Systemd journal?
When Systemd replaced traditional SysVinit scripts it introduced its own logging system called journal. Running based services such as syslog ,Rsyslog are no longer needed as all system events are written in the journal.
Journal is a component of systemd. Its full name is systemd-journald.service. It collects and stores information from different sources such as the kernel, user processes, standard input, and system service errors and loads the messages into the journal. It works the same way as Syslog but gives a more efficient way to manage logs.
With systemd journal, there is no option or reason for a traditional syslog utility like logrotate. Systemd-journald can be configured to grow its files up to a percentage of the size of the volume it’s hosted in. The daemon would then automatically delete old journal entries to keep the size below that threshold.
The main configuration file for systemd-journald is /etc/systemd/journald.conf. However, other packages can create their configuration files which can be under any of these directories with a .conf extension:
- /etc/systemd/journald.conf.d/*.conf
- /run/systemd/journald.conf.d/*.conf
- /usr/lib/systemd/journald.conf.d/*.conf
The main configuration file is read first, followed by any modified *.conf files. Custom configurations supersede the primary one.
The systemd-journald service is and should be ON by default.
Here is a look into the default configuration file.
##
#
[Journal]
#Storage=auto
#Compress=yes
#Seal=yes
#SplitMode=uid
#SyncIntervalSec=5m
#RateLimitIntervalSec=30s
#RateLimitBurst=10000
#SystemMaxUse=
##
#
As you can see, all the parameters are commented out, meaning the values are known to systemd as default values. If any of the values need to be changed, they have to be uncommented and the systemd-journald.service restarted.
Making the Journal Persistent
The journal stores log data in /run/log/journal/ by default. Because the /run/ directory is volatile by nature, log data is lost at reboot. To make the log data persistent, the directory /var/log/journal/ must exist with correct ownership and permissions so the systemd-journald service can store its data. systemd will create the directory for you—and switch to persistent logging—
Uncomment the line containing Storage= and change it to persistent
$ sudo nano /etc/systemd/journald.conf
##
#
[Journal]
#Storage=auto
#Compress=yes
#Seal=yes
#SplitMode=uid
#SyncIntervalSec=5m
#RateLimitIntervalSec=30s
#RateLimitBurst=10000
#SystemMaxUse=
##
#
See the official journald.conf documentation for a complete list of arguments.
- "persistent": Journal data is saved persistently on disk under the /var/log/journal directory. The directory will be created if it does not exist. If the disk volume is not accessible or writable, the files will be created under /run/log/journal.
- "auto": The storage mode is like persistent—data will be written to disk; however, if the /var/log/journal directory does not exist, it will be created under /run/log/journal.
Changing the Journal Size Limit
If the journal log data is set to persistent, it will use up to 10% of the file system the /var/log/journal resides on. For instance if /var/log/journal is located on a 50 GB /var partition, the journal may use up to 5 GB of the disk space.
To change this limit, change (and uncomment) the SystemMaxUse option.
Below it has been set to 500M.
##
#
SystemMaxUse=500M
#
#
Forwarding the Journal to /dev/ttyX
You can even forward the journal to a terminal device to inform you about system messages on a preferred terminal screen. When forwarding to the console, the TTY to log to can be changed with TTYPath=
##
#
ForwardToConsole=yes
TTYPath=/dev/tty4
##
#That's a wrap!!!
We hope you have found this post as useful and informative as we do.
Keep on learning and sharing knowledge.