•Kernel log messages, via kmsg
•Simple system log messages, via the libc syslog(3) call
•Structured system log messages via the native Journal API, see sd_journal_print(4)
•Standard output and standard error of service units. For further details see below.
•Audit records, originating from the kernel audit subsystemThe daemon will implicitly collect numerous metadata fields for each log messages in a secure and unfakeable way. See systemd.journal-fields(7) for more information about the collected metadata. Log data collected by the journal is primarily text-based but can also include binary data where necessary. Individual fields making up a log record stored in the journal may be up to 2^64-1 bytes in size. The journal service stores log data either persistently below /var/log/journal or in a volatile way below /run/log/journal/ (in the latter case it is lost at reboot). By default, log data is stored persistently if /var/log/journal/ exists during boot, with an implicit fallback to volatile storage otherwise. Use Storage= in journald.conf(5) to configure where log data is placed, independently of the existence of /var/log/journal/. On systems where /var/log/journal/ does not exist yet but where persistent logging is desired (and the default journald.conf is used), it is sufficient to create the directory, and ensure it has the correct access modes and ownership:
mkdir -p /var/log/journal systemd-tmpfiles --create --prefix /var/log/journal
Request that journal data from /run/ is flushed to /var/ in order to make it persistent (if this is enabled). This must be used after /var/ is mounted, as otherwise log data from /run is never flushed to /var regardless of the configuration. The journalctl --flush command uses this signal to request flushing of the journal files, and then waits for the operation to complete. See journalctl(1) for details.SIGUSR2
Request immediate rotation of the journal files. The journalctl --rotate command uses this signal to request journal file rotation.SIGRTMIN+1
Request that all unwritten log data is written to disk. The journalctl --sync command uses this signal to trigger journal synchronization, and then waits for the operation to complete.
Enables/disables forwarding of collected log messages to syslog, the kernel log buffer, the system console or wall.See journald.conf(5) for information about these settings.
# setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/
Configure systemd-journald behavior. See journald.conf(5)./run/log/journal/ machine-id/*.journal, /run/log/journal/machine-id/*.journal~, /var/log/journal/ machine-id/*.journal, /var/log/journal/ machine-id/*.journal~
systemd-journald writes entries to files in /run/log/journal/ machine-id/ or /var/log/journal/ machine-id/ with the ".journal" suffix. If the daemon is stopped uncleanly, or if the files are found to be corrupted, they are renamed using the ".journal~" suffix, and systemd-journald starts writing to a new file. /run is used when /var/log/journal is not available, or when Storage=volatile is set in the journald.conf(5) configuration file.When systemd-journald ceases writing to a journal file, it will be renamed to " firstname.lastname@example.org" (or " original-name@ suffix.journal~"). Such files are "archived" and will not be written to any more.In general, it is safe to read or copy any journal file (active or archived). journalctl(1) and the functions in the sd-journal(3) library should be able to read all entries that have been fully written.systemd-journald will automatically remove the oldest archived journal files to limit disk use. See SystemMaxUse= and related settings in journald.conf(5)./dev/kmsg, /dev/log, /run/systemd/journal/dev-log, /run/systemd/journal/socket, /run/systemd/journal/stdout
Sockets and other paths that systemd-journald will listen on that are visible in the file system. In addition to these, journald can listen for audit events using netlink.systemd(1), journalctl(1), journald.conf(5), systemd.journal-fields(7), sd-journal(3), systemd-coredump(8), setfacl(1), sd_journal_print(4), pydoc systemd.journal