1<?xml version='1.0'?> <!--*-nxml-*--> 2<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" 3 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> 4<!-- SPDX-License-Identifier: LGPL-2.1-or-later --> 5 6<refentry id="journald.conf" 7 xmlns:xi="http://www.w3.org/2001/XInclude"> 8 <refentryinfo> 9 <title>journald.conf</title> 10 <productname>systemd</productname> 11 </refentryinfo> 12 13 <refmeta> 14 <refentrytitle>journald.conf</refentrytitle> 15 <manvolnum>5</manvolnum> 16 </refmeta> 17 18 <refnamediv> 19 <refname>journald.conf</refname> 20 <refname>journald.conf.d</refname> 21 <refname>journald@.conf</refname> 22 <refpurpose>Journal service configuration files</refpurpose> 23 </refnamediv> 24 25 <refsynopsisdiv> 26 <para><filename>/etc/systemd/journald.conf</filename></para> 27 <para><filename>/etc/systemd/journald.conf.d/*.conf</filename></para> 28 <para><filename>/run/systemd/journald.conf.d/*.conf</filename></para> 29 <para><filename>/usr/lib/systemd/journald.conf.d/*.conf</filename></para> 30 <para><filename>/etc/systemd/journald@<replaceable>NAMESPACE</replaceable>.conf</filename></para> 31 <para><filename>/etc/systemd/journald@<replaceable>NAMESPACE</replaceable>.conf.d/*.conf</filename></para> 32 <para><filename>/run/systemd/journald@<replaceable>NAMESPACE</replaceable>.conf.d/*.conf</filename></para> 33 <para><filename>/usr/lib/systemd/journald@<replaceable>NAMESPACE</replaceable>.conf.d/*.conf</filename></para> 34 </refsynopsisdiv> 35 36 <refsect1> 37 <title>Description</title> 38 39 <para>These files configure various parameters of the systemd journal service, 40 <citerefentry><refentrytitle>systemd-journald.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>. 41 See 42 <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry> 43 for a general description of the syntax.</para> 44 45 <para>The <command>systemd-journald</command> instance managing the default namespace is configured by 46 <filename>/etc/systemd/journald.conf</filename> and associated drop-ins. Instances managing other 47 namespaces read <filename>/etc/systemd/journald@<replaceable>NAMESPACE</replaceable>.conf</filename> 48 and associated drop-ins with the namespace identifier filled in. This allows each namespace to carry 49 a distinct configuration. See 50 <citerefentry><refentrytitle>systemd-journald.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> 51 for details about journal namespaces.</para> 52 </refsect1> 53 54 <xi:include href="standard-conf.xml" xpointer="main-conf" /> 55 56 <refsect1> 57 <title>Options</title> 58 59 <para>All options are configured in the 60 [Journal] section:</para> 61 62 <variablelist class='config-directives'> 63 64 <varlistentry> 65 <term><varname>Storage=</varname></term> 66 67 <listitem><para>Controls where to store journal data. One of <literal>volatile</literal>, 68 <literal>persistent</literal>, <literal>auto</literal> and <literal>none</literal>. If 69 <literal>volatile</literal>, journal log data will be stored only in memory, i.e. below the 70 <filename>/run/log/journal</filename> hierarchy (which is created if needed). If 71 <literal>persistent</literal>, data will be stored preferably on disk, i.e. below the 72 <filename>/var/log/journal</filename> hierarchy (which is created if needed), with a fallback to 73 <filename>/run/log/journal</filename> (which is created if needed), during early boot and if the disk 74 is not writable. <literal>auto</literal> behaves like <literal>persistent</literal> if the 75 <filename>/var/log/journal</filename> directory exists, and <literal>volatile</literal> otherwise 76 (the existence of the directory controls the storage mode). <literal>none</literal> turns off all 77 storage, all log data received will be dropped (but forwarding to other targets, such as the console, 78 the kernel log buffer, or a syslog socket will still work). Defaults to <literal>auto</literal> in 79 the default journal namespace, and <literal>persistent</literal> in all others.</para> 80 81 <para>Note that journald will initially use volatile storage, until a call to 82 <command>journalctl --flush</command> (or sending <constant>SIGUSR1</constant> to journald) will cause 83 it to switch to persistent logging (under the conditions mentioned above). This is done automatically 84 on boot via <literal>systemd-journal-flush.service</literal>.</para> 85 86 <para>Note that when this option is changed to <literal>volatile</literal>, existing persistent data 87 is not removed. In the other direction, 88 <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry> with 89 the <option>--flush</option> option may be used to move volatile data to persistent storage.</para> 90 </listitem> 91 </varlistentry> 92 93 <varlistentry> 94 <term><varname>Compress=</varname></term> 95 96 <listitem><para>Can take a boolean value. If enabled (the 97 default), data objects that shall be stored in the journal 98 and are larger than the default threshold of 512 bytes are 99 compressed before they are written to the file system. It 100 can also be set to a number of bytes to specify the 101 compression threshold directly. Suffixes like K, M, and G 102 can be used to specify larger units.</para></listitem> 103 </varlistentry> 104 105 <varlistentry> 106 <term><varname>Seal=</varname></term> 107 108 <listitem><para>Takes a boolean value. If enabled (the 109 default), and a sealing key is available (as created by 110 <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s 111 <option>--setup-keys</option> command), Forward Secure Sealing 112 (FSS) for all persistent journal files is enabled. FSS is 113 based on <ulink 114 url="https://eprint.iacr.org/2013/397">Seekable Sequential Key 115 Generators</ulink> by G. A. Marson and B. Poettering 116 (doi:10.1007/978-3-642-40203-6_7) and may be used to protect 117 journal files from unnoticed alteration.</para></listitem> 118 </varlistentry> 119 120 <varlistentry> 121 <term><varname>SplitMode=</varname></term> 122 123 <listitem><para>Controls whether to split up journal files per user, either <literal>uid</literal> or 124 <literal>none</literal>. Split journal files are primarily useful for access control: on UNIX/Linux access 125 control is managed per file, and the journal daemon will assign users read access to their journal files. If 126 <literal>uid</literal>, all regular users (with UID outside the range of system users, dynamic service users, 127 and the nobody user) will each get their own journal files, and system users will log to the system journal. 128 See <ulink url="https://systemd.io/UIDS-GIDS">Users, Groups, UIDs and GIDs on systemd systems</ulink> 129 for more details about UID ranges. 130 If <literal>none</literal>, journal files are not split up by user and all messages are 131 instead stored in the single system journal. In this mode unprivileged users generally do not have access to 132 their own log data. Note that splitting up journal files by user is only available for journals stored 133 persistently. If journals are stored on volatile storage (see <varname>Storage=</varname> above), only a single 134 journal file is used. Defaults to <literal>uid</literal>.</para></listitem> 135 </varlistentry> 136 137 <varlistentry> 138 <term><varname>RateLimitIntervalSec=</varname></term> 139 <term><varname>RateLimitBurst=</varname></term> 140 141 <listitem><para>Configures the rate limiting that is applied 142 to all messages generated on the system. If, in the time 143 interval defined by <varname>RateLimitIntervalSec=</varname>, 144 more messages than specified in 145 <varname>RateLimitBurst=</varname> are logged by a service, 146 all further messages within the interval are dropped until the 147 interval is over. A message about the number of dropped 148 messages is generated. This rate limiting is applied 149 per-service, so that two services which log do not interfere 150 with each other's limits. Defaults to 10000 messages in 30s. 151 The time specification for 152 <varname>RateLimitIntervalSec=</varname> may be specified in the 153 following units: <literal>s</literal>, <literal>min</literal>, 154 <literal>h</literal>, <literal>ms</literal>, 155 <literal>us</literal>. To turn off any kind of rate limiting, 156 set either value to 0.</para> 157 158 <para>Note that the effective rate limit is multiplied by a 159 factor derived from the available free disk space for the journal. 160 Currently, this factor is calculated using the base 2 logarithm.</para> 161 162 <table> 163 <title>Example <varname>RateLimitBurst=</varname> rate 164 modifications by the available disk space</title> 165 <tgroup cols='2'> 166 <colspec colname='freespace' /> 167 <colspec colname='multiplier' /> 168 <thead> 169 <row> 170 <entry>Available Disk Space</entry> 171 <entry>Burst Multiplier</entry> 172 </row> 173 </thead> 174 <tbody> 175 <row> 176 <entry><= 1MB</entry> 177 <entry>1</entry> 178 </row> 179 <row> 180 <entry><= 16MB</entry> 181 <entry>2</entry> 182 </row> 183 <row> 184 <entry><= 256MB</entry> 185 <entry>3</entry> 186 </row> 187 <row> 188 <entry><= 4GB</entry> 189 <entry>4</entry> 190 </row> 191 <row> 192 <entry><= 64GB</entry> 193 <entry>5</entry> 194 </row> 195 <row> 196 <entry><= 1TB</entry> 197 <entry>6</entry> 198 </row> 199 </tbody> 200 </tgroup> 201 </table> 202 203 <para>If a service provides rate limits for itself through 204 <varname>LogRateLimitIntervalSec=</varname> and/or <varname>LogRateLimitBurst=</varname> 205 in <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>, 206 those values will override the settings specified here.</para> 207 </listitem> 208 </varlistentry> 209 210 <varlistentry> 211 <term><varname>SystemMaxUse=</varname></term> 212 <term><varname>SystemKeepFree=</varname></term> 213 <term><varname>SystemMaxFileSize=</varname></term> 214 <term><varname>SystemMaxFiles=</varname></term> 215 <term><varname>RuntimeMaxUse=</varname></term> 216 <term><varname>RuntimeKeepFree=</varname></term> 217 <term><varname>RuntimeMaxFileSize=</varname></term> 218 <term><varname>RuntimeMaxFiles=</varname></term> 219 220 <listitem><para>Enforce size limits on the journal files 221 stored. The options prefixed with <literal>System</literal> 222 apply to the journal files when stored on a persistent file 223 system, more specifically 224 <filename>/var/log/journal</filename>. The options prefixed 225 with <literal>Runtime</literal> apply to the journal files 226 when stored on a volatile in-memory file system, more 227 specifically <filename>/run/log/journal</filename>. The former 228 is used only when <filename>/var/</filename> is mounted, 229 writable, and the directory 230 <filename>/var/log/journal</filename> exists. Otherwise, only 231 the latter applies. Note that this means that during early 232 boot and if the administrator disabled persistent logging, 233 only the latter options apply, while the former apply if 234 persistent logging is enabled and the system is fully booted 235 up. <command>journalctl</command> and 236 <command>systemd-journald</command> ignore all files with 237 names not ending with <literal>.journal</literal> or 238 <literal>.journal~</literal>, so only such files, located in 239 the appropriate directories, are taken into account when 240 calculating current disk usage.</para> 241 242 <para><varname>SystemMaxUse=</varname> and 243 <varname>RuntimeMaxUse=</varname> control how much disk space 244 the journal may use up at most. 245 <varname>SystemKeepFree=</varname> and 246 <varname>RuntimeKeepFree=</varname> control how much disk 247 space systemd-journald shall leave free for other uses. 248 <command>systemd-journald</command> will respect both limits 249 and use the smaller of the two values.</para> 250 251 <para>The first pair defaults to 10% and the second to 15% of 252 the size of the respective file system, but each value is 253 capped to 4G. If the file system is nearly full and either 254 <varname>SystemKeepFree=</varname> or 255 <varname>RuntimeKeepFree=</varname> are violated when 256 systemd-journald is started, the limit will be raised to the 257 percentage that is actually free. This means that if there was 258 enough free space before and journal files were created, and 259 subsequently something else causes the file system to fill up, 260 journald will stop using more space, but it will not be 261 removing existing files to reduce the footprint again, 262 either. Also note that only archived files are deleted to reduce the 263 space occupied by journal files. This means that, in effect, there might 264 still be more space used than <varname>SystemMaxUse=</varname> or 265 <varname>RuntimeMaxUse=</varname> limit after a vacuuming operation is 266 complete.</para> 267 268 <para><varname>SystemMaxFileSize=</varname> and 269 <varname>RuntimeMaxFileSize=</varname> control how large 270 individual journal files may grow at most. This influences 271 the granularity in which disk space is made available through 272 rotation, i.e. deletion of historic data. Defaults to one 273 eighth of the values configured with 274 <varname>SystemMaxUse=</varname> and 275 <varname>RuntimeMaxUse=</varname>, so that usually seven 276 rotated journal files are kept as history.</para> 277 278 <para>Specify values in bytes or use K, M, G, T, P, E as 279 units for the specified sizes (equal to 1024, 1024², … bytes). 280 Note that size limits are enforced synchronously when journal 281 files are extended, and no explicit rotation step triggered by 282 time is needed.</para> 283 284 <para><varname>SystemMaxFiles=</varname> and 285 <varname>RuntimeMaxFiles=</varname> control how many 286 individual journal files to keep at most. Note that only 287 archived files are deleted to reduce the number of files until 288 this limit is reached; active files will stay around. This 289 means that, in effect, there might still be more journal files 290 around in total than this limit after a vacuuming operation is 291 complete. This setting defaults to 100.</para></listitem> 292 </varlistentry> 293 294 <varlistentry> 295 <term><varname>MaxFileSec=</varname></term> 296 297 <listitem><para>The maximum time to store entries in a single 298 journal file before rotating to the next one. Normally, 299 time-based rotation should not be required as size-based 300 rotation with options such as 301 <varname>SystemMaxFileSize=</varname> should be sufficient to 302 ensure that journal files do not grow without bounds. However, 303 to ensure that not too much data is lost at once when old 304 journal files are deleted, it might make sense to change this 305 value from the default of one month. Set to 0 to turn off this 306 feature. This setting takes time values which may be suffixed 307 with the units <literal>year</literal>, 308 <literal>month</literal>, <literal>week</literal>, 309 <literal>day</literal>, <literal>h</literal> or 310 <literal>m</literal> to override the default time unit of 311 seconds.</para></listitem> 312 </varlistentry> 313 314 <varlistentry> 315 <term><varname>MaxRetentionSec=</varname></term> 316 317 <listitem><para>The maximum time to store journal entries. 318 This controls whether journal files containing entries older 319 than the specified time span are deleted. Normally, time-based 320 deletion of old journal files should not be required as 321 size-based deletion with options such as 322 <varname>SystemMaxUse=</varname> should be sufficient to 323 ensure that journal files do not grow without bounds. However, 324 to enforce data retention policies, it might make sense to 325 change this value from the default of 0 (which turns off this 326 feature). This setting also takes time values which may be 327 suffixed with the units <literal>year</literal>, 328 <literal>month</literal>, <literal>week</literal>, 329 <literal>day</literal>, <literal>h</literal> or <literal> 330 m</literal> to override the default time unit of 331 seconds.</para></listitem> 332 </varlistentry> 333 334 <varlistentry> 335 <term><varname>SyncIntervalSec=</varname></term> 336 337 <listitem><para>The timeout before synchronizing journal files 338 to disk. After syncing, journal files are placed in the 339 OFFLINE state. Note that syncing is unconditionally done 340 immediately after a log message of priority CRIT, ALERT or 341 EMERG has been logged. This setting hence applies only to 342 messages of the levels ERR, WARNING, NOTICE, INFO, DEBUG. The 343 default timeout is 5 minutes. </para></listitem> 344 </varlistentry> 345 346 <varlistentry> 347 <term><varname>ForwardToSyslog=</varname></term> 348 <term><varname>ForwardToKMsg=</varname></term> 349 <term><varname>ForwardToConsole=</varname></term> 350 <term><varname>ForwardToWall=</varname></term> 351 352 <listitem><para>Control whether log messages received by the journal daemon shall be forwarded to a 353 traditional syslog daemon, to the kernel log buffer (kmsg), to the system console, or sent as wall 354 messages to all logged-in users. These options take boolean arguments. If forwarding to syslog is 355 enabled but nothing reads messages from the socket, forwarding to syslog has no effect. By default, 356 only forwarding to wall is enabled. These settings may be overridden at boot time with the kernel 357 command line options <literal>systemd.journald.forward_to_syslog</literal>, 358 <literal>systemd.journald.forward_to_kmsg</literal>, 359 <literal>systemd.journald.forward_to_console</literal>, and 360 <literal>systemd.journald.forward_to_wall</literal>. If the option name is specified without 361 <literal>=</literal> and the following argument, true is assumed. Otherwise, the argument is parsed 362 as a boolean.</para> 363 364 <para>When forwarding to the console, the TTY to log to can be changed with 365 <varname>TTYPath=</varname>, described below.</para> 366 367 <para>When forwarding to the kernel log buffer (kmsg), make sure to select a suitably large size for 368 the log buffer, for example by adding <literal>log_buf_len=8M</literal> to the kernel command line. 369 <command>systemd</command> will automatically disable kernel's rate-limiting applied to userspace 370 processes (equivalent to setting <literal>printk.devkmsg=on</literal>).</para></listitem> 371 </varlistentry> 372 373 <varlistentry> 374 <term><varname>MaxLevelStore=</varname></term> 375 <term><varname>MaxLevelSyslog=</varname></term> 376 <term><varname>MaxLevelKMsg=</varname></term> 377 <term><varname>MaxLevelConsole=</varname></term> 378 <term><varname>MaxLevelWall=</varname></term> 379 380 <listitem><para>Controls the maximum log level of messages 381 that are stored in the journal, forwarded to syslog, kmsg, the 382 console or wall (if that is enabled, see above). As argument, 383 takes one of 384 <literal>emerg</literal>, 385 <literal>alert</literal>, 386 <literal>crit</literal>, 387 <literal>err</literal>, 388 <literal>warning</literal>, 389 <literal>notice</literal>, 390 <literal>info</literal>, 391 <literal>debug</literal>, 392 or integer values in the range of 0–7 (corresponding to the 393 same levels). Messages equal or below the log level specified 394 are stored/forwarded, messages above are dropped. Defaults to 395 <literal>debug</literal> for <varname>MaxLevelStore=</varname> 396 and <varname>MaxLevelSyslog=</varname>, to ensure that the all 397 messages are stored in the journal and forwarded to syslog. 398 Defaults to 399 <literal>notice</literal> for <varname>MaxLevelKMsg=</varname>, 400 <literal>info</literal> for <varname>MaxLevelConsole=</varname>, 401 and <literal>emerg</literal> for 402 <varname>MaxLevelWall=</varname>. These settings may be 403 overridden at boot time with the kernel command line options 404 <literal>systemd.journald.max_level_store=</literal>, 405 <literal>systemd.journald.max_level_syslog=</literal>, 406 <literal>systemd.journald.max_level_kmsg=</literal>, 407 <literal>systemd.journald.max_level_console=</literal>, 408 <literal>systemd.journald.max_level_wall=</literal>.</para> 409 </listitem> 410 </varlistentry> 411 412 <varlistentry> 413 <term><varname>ReadKMsg=</varname></term> 414 415 <listitem><para>Takes a boolean value. If enabled <command>systemd-journal</command> processes 416 <filename>/dev/kmsg</filename> messages generated by the kernel. In the default journal namespace 417 this option is enabled by default, it is disabled in all others.</para></listitem> 418 </varlistentry> 419 420 <varlistentry> 421 <term><varname>Audit=</varname></term> 422 423 <listitem><para>Takes a boolean value. If enabled <command>systemd-journal</command> will turn on 424 kernel auditing on start-up. If disabled it will turn it off. If unset it will neither enable nor 425 disable it, leaving the previous state unchanged. Note that this option does not control whether 426 <command>systemd-journald</command> collects generated audit records, it just controls whether it 427 tells the kernel to generate them. This means if another tool turns on auditing even if 428 <command>systemd-journald</command> left it off, it will still collect the generated 429 messages. Defaults to on.</para></listitem> 430 </varlistentry> 431 432 <varlistentry> 433 <term><varname>TTYPath=</varname></term> 434 435 <listitem><para>Change the console TTY to use if 436 <varname>ForwardToConsole=yes</varname> is used. Defaults to 437 <filename>/dev/console</filename>.</para></listitem> 438 </varlistentry> 439 440 <varlistentry> 441 <term><varname>LineMax=</varname></term> 442 443 <listitem><para>The maximum line length to permit when converting stream logs into record logs. When a systemd 444 unit's standard output/error are connected to the journal via a stream socket, the data read is split into 445 individual log records at newline (<literal>\n</literal>, ASCII 10) and <constant>NUL</constant> characters. If no such delimiter is 446 read for the specified number of bytes a hard log record boundary is artificially inserted, breaking up overly 447 long lines into multiple log records. Selecting overly large values increases the possible memory usage of the 448 Journal daemon for each stream client, as in the worst case the journal daemon needs to buffer the specified 449 number of bytes in memory before it can flush a new log record to disk. Also note that permitting overly large 450 line maximum line lengths affects compatibility with traditional log protocols as log records might not fit 451 anymore into a single <constant>AF_UNIX</constant> or <constant>AF_INET</constant> datagram. Takes a size in 452 bytes. If the value is suffixed with K, M, G or T, the specified size is parsed as Kilobytes, Megabytes, 453 Gigabytes, or Terabytes (with the base 1024), respectively. Defaults to 48K, which is relatively large but 454 still small enough so that log records likely fit into network datagrams along with extra room for 455 metadata. Note that values below 79 are not accepted and will be bumped to 79.</para></listitem> 456 </varlistentry> 457 458 </variablelist> 459 460 </refsect1> 461 462 <refsect1> 463 <title>Forwarding to traditional syslog daemons</title> 464 465 <para> 466 Journal events can be transferred to a different logging daemon 467 in two different ways. With the first method, messages are 468 immediately forwarded to a socket 469 (<filename>/run/systemd/journal/syslog</filename>), where the 470 traditional syslog daemon can read them. This method is 471 controlled by the <varname>ForwardToSyslog=</varname> option. With a 472 second method, a syslog daemon behaves like a normal journal 473 client, and reads messages from the journal files, similarly to 474 <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>. 475 With this, messages do not have to be read immediately, 476 which allows a logging daemon which is only started late in boot 477 to access all messages since the start of the system. In 478 addition, full structured meta-data is available to it. This 479 method of course is available only if the messages are stored in 480 a journal file at all. So it will not work if 481 <varname>Storage=none</varname> is set. It should be noted that 482 usually the <emphasis>second</emphasis> method is used by syslog 483 daemons, so the <varname>Storage=</varname> option, and not the 484 <varname>ForwardToSyslog=</varname> option, is relevant for them. 485 </para> 486 </refsect1> 487 488 <refsect1> 489 <title>See Also</title> 490 <para> 491 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, 492 <citerefentry><refentrytitle>systemd-journald.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, 493 <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>, 494 <citerefentry><refentrytitle>systemd.journal-fields</refentrytitle><manvolnum>7</manvolnum></citerefentry>, 495 <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> 496 </para> 497 </refsect1> 498 499</refentry> 500