<para>These files configure various parameters of the systemd journal service,
<citerefentry><refentrytitle>systemd-journald.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
See
- <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry>
for a general description of the syntax.</para>
<para>The <command>systemd-journald</command> instance managing the default namespace is configured by
<title>Options</title>
<para>All options are configured in the
- <literal>[Journal]</literal> section:</para>
+ [Journal] section:</para>
<variablelist class='config-directives'>
<literal>persistent</literal>, data will be stored preferably on disk, i.e. below the
<filename>/var/log/journal</filename> hierarchy (which is created if needed), with a fallback to
<filename>/run/log/journal</filename> (which is created if needed), during early boot and if the disk
- is not writable. <literal>auto</literal> is similar to <literal>persistent</literal> but the
- directory <filename>/var/log/journal</filename> is not created if needed, so that its existence
- controls where log data goes. <literal>none</literal> turns off all storage, all log data received
- will be dropped. Forwarding to other targets, such as the console, the kernel log buffer, or a syslog
- socket will still work however. Defaults to <literal>auto</literal> in the default journal namespace,
- and <literal>persistent</literal> in all others.</para></listitem>
+ is not writable. <literal>auto</literal> behaves like <literal>persistent</literal> if the
+ <filename>/var/log/journal</filename> directory exists, and <literal>volatile</literal> otherwise
+ (the existence of the directory controls the storage mode). <literal>none</literal> turns off all
+ storage, all log data received will be dropped (but forwarding to other targets, such as the console,
+ the kernel log buffer, or a syslog socket will still work). Defaults to <literal>auto</literal> in
+ the default journal namespace, and <literal>persistent</literal> in all others.</para>
+
+ <para>Note that when this option is changed to <literal>volatile</literal>, existing persistent data
+ is not removed. In the other direction,
+ <citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry> with
+ the <option>--flush</option> option may be used to move volatile data to persistent storage.</para>
+ </listitem>
</varlistentry>
<varlistentry>
<literal>us</literal>. To turn off any kind of rate limiting,
set either value to 0.</para>
- <para>Note that the effective rate limit is multiplied with a
+ <para>Note that the effective rate limit is multiplied by a
factor derived from the available free disk space for the journal.
Currently, this factor is calculated using the base 2 logarithm.</para>
<varname>TTYPath=</varname>, described below.</para>
<para>When forwarding to the kernel log buffer (kmsg), make sure to select a suitably large size for
- the log buffer, and ensure the kernel's rate-limiting applied to userspace processes is turned
- off. Specifically, add <literal>log_buf_len=8M</literal> and <literal>printk.devkmsg=on</literal> (or
- similar) to the kernel command line.</para></listitem>
+ the log buffer, for example by adding <literal>log_buf_len=8M</literal> to the kernel command line.
+ <command>systemd</command> will automatically disable kernel's rate-limiting applied to userspace
+ processes (equivalent to setting <literal>printk.devkmsg=on</literal>).</para></listitem>
</varlistentry>
<varlistentry>
this option is enabled by default, it is disabled in all others.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>Audit=</varname></term>
+
+ <listitem><para>Takes a boolean value. If enabled <command>systemd-journal</command> will turn on
+ kernel auditing on start-up. If disabled it will turn it off. If unset it will neither enable nor
+ disable it, leaving the previous state unchanged. Note that this option does not control whether
+ <command>systemd-journald</command> collects generated audit records, it just controls whether it
+ tells the kernel to generate them. This means if another tool turns on auditing even if
+ <command>systemd-journald</command> left it off, it will still collect the generated
+ messages. Defaults to on.</para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><varname>TTYPath=</varname></term>