1JOURNALD.CONF(5) journald.conf JOURNALD.CONF(5)
2
6 journald.conf, journald.conf.d, journald@.conf - Journal service
7 configuration files
8
10 /etc/systemd/journald.conf
11 /etc/systemd/journald.conf.d/*.conf
13 /run/systemd/journald.conf.d/*.conf
15 /usr/lib/systemd/journald.conf.d/*.conf
17 /etc/systemd/journald@NAMESPACE.conf
19 /etc/systemd/journald@NAMESPACE.conf.d/*.conf
21 /run/systemd/journald@NAMESPACE.conf.d/*.conf
23 /usr/lib/systemd/journald@NAMESPACE.conf.d/*.conf
25
27 These files configure various parameters of the systemd journal
28 service, systemd-journald.service(8). See systemd.syntax(7) for a
29 general description of the syntax.
30 The systemd-journald instance managing the default namespace is
32 configured by /etc/systemd/journald.conf and associated drop-ins.
33 Instances managing other namespaces read
34 /etc/systemd/journald@NAMESPACE.conf and associated drop-ins with the
35 namespace identifier filled in. This allows each namespace to carry a
36 distinct configuration. See systemd-journald.service(8) for details
37 about journal namespaces.
38
40 The default configuration is set during compilation, so configuration
41 is only needed when it is necessary to deviate from those defaults.
42 Initially, the main configuration file in /etc/systemd/ contains
43 commented out entries showing the defaults as a guide to the
44 administrator. Local overrides can be created by editing this file or
45 by creating drop-ins, as described below. Using drop-ins for local
46 configuration is recommended over modifications to the main
47 configuration file.
48 In addition to the "main" configuration file, drop-in configuration
50 snippets are read from /usr/lib/systemd/*.conf.d/,
51 /usr/local/lib/systemd/*.conf.d/, and /etc/systemd/*.conf.d/. Those
52 drop-ins have higher precedence and override the main configuration
53 file. Files in the *.conf.d/ configuration subdirectories are sorted by
54 their filename in lexicographic order, regardless of in which of the
55 subdirectories they reside. When multiple files specify the same
56 option, for options which accept just a single value, the entry in the
57 file sorted last takes precedence, and for options which accept a list
58 of values, entries are collected as they occur in the sorted files.
59 When packages need to customize the configuration, they can install
61 drop-ins under /usr/. Files in /etc/ are reserved for the local
62 administrator, who may use this logic to override the configuration
63 files installed by vendor packages. Drop-ins have to be used to
64 override package drop-ins, since the main configuration file has lower
65 precedence. It is recommended to prefix all filenames in those
66 subdirectories with a two-digit number and a dash, to simplify the
67 ordering of the files.
68 To disable a configuration file supplied by the vendor, the recommended
70 way is to place a symlink to /dev/null in the configuration directory
71 in /etc/, with the same filename as the vendor configuration file.
72
74 All options are configured in the [Journal] section:
75 Storage=
77 Controls where to store journal data. One of "volatile",
78 "persistent", "auto" and "none". If "volatile", journal log data
79 will be stored only in memory, i.e. below the /run/log/journal
80 hierarchy (which is created if needed). If "persistent", data will
81 be stored preferably on disk, i.e. below the /var/log/journal
82 hierarchy (which is created if needed), with a fallback to
83 /run/log/journal (which is created if needed), during early boot
84 and if the disk is not writable. "auto" behaves like "persistent"
85 if the /var/log/journal directory exists, and "volatile" otherwise
86 (the existence of the directory controls the storage mode). "none"
87 turns off all storage, all log data received will be dropped (but
88 forwarding to other targets, such as the console, the kernel log
89 buffer, or a syslog socket will still work). Defaults to "auto" in
90 the default journal namespace, and "persistent" in all others.
91 Note that journald will initially use volatile storage, until a
93 call to journalctl --flush (or sending SIGUSR1 to journald) will
94 cause it to switch to persistent logging (under the conditions
95 mentioned above). This is done automatically on boot via
96 "systemd-journal-flush.service".
97 Note that when this option is changed to "volatile", existing
99 persistent data is not removed. In the other direction,
100 journalctl(1) with the --flush option may be used to move volatile
101 data to persistent storage.
102 When journal namespacing (see LogNamespace= in systemd.exec(5)) is
104 used, setting Storage= to "volatile" or "auto" will not have an
105 effect on the creation of the per-namespace logs directory in
106 /var/log/journal/, as the systemd-journald@.service service file by
107 default carries LogsDirectory=. To turn that off, add a unit file
108 drop-in file that sets LogsDirectory= to an empty string.
109 Note that per-user journal files are not supported unless
111 persistent storage is enabled, thus making journalctl --user
112 unavailable.
113 Compress=
115 Can take a boolean value. If enabled (the default), data objects
116 that shall be stored in the journal and are larger than the default
117 threshold of 512 bytes are compressed before they are written to
118 the file system. It can also be set to a number of bytes to specify
119 the compression threshold directly. Suffixes like K, M, and G can
120 be used to specify larger units.
121 Seal=
123 Takes a boolean value. If enabled (the default), and a sealing key
124 is available (as created by journalctl(1)'s --setup-keys command),
125 Forward Secure Sealing (FSS) for all persistent journal files is
126 enabled. FSS is based on Seekable Sequential Key Generators[1] by
127 G. A. Marson and B. Poettering (doi:10.1007/978-3-642-40203-6_7)
128 and may be used to protect journal files from unnoticed alteration.
129 SplitMode=
131 Controls whether to split up journal files per user, either "uid"
132 or "none". Split journal files are primarily useful for access
133 control: on UNIX/Linux access control is managed per file, and the
134 journal daemon will assign users read access to their journal
135 files. If "uid", all regular users (with UID outside the range of
136 system users, dynamic service users, and the nobody user) will each
137 get their own journal files, and system users will log to the
138 system journal. See Users, Groups, UIDs and GIDs on systemd
139 systems[2] for more details about UID ranges. If "none", journal
140 files are not split up by user and all messages are instead stored
141 in the single system journal. In this mode unprivileged users
142 generally do not have access to their own log data. Note that
143 splitting up journal files by user is only available for journals
144 stored persistently. If journals are stored on volatile storage
145 (see Storage= above), only a single journal file is used. Defaults
146 to "uid".
147 RateLimitIntervalSec=, RateLimitBurst=
149 Configures the rate limiting that is applied to all messages
150 generated on the system. If, in the time interval defined by
151 RateLimitIntervalSec=, more messages than specified in
152 RateLimitBurst= are logged by a service, all further messages
153 within the interval are dropped until the interval is over. A
154 message about the number of dropped messages is generated. This
155 rate limiting is applied per-service, so that two services which
156 log do not interfere with each other's limits. Defaults to 10000
157 messages in 30s. The time specification for RateLimitIntervalSec=
158 may be specified in the following units: "s", "min", "h", "ms",
159 "us". To turn off any kind of rate limiting, set either value to 0.
160 Note that the effective rate limit is multiplied by a factor
162 derived from the available free disk space for the journal.
163 Currently, this factor is calculated using the base 2 logarithm.
164 Table 1. Example RateLimitBurst= rate modifications by the
166 available disk space
167 ┌─────────────────────┬──────────────────┐
168 │Available Disk Space │ Burst Multiplier │
169 ├─────────────────────┼──────────────────┤
170 │<= 1MB │ 1 │
171 ├─────────────────────┼──────────────────┤
172 │<= 16MB │ 2 │
173 ├─────────────────────┼──────────────────┤
174 │<= 256MB │ 3 │
175 ├─────────────────────┼──────────────────┤
176 │<= 4GB │ 4 │
177 ├─────────────────────┼──────────────────┤
178 │<= 64GB │ 5 │
179 ├─────────────────────┼──────────────────┤
180 │<= 1TB │ 6 │
181 └─────────────────────┴──────────────────┘
182 If a service provides rate limits for itself through
183 LogRateLimitIntervalSec= and/or LogRateLimitBurst= in
184 systemd.exec(5), those values will override the settings specified
185 here.
186 SystemMaxUse=, SystemKeepFree=, SystemMaxFileSize=, SystemMaxFiles=,
188 RuntimeMaxUse=, RuntimeKeepFree=, RuntimeMaxFileSize=, RuntimeMaxFiles=
189 Enforce size limits on the journal files stored. The options
190 prefixed with "System" apply to the journal files when stored on a
191 persistent file system, more specifically /var/log/journal. The
192 options prefixed with "Runtime" apply to the journal files when
193 stored on a volatile in-memory file system, more specifically
194 /run/log/journal. The former is used only when /var/ is mounted,
195 writable, and the directory /var/log/journal exists. Otherwise,
196 only the latter applies. Note that this means that during early
197 boot and if the administrator disabled persistent logging, only the
198 latter options apply, while the former apply if persistent logging
199 is enabled and the system is fully booted up. journalctl and
200 systemd-journald ignore all files with names not ending with
201 ".journal" or ".journal~", so only such files, located in the
202 appropriate directories, are taken into account when calculating
203 current disk usage.
204 SystemMaxUse= and RuntimeMaxUse= control how much disk space the
206 journal may use up at most. SystemKeepFree= and RuntimeKeepFree=
207 control how much disk space systemd-journald shall leave free for
208 other uses. systemd-journald will respect both limits and use the
209 smaller of the two values.
210 The first pair defaults to 10% and the second to 15% of the size of
212 the respective file system, but each value is capped to 4G. If the
213 file system is nearly full and either SystemKeepFree= or
214 RuntimeKeepFree= are violated when systemd-journald is started, the
215 limit will be raised to the percentage that is actually free. This
216 means that if there was enough free space before and journal files
217 were created, and subsequently something else causes the file
218 system to fill up, journald will stop using more space, but it will
219 not be removing existing files to reduce the footprint again,
220 either. Also note that only archived files are deleted to reduce
221 the space occupied by journal files. This means that, in effect,
222 there might still be more space used than SystemMaxUse= or
223 RuntimeMaxUse= limit after a vacuuming operation is complete.
224 SystemMaxFileSize= and RuntimeMaxFileSize= control how large
226 individual journal files may grow at most. This influences the
227 granularity in which disk space is made available through rotation,
228 i.e. deletion of historic data. Defaults to one eighth of the
229 values configured with SystemMaxUse= and RuntimeMaxUse= capped to
230 128M, so that usually seven rotated journal files are kept as
231 history. If the journal compact mode is enabled (enabled by
232 default), the maximum file size is capped to 4G.
233 Specify values in bytes or use K, M, G, T, P, E as units for the
235 specified sizes (equal to 1024, 1024², ... bytes). Note that size
236 limits are enforced synchronously when journal files are extended,
237 and no explicit rotation step triggered by time is needed.
238 SystemMaxFiles= and RuntimeMaxFiles= control how many individual
240 journal files to keep at most. Note that only archived files are
241 deleted to reduce the number of files until this limit is reached;
242 active files will stay around. This means that, in effect, there
243 might still be more journal files around in total than this limit
244 after a vacuuming operation is complete. This setting defaults to
245 100.
246 MaxFileSec=
248 The maximum time to store entries in a single journal file before
249 rotating to the next one. Normally, time-based rotation should not
250 be required as size-based rotation with options such as
251 SystemMaxFileSize= should be sufficient to ensure that journal
252 files do not grow without bounds. However, to ensure that not too
253 much data is lost at once when old journal files are deleted, it
254 might make sense to change this value from the default of one
255 month. Set to 0 to turn off this feature. This setting takes time
256 values which may be suffixed with the units "year", "month",
257 "week", "day", "h" or "m" to override the default time unit of
258 seconds.
259 MaxRetentionSec=
261 The maximum time to store journal entries. This controls whether
262 journal files containing entries older than the specified time span
263 are deleted. Normally, time-based deletion of old journal files
264 should not be required as size-based deletion with options such as
265 SystemMaxUse= should be sufficient to ensure that journal files do
266 not grow without bounds. However, to enforce data retention
267 policies, it might make sense to change this value from the default
268 of 0 (which turns off this feature). This setting also takes time
269 values which may be suffixed with the units "year", "month",
270 "week", "day", "h" or " m" to override the default time unit of
271 seconds.
272 SyncIntervalSec=
274 The timeout before synchronizing journal files to disk. After
275 syncing, journal files are placed in the OFFLINE state. Note that
276 syncing is unconditionally done immediately after a log message of
277 priority CRIT, ALERT or EMERG has been logged. This setting hence
278 applies only to messages of the levels ERR, WARNING, NOTICE, INFO,
279 DEBUG. The default timeout is 5 minutes.
280 ForwardToSyslog=, ForwardToKMsg=, ForwardToConsole=, ForwardToWall=
282 Control whether log messages received by the journal daemon shall
283 be forwarded to a traditional syslog daemon, to the kernel log
284 buffer (kmsg), to the system console, or sent as wall messages to
285 all logged-in users. These options take boolean arguments. If
286 forwarding to syslog is enabled but nothing reads messages from the
287 socket, forwarding to syslog has no effect. By default, only
288 forwarding to wall is enabled. These settings may be overridden at
289 boot time with the kernel command line options
290 "systemd.journald.forward_to_syslog",
291 "systemd.journald.forward_to_kmsg",
292 "systemd.journald.forward_to_console", and
293 "systemd.journald.forward_to_wall". If the option name is specified
294 without "=" and the following argument, true is assumed. Otherwise,
295 the argument is parsed as a boolean.
296 When forwarding to the console, the TTY to log to can be changed
298 with TTYPath=, described below.
299 When forwarding to the kernel log buffer (kmsg), make sure to
301 select a suitably large size for the log buffer, for example by
302 adding "log_buf_len=8M" to the kernel command line. systemd will
303 automatically disable kernel's rate-limiting applied to userspace
304 processes (equivalent to setting "printk.devkmsg=on").
305 Note: Forwarding is performed synchronously within journald, and
307 may significantly affect its performance. This is particularly
308 relevant when using ForwardToConsole=yes in cloud environments,
309 where the console is often a slow, virtual serial port. Since
310 journald is implemented as a conventional single-process daemon,
311 forwarding to a completely hung console will block journald. This
312 can have a cascading effect resulting in any services synchronously
313 logging to the blocked journal also becoming blocked. Unless
314 actively debugging/developing something, it's generally preferable
315 to setup a journalctl --follow style service redirected to the
316 console, instead of ForwardToConsole=yes, for production use.
317 MaxLevelStore=, MaxLevelSyslog=, MaxLevelKMsg=, MaxLevelConsole=,
319 MaxLevelWall=
320 Controls the maximum log level of messages that are stored in the
321 journal, forwarded to syslog, kmsg, the console or wall (if that is
322 enabled, see above). As argument, takes one of "emerg", "alert",
323 "crit", "err", "warning", "notice", "info", "debug", or integer
324 values in the range of 0–7 (corresponding to the same levels).
325 Messages equal or below the log level specified are
326 stored/forwarded, messages above are dropped. Defaults to "debug"
327 for MaxLevelStore= and MaxLevelSyslog=, to ensure that the all
328 messages are stored in the journal and forwarded to syslog.
329 Defaults to "notice" for MaxLevelKMsg=, "info" for
330 MaxLevelConsole=, and "emerg" for MaxLevelWall=. These settings may
331 be overridden at boot time with the kernel command line options
332 "systemd.journald.max_level_store=",
333 "systemd.journald.max_level_syslog=",
334 "systemd.journald.max_level_kmsg=",
335 "systemd.journald.max_level_console=",
336 "systemd.journald.max_level_wall=".
337 ReadKMsg=
339 Takes a boolean value. If enabled systemd-journal processes
340 /dev/kmsg messages generated by the kernel. In the default journal
341 namespace this option is enabled by default, it is disabled in all
342 others.
343 Audit=
345 Takes a boolean value. If enabled systemd-journald will turn on
346 kernel auditing on start-up. If disabled it will turn it off. If
347 unset it will neither enable nor disable it, leaving the previous
348 state unchanged. This means if another tool turns on auditing even
349 if systemd-journald left it off, it will still collect the
350 generated messages. Defaults to on.
351 Note that this option does not control whether systemd-journald
353 collects generated audit records, it just controls whether it tells
354 the kernel to generate them. If you need to prevent
355 systemd-journald from collecting the generated messages, the socket
356 unit "systemd-journald-audit.socket" can be disabled and in this
357 case this setting is without effect.
358 TTYPath=
360 Change the console TTY to use if ForwardToConsole=yes is used.
361 Defaults to /dev/console.
362 LineMax=
364 The maximum line length to permit when converting stream logs into
365 record logs. When a systemd unit's standard output/error are
366 connected to the journal via a stream socket, the data read is
367 split into individual log records at newline ("\n", ASCII 10) and
368 NUL characters. If no such delimiter is read for the specified
369 number of bytes a hard log record boundary is artificially
370 inserted, breaking up overly long lines into multiple log records.
371 Selecting overly large values increases the possible memory usage
372 of the Journal daemon for each stream client, as in the worst case
373 the journal daemon needs to buffer the specified number of bytes in
374 memory before it can flush a new log record to disk. Also note that
375 permitting overly large line maximum line lengths affects
376 compatibility with traditional log protocols as log records might
377 not fit anymore into a single AF_UNIX or AF_INET datagram. Takes a
378 size in bytes. If the value is suffixed with K, M, G or T, the
379 specified size is parsed as Kilobytes, Megabytes, Gigabytes, or
380 Terabytes (with the base 1024), respectively. Defaults to 48K,
381 which is relatively large but still small enough so that log
382 records likely fit into network datagrams along with extra room for
383 metadata. Note that values below 79 are not accepted and will be
384 bumped to 79.
385
387 Journal events can be transferred to a different logging daemon in two
388 different ways. With the first method, messages are immediately
389 forwarded to a socket (/run/systemd/journal/syslog), where the
390 traditional syslog daemon can read them. This method is controlled by
391 the ForwardToSyslog= option. With a second method, a syslog daemon
392 behaves like a normal journal client, and reads messages from the
393 journal files, similarly to journalctl(1). With this, messages do not
394 have to be read immediately, which allows a logging daemon which is
395 only started late in boot to access all messages since the start of the
396 system. In addition, full structured meta-data is available to it. This
397 method of course is available only if the messages are stored in a
398 journal file at all. So it will not work if Storage=none is set. It
399 should be noted that usually the second method is used by syslog
400 daemons, so the Storage= option, and not the ForwardToSyslog= option,
401 is relevant for them.
402
404 systemd(1), systemd-journald.service(8), journalctl(1),
405 systemd.journal-fields(7), systemd-system.conf(5)
406
408 1. Seekable Sequential Key Generators
409 https://eprint.iacr.org/2013/397
410 2. Users, Groups, UIDs and GIDs on systemd systems
412 https://systemd.io/UIDS-GIDS
413systemd 254 JOURNALD.CONF(5)