Descriptionsystemd-journald is a
- system service that collects and stores logging
- data. It creates and maintains structured, indexed
- journals based on logging information that is received
- from the kernel, from user processes via the libc
- syslog3
- call, from STDOUT/STDERR of system services or via its
- native API. It will implicitly collect numerous meta
- data fields for each log messages in a secure and
+ system service that collects and stores logging data.
+ It creates and maintains structured, indexed journals
+ based on logging information that is received from a
+ variety of sources:
+
+
+ Kernel log messages, via kmsg
+
+ Simple system log messages, via the
+ libc syslog3
+ call
+
+ Structured system log messages via the
+ native Journal API, see
+ sd_journal_print4
+
+ Standard output and
+ standard error of system
+ services
+
+ Audit records, via the audit subsystem
+
+
+ The daemon will implicitly collect numerous
+ metadata fields for each log messages in a secure and
unfakeable way. See
systemd.journal-fields7
- for more information about the collected meta data.
+ for more information about the collected metadata.
Log data collected by the journal is primarily
- text based but can also include binary data where
+ text-based but can also include binary data where
necessary. All objects stored in the journal can be up
to 2^64-1 bytes in size.
- By default the journal stores log data in
+ By default, the journal stores log data in
/run/log/journal/. Since
- /run/ is volatile log data is
- lost at reboot. To make the data persistent it
+ /run/ is volatile, log data is
+ lost at reboot. To make the data persistent, it
is sufficient to create
/var/log/journal/ where
systemd-journald will then store
the data.systemd-journald will
- forward all received log messages to the AF_UNIX
- SOCK_DGRAM socket
- /run/systemd/journal/syslog (if it exists) which
- may be used by UNIX syslog daemons to process the data
+ forward all received log messages to the AF_UNIX/SOCK_DGRAM socket
+ /run/systemd/journal/syslog, if it exists, which
+ may be used by Unix syslog daemons to process the data
further.See
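Review bot: The added line "metadata fields for each log messages in a secure and" carries over the number disagreement from the line it replaces; since the sentence is being rewritten anyway, make it "for each log message". In the new list of sources, the reference sd_journal_print4 points at manual section 4, while the other library call cited in the same list, syslog3, is in section 3. Library functions are documented in section 3, so this should read sd_journal_print3.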
@@ -111,13 +130,13 @@
is flushed to
/var/ in order to
make it persistent (if this is
- enabled). This may be used after
+ enabled). This must be used after
/var/ is mounted,
- but is generally not required since
- the first journal write when
- /var/ becomes
- writable triggers the flushing
- anyway.
+ as otherwise log data from
+ /run is never
+ flushed to /var
+ regardless of the
+ configuration.
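Review bot: The rewritten sentence "This must be used after /var/ is mounted" turns an optional step into a requirement for persistence, but it does not say who is expected to perform it. From this text an administrator cannot tell whether a stock system does it at boot or whether log data will silently remain in volatile storage until someone acts. State which component triggers the flush, or say explicitly that the administrator has to. The added lines also write "/run" and "/var" without the trailing slash used in "/var/" a few lines earlier in the same paragraph; pick one form.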
@@ -137,16 +156,17 @@
journald.conf may be overridden on
the kernel command line:
-
+ systemd.journald.forward_to_syslog=systemd.journald.forward_to_kmsg=systemd.journald.forward_to_console=
+ systemd.journald.forward_to_wall=Enables/disables
forwarding of collected log messages
- to syslog, the kernel log buffer or
- the system console.
+ to syslog, the kernel log buffer, the
+ system console or wall.
See
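Review bot: In the new description, "wall" is added as a forwarding target with no explanation, while the other three targets are each named by what they are ("syslog, the kernel log buffer, the system console"). Spell out what forwarding to wall means for the reader, or reference the relevant manual page. The four option names end in "=" but the text never says what value follows; a short statement of the accepted values, or a pointer to where they are defined, would make the kernel command line usage self-contained.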
@@ -158,6 +178,84 @@
+
+ Access Control
+
+ Journal files are, by default, owned and readable
+ by the systemd-journal system group
+ but are not writable. Adding a user to this group thus
+ enables her/him to read the journal files.
+
+ By default, each logged in user will get her/his
+ own set of journal files in
+ /var/log/journal/. These files
+ will not be owned by the user, however, in order to
+ avoid that the user can write to them
+ directly. Instead, file system ACLs are used to ensure
+ the user gets read access only.
+
+ Additional users and groups may be granted
+ access to journal files via file system access control
+ lists (ACL). Distributions and administrators may
+ choose to grant read access to all members of the
+ wheel and adm
+ system groups with a command such as the
+ following:
+
+ # setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/
+
+ Note that this command will update the ACLs both
+ for existing journal files and for future journal
+ files created in the
+ /var/log/journal/
+ directory.
+
+
+
+ Files
+
+
+
+ /etc/systemd/journald.conf
+
+ Configure
+ systemd-journald
+ behaviour. See
+ journald.conf5.
+
+
+
+
+ /run/log/journal/machine-id/*.journal
+ /run/log/journal/machine-id/*.journal~
+ /var/log/journal/machine-id/*.journal
+ /var/log/journal/machine-id/*.journal~
+
+ systemd-journald
+ writes entries to files in
+ /run/log/journal/machine-id/
+ or
+ /var/log/journal/machine-id/
+ with the .journal
+ suffix. If the daemon is stopped
+ uncleanly, or if the files are found
+ to be corrupted, they are renamed
+ using the .journal~
+ suffix, and
+ systemd-journald
+ starts writing to a new
+ file. /run is
+ used when
+ /var/log/journal
+ is not available, or when
+ is
+ set in the
+ journald.conf5
+ configuration file.
+
+
+
+ See Also
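Review bot: The example "setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/" grants more than the read access the paragraph describes: with -R, the lowercase "x" is applied to the regular journal files as well as the directories. Using "rX" gives traversal on directories without marking the journal files executable. The paragraph should also say plainly that this opens every user's journal under /var/log/journal/ to all members of wheel and adm, since the preceding paragraph describes per-user files that are read-only to their own user. Separately, in the Files section the sentence "is not available, or when is set in the" has lost the name of the setting it refers to, so the condition cannot be read as written.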
@@ -166,7 +264,11 @@
journalctl1,
journald.conf5,
systemd.journal-fields7,
- sd-journal3
+ sd-journal3,
+ systemd-coredump8,
+ setfacl1,
+ sd_journal_print4,
+ pydoc systemd.journal.
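Review bot: The last added entry, "pydoc systemd.journal", is a command to run rather than a manual page reference, yet it sits in a list where every other item is a page name with a section number. Either introduce it in a separate sentence that says it is the Python module documentation, or drop it from this list. The new sd_journal_print4 entry also has a different section number from its sibling sd-journal3 in the same list; both are library documentation and should agree.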