuration
53       file. Files in the *.conf.d/ configuration subdirectories are sorted by
54       their filename in lexicographic order, regardless of in which of the
55       subdirectories they reside. When multiple files specify the same
56       option, for options which accept just a single value, the entry in the
57       file sorted last takes precedence, and for options which accept a list
58       of values, entries are collected as they occur in the sorted files.
59
60       When packages need to customize the configuration, they can install
61       drop-ins under /usr/. Files in /etc/ are reserved for the local
62       administrator, who may use this logic to override the configuration
63       files installed by vendor packages. Drop-ins have to be used to
64       override package drop-ins, since the main configuration file has lower
65       precedence. It is recommended to prefix all filenames in those
66       subdirectories with a two-digit number and a dash, to simplify the
67       ordering of the files.
68
69       To disable a configuration file supplied by the vendor, the recommended
70       way is to place a symlink to /dev/null in the configuration directory
71       in /etc/, with the same filename as the vendor configuration file.
72

OPTIONS

74       All options are configured in the [Journal] section:
75
76       Storage=
77           Controls where to store journal data. One of "volatile",
78           "persistent", "auto" and "none". If "volatile", journal log data
79           will be stored only in memory, i.e. below the /run/log/journal
80           hierarchy (which is created if needed). If "persistent", data will
81           be stored preferably on disk, i.e. below the /var/log/journal
82           hierarchy (which is created if needed), with a fallback to
83           /run/log/journal (which is created if needed), during early boot
84           and if the disk is not writable.  "auto" behaves like "persistent"
85           if the /var/log/journal directory exists, and "volatile" otherwise
86           (the existence of the directory controls the storage mode).  "none"
87           turns off all storage, all log data received will be dropped (but
88           forwarding to other targets, such as the console, the kernel log
89           buffer, or a syslog socket will still work). Defaults to "auto" in
90           the default journal namespace, and "persistent" in all others.
91
92           Note that journald will initially use volatile storage, until a
93           call to journalctl --flush (or sending SIGUSR1 to journald) will
94           cause it to switch to persistent logging (under the conditions
95           mentioned above). This is done automatically on boot via
96           "systemd-journal-flush.service".
97
98           Note that when this option is changed to "volatile", existing
99           persistent data is not removed. In the other direction,
100           journalctl(1) with the --flush option may be used to move volatile
101           data to persistent storage.
102
103       Compress=
104           Can take a boolean value. If enabled (the default), data objects
105           that shall be stored in the journal and are larger than the default
106           threshold of 512 bytes are compressed before they are written to
107           the file system. It can also be set to a number of bytes to specify
108           the compression threshold directly. Suffixes like K, M, and G can
109           be used to specify larger units.
110
111       Seal=
112           Takes a boolean value. If enabled (the default), and a sealing key
113           is available (as created by journalctl(1)'s --setup-keys command),
114           Forward Secure Sealing (FSS) for all persistent journal files is
115           enabled. FSS is based on Seekable Sequential Key Generators[1] by
116           G. A. Marson and B. Poettering (doi:10.1007/978-3-642-40203-6_7)
117           and may be used to protect journal files from unnoticed alteration.
118
119       SplitMode=
120           Controls whether to split up journal files per user, either "uid"
121           or "none". Split journal files are primarily useful for access
122           control: on UNIX/Linux access control is managed per file, and the
123           journal daemon will assign users read access to their journal
124           files. If "uid", all regular users (with UID outside the range of
125           system users, dynamic service users, and the nobody user) will each
126           get their own journal files, and system users will log to the
127           system journal. See Users, Groups, UIDs and GIDs on systemd
128           systems[2] for more details about UID ranges. If "none", journal
129           files are not split up by user and all messages are instead stored
130           in the single system journal. In this mode unprivileged users
131           generally do not have access to their own log data. Note that
132           splitting up journal files by user is only available for journals
133           stored persistently. If journals are stored on volatile storage
134           (see Storage= above), only a single journal file is used. Defaults
135           to "uid".
136
137       RateLimitIntervalSec=, RateLimitBurst=
138           Configures the rate limiting that is applied to all messages
139           generated on the system. If, in the time interval defined by
140           RateLimitIntervalSec=, more messages than specified in
141           RateLimitBurst= are logged by a service, all further messages
142           within the interval are dropped until the interval is over. A
143           message about the number of dropped messages is generated. This
144           rate limiting is applied per-service, so that two services which
145           log do not interfere with each other's limits. Defaults to 10000
146           messages in 30s. The time specification for RateLimitIntervalSec=
147           may be specified in the following units: "s", "min", "h", "ms",
148           "us". To turn off any kind of rate limiting, set either value to 0.
149
150           Note that the effective rate limit is multiplied by a factor
151           derived from the available free disk space for the journal.
152           Currently, this factor is calculated using the base 2 logarithm.
153
154           Table 1. Example RateLimitBurst= rate modifications by the
155           available disk space
156           ┌─────────────────────┬──────────────────┐
157Available Disk Space Burst Multiplier 
158           ├─────────────────────┼──────────────────┤
159           │<= 1MB               │ 1                │
160           ├─────────────────────┼──────────────────┤
161           │<= 16MB              │ 2                │
162           ├─────────────────────┼──────────────────┤
163           │<= 256MB             │ 3                │
164           ├─────────────────────┼──────────────────┤
165           │<= 4GB               │ 4                │
166           ├─────────────────────┼──────────────────┤
167           │<= 64GB              │ 5                │
168           ├─────────────────────┼──────────────────┤
169           │<= 1TB               │ 6                │
170           └─────────────────────┴──────────────────┘
171           If a service provides rate limits for itself through
172           LogRateLimitIntervalSec= and/or LogRateLimitBurst= in
173           systemd.exec(5), those values will override the settings specified
174           here.
175
176       SystemMaxUse=, SystemKeepFree=, SystemMaxFileSize=, SystemMaxFiles=,
177       RuntimeMaxUse=, RuntimeKeepFree=, RuntimeMaxFileSize=, RuntimeMaxFiles=
178           Enforce size limits on the journal files stored. The options
179           prefixed with "System" apply to the journal files when stored on a
180           persistent file system, more specifically /var/log/journal. The
181           options prefixed with "Runtime" apply to the journal files when
182           stored on a volatile in-memory file system, more specifically
183           /run/log/journal. The former is used only when /var/ is mounted,
184           writable, and the directory /var/log/journal exists. Otherwise,
185           only the latter applies. Note that this means that during early
186           boot and if the administrator disabled persistent logging, only the
187           latter options apply, while the former apply if persistent logging
188           is enabled and the system is fully booted up.  journalctl and
189           systemd-journald ignore all files with names not ending with
190           ".journal" or ".journal~", so only such files, located in the
191           appropriate directories, are taken into account when calculating
192           current disk usage.
193
194           SystemMaxUse= and RuntimeMaxUse= control how much disk space the
195           journal may use up at most.  SystemKeepFree= and RuntimeKeepFree=
196           control how much disk space systemd-journald shall leave free for
197           other uses.  systemd-journald will respect both limits and use the
198           smaller of the two values.
199
200           The first pair defaults to 10% and the second to 15% of the size of
201           the respective file system, but each value is capped to 4G. If the
202           file system is nearly full and either SystemKeepFree= or
203           RuntimeKeepFree= are violated when systemd-journald is started, the
204           limit will be raised to the percentage that is actually free. This
205           means that if there was enough free space before and journal files
206           were created, and subsequently something else causes the file
207           system to fill up, journald will stop using more space, but it will
208           not be removing existing files to reduce the footprint again,
209           either. Also note that only archived files are deleted to reduce
210           the space occupied by journal files. This means that, in effect,
211           there might still be more space used than SystemMaxUse= or
212           RuntimeMaxUse= limit after a vacuuming operation is complete.
213
214           SystemMaxFileSize= and RuntimeMaxFileSize= control how large
215           individual journal files may grow at most. This influences the
216           granularity in which disk space is made available through rotation,
217           i.e. deletion of historic data. Defaults to one eighth of the
218           values configured with SystemMaxUse= and RuntimeMaxUse=, so that
219           usually seven rotated journal files are kept as history.
220
221           Specify values in bytes or use K, M, G, T, P, E as units for the
222           specified sizes (equal to 1024, 1024², ... bytes). Note that size
223           limits are enforced synchronously when journal files are extended,
224           and no explicit rotation step triggered by time is needed.
225
226           SystemMaxFiles= and RuntimeMaxFiles= control how many individual
227           journal files to keep at most. Note that only archived files are
228           deleted to reduce the number of files until this limit is reached;
229           active files will stay around. This means that, in effect, there
230           might still be more journal files around in total than this limit
231           after a vacuuming operation is complete. This setting defaults to
232           100.
233
234       MaxFileSec=
235           The maximum time to store entries in a single journal file before
236           rotating to the next one. Normally, time-based rotation should not
237           be required as size-based rotation with options such as
238           SystemMaxFileSize= should be sufficient to ensure that journal
239           files do not grow without bounds. However, to ensure that not too
240           much data is lost at once when old journal files are deleted, it
241           might make sense to change this value from the default of one
242           month. Set to 0 to turn off this feature. This setting takes time
243           values which may be suffixed with the units "year", "month",
244           "week", "day", "h" or "m" to override the default time unit of
245           seconds.
246
247       MaxRetentionSec=
248           The maximum time to store journal entries. This controls whether
249           journal files containing entries older than the specified time span
250           are deleted. Normally, time-based deletion of old journal files
251           should not be required as size-based deletion with options such as
252           SystemMaxUse= should be sufficient to ensure that journal files do
253           not grow without bounds. However, to enforce data retention
254           policies, it might make sense to change this value from the default
255           of 0 (which turns off this feature). This setting also takes time
256           values which may be suffixed with the units "year", "month",
257           "week", "day", "h" or " m" to override the default time unit of
258           seconds.
259
260       SyncIntervalSec=
261           The timeout before synchronizing journal files to disk. After
262           syncing, journal files are placed in the OFFLINE state. Note that
263           syncing is unconditionally done immediately after a log message of
264           priority CRIT, ALERT or EMERG has been logged. This setting hence
265           applies only to messages of the levels ERR, WARNING, NOTICE, INFO,
266           DEBUG. The default timeout is 5 minutes.
267
268       ForwardToSyslog=, ForwardToKMsg=, ForwardToConsole=, ForwardToWall=
269           Control whether log messages received by the journal daemon shall
270           be forwarded to a traditional syslog daemon, to the kernel log
271           buffer (kmsg), to the system console, or sent as wall messages to
272           all logged-in users. These options take boolean arguments. If
273           forwarding to syslog is enabled but nothing reads messages from the
274           socket, forwarding to syslog has no effect. By default, only
275           forwarding to wall is enabled. These settings may be overridden at
276           boot time with the kernel command line options
277           "systemd.journald.forward_to_syslog",
278           "systemd.journald.forward_to_kmsg",
279           "systemd.journald.forward_to_console", and
280           "systemd.journald.forward_to_wall". If the option name is specified
281           without "=" and the following argument, true is assumed. Otherwise,
282           the argument is parsed as a boolean.
283
284           When forwarding to the console, the TTY to log to can be changed
285           with TTYPath=, described below.
286
287           When forwarding to the kernel log buffer (kmsg), make sure to
288           select a suitably large size for the log buffer, for example by
289           adding "log_buf_len=8M" to the kernel command line.  systemd will
290           automatically disable kernel's rate-limiting applied to userspace
291           processes (equivalent to setting "printk.devkmsg=on").
292
293       MaxLevelStore=, MaxLevelSyslog=, MaxLevelKMsg=, MaxLevelConsole=,
294       MaxLevelWall=
295           Controls the maximum log level of messages that are stored in the
296           journal, forwarded to syslog, kmsg, the console or wall (if that is
297           enabled, see above). As argument, takes one of "emerg", "alert",
298           "crit", "err", "warning", "notice", "info", "debug", or integer
299           values in the range of 0–7 (corresponding to the same levels).
300           Messages equal or below the log level specified are
301           stored/forwarded, messages above are dropped. Defaults to "debug"
302           for MaxLevelStore= and MaxLevelSyslog=, to ensure that the all
303           messages are stored in the journal and forwarded to syslog.
304           Defaults to "notice" for MaxLevelKMsg=, "info" for
305           MaxLevelConsole=, and "emerg" for MaxLevelWall=. These settings may
306           be overridden at boot time with the kernel command line options
307           "systemd.journald.max_level_store=",
308           "systemd.journald.max_level_syslog=",
309           "systemd.journald.max_level_kmsg=",
310           "systemd.journald.max_level_console=",
311           "systemd.journald.max_level_wall=".
312
313       ReadKMsg=
314           Takes a boolean value. If enabled systemd-journal processes
315           /dev/kmsg messages generated by the kernel. In the default journal
316           namespace this option is enabled by default, it is disabled in all
317           others.
318
319       Audit=
320           Takes a boolean value. If enabled systemd-journal will turn on
321           kernel auditing on start-up. If disabled it will turn it off. If
322           unset it will neither enable nor disable it, leaving the previous
323           state unchanged. Note that this option does not control whether
324           systemd-journald collects generated audit records, it just controls
325           whether it tells the kernel to generate them. This means if another
326           tool turns on auditing even if systemd-journald left it off, it
327           will still collect the generated messages. Defaults to on.
328
329       TTYPath=
330           Change the console TTY to use if ForwardToConsole=yes is used.
331           Defaults to /dev/console.
332
333       LineMax=
334           The maximum line length to permit when converting stream logs into
335           record logs. When a systemd unit's standard output/error are
336           connected to the journal via a stream socket, the data read is
337           split into individual log records at newline ("\n", ASCII 10) and
338           NUL characters. If no such delimiter is read for the specified
339           number of bytes a hard log record boundary is artificially
340           inserted, breaking up overly long lines into multiple log records.
341           Selecting overly large values increases the possible memory usage
342           of the Journal daemon for each stream client, as in the worst case
343           the journal daemon needs to buffer the specified number of bytes in
344           memory before it can flush a new log record to disk. Also note that
345           permitting overly large line maximum line lengths affects
346           compatibility with traditional log protocols as log records might
347           not fit anymore into a single AF_UNIX or AF_INET datagram. Takes a
348           size in bytes. If the value is suffixed with K, M, G or T, the
349           specified size is parsed as Kilobytes, Megabytes, Gigabytes, or
350           Terabytes (with the base 1024), respectively. Defaults to 48K,
351           which is relatively large but still small enough so that log
352           records likely fit into network datagrams along with extra room for
353           metadata. Note that values below 79 are not accepted and will be
354           bumped to 79.
355

FORWARDING TO TRADITIONAL SYSLOG DAEMONS

357       Journal events can be transferred to a different logging daemon in two
358       different ways. With the first method, messages are immediately
359       forwarded to a socket (/run/systemd/journal/syslog), where the
360       traditional syslog daemon can read them. This method is controlled by
361       the ForwardToSyslog= option. With a second method, a syslog daemon
362       behaves like a normal journal client, and reads messages from the
363       journal files, similarly to journalctl(1). With this, messages do not
364       have to be read immediately, which allows a logging daemon which is
365       only started late in boot to access all messages since the start of the
366       system. In addition, full structured meta-data is available to it. This
367       method of course is available only if the messages are stored in a
368       journal file at all. So it will not work if Storage=none is set. It
369       should be noted that usually the second method is used by syslog
370       daemons, so the Storage= option, and not the ForwardToSyslog= option,
371       is relevant for them.
372

SEE ALSO

374       systemd(1), systemd-journald.service(8), journalctl(1),
375       systemd.journal-fields(7), systemd-system.conf(5)
376

NOTES

378        1. Seekable Sequential Key Generators
379           https://eprint.iacr.org/2013/397
380
381        2. Users, Groups, UIDs and GIDs on systemd systems
382           https://systemd.io/UIDS-GIDS
383
384
385
386systemd 249                                                   JOURNALD.CONF(5)
Impressum