1
0
mirror of https://github.com/systemd/systemd.git synced 2024-11-05 06:52:22 +03:00
systemd/man/systemd-journald.service.xml
Lennart Poettering a24c64f03f journald: introduce new "systemd-journal" group and make it own the journal files
Previously all journal files were owned by "adm". In order to allow
specific users to read the journal files without granting it access to
the full "adm" powers, introduce a new specific group for this.

"systemd-journal" has to be created by the packaging scripts manually at
installation time. It's a good idea to assign a static UID/GID to this
group, since /var/log/journal might be shared across machines via NFS.

This commit also grants read access to the journal files by default to
members of the "wheel" and "adm" groups via file system ACLs, since
these "almost-root" groups should be able to see what's going on on the
system. These ACLs are created by "make install". Packagers probably
need to duplicate this logic in their postinst scripts.

This also adds documentation how to grant access to the journal to
additional users or groups via fs ACLs.
2013-03-05 18:59:03 +01:00

207 lines
9.4 KiB
XML

<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!--
This file is part of systemd.
Copyright 2010 Lennart Poettering
systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.
systemd is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License
along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->
<refentry id="systemd-journald.service">
<refentryinfo>
<title>systemd-journald.service</title>
<productname>systemd</productname>
<authorgroup>
<author>
<contrib>Developer</contrib>
<firstname>Lennart</firstname>
<surname>Poettering</surname>
<email>lennart@poettering.net</email>
</author>
</authorgroup>
</refentryinfo>
<refmeta>
<refentrytitle>systemd-journald.service</refentrytitle>
<manvolnum>8</manvolnum>
</refmeta>
<refnamediv>
<refname>systemd-journald.service</refname>
<refname>systemd-journald.socket</refname>
<refname>systemd-journald</refname>
<refpurpose>Journal service</refpurpose>
</refnamediv>
<refsynopsisdiv>
<para><filename>systemd-journald.service</filename></para>
<para><filename>systemd-journald.socket</filename></para>
<para><filename>/usr/lib/systemd/systemd-journald</filename></para>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para><filename>systemd-journald</filename> is a
system service that collects and stores logging
data. It creates and maintains structured, indexed
journals based on logging information that is received
from the kernel, from user processes via the libc
<citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>
call, from STDOUT/STDERR of system services or via its
native API. It will implicitly collect numerous meta
data fields for each log messages in a secure and
unfakeable way. See
<citerefentry><refentrytitle>systemd.journal-fields</refentrytitle><manvolnum>7</manvolnum></citerefentry>
for more information about the collected meta data.
</para>
<para>Log data collected by the journal is primarily
text based but can also include binary data where
necessary. All objects stored in the journal can be up
to 2^64-1 bytes in size.</para>
<para>By default the journal stores log data in
<filename>/run/log/journal/</filename>. Since
<filename>/run/</filename> is volatile log data is
lost at reboot. To make the data persistent it
is sufficient to create
<filename>/var/log/journal/</filename> where
<filename>systemd-journald</filename> will then store
the data.</para>
<para><filename>systemd-journald</filename> will
forward all received log messages to the AF_UNIX
SOCK_DGRAM socket
<filename>/run/systemd/journal/syslog</filename> (if it exists) which
may be used by UNIX syslog daemons to process the data
further.</para>
<para>See
<citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for information about the configuration of this
service.</para>
</refsect1>
<refsect1>
<title>Signals</title>
<variablelist>
<varlistentry>
<term>SIGUSR1</term>
<listitem><para>Request that journal
data from <filename>/run/</filename>
is flushed to
<filename>/var/</filename> in order to
make it persistent (if this is
enabled). This may be used after
<filename>/var/</filename> is mounted,
but is generally not required since
the first journal write when
<filename>/var/</filename> becomes
writable triggers the flushing
anyway.</para></listitem>
</varlistentry>
<varlistentry>
<term>SIGUSR2</term>
<listitem><para>Request immediate
rotation of the journal
files.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Kernel Command Line</title>
<para>A few configuration parameters from
<filename>journald.conf</filename> may be overridden on
the kernel command line:</para>
<variablelist class='kernel-commandline-options'>
<varlistentry>
<term><varname>systemd.journald.forward_to_syslog=</varname></term>
<term><varname>systemd.journald.forward_to_kmsg=</varname></term>
<term><varname>systemd.journald.forward_to_console=</varname></term>
<listitem><para>Enables/disables
forwarding of collected log messages
to syslog, the kernel log buffer or
the system console.
</para>
<para>See
<citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for information about these settings.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Access Control</title>
<para>Journal files are by default owned and readable
by the <literal>systemd-journal</literal> system group
(but not writable). Adding a user to this group thus
enables her/him to read the journal files.</para>
<para>By default, each logged in user will get her/his
own set of journal files in
<filename>/var/log/journal/</filename>. These files
will not be owned by the user however, in order to
avoid that the user can write to them
directly. Instead, file system ACLs are used to ensure
the user gets read access only.</para>
<para>Additional users and groups may be granted
access to journal files via file system access control
lists (ACL). Distributions and administrators may
choose to grant read access to all members of the
<literal>wheel</literal> and <literal>adm</literal>
system groups with a command such as the
following:</para>
<programlisting># setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/</programlisting>
<para>Note that this command will update the ACLs both
for existing journal files and for future journal
files created in the
<filename>/var/log/journal/</filename>
directory.</para>
</refsect1>
<refsect1>
<title>See Also</title>
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>journalctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.journal-fields</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
<citerefentry><refentrytitle>sd-journal</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
<citerefentry><refentrytitle>setfacl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
</para>
</refsect1>
</refentry>