Master DevOps Tools & Best Practices - DevOps Knowledge Hub Master DevOps Tools & Best Practices - DevOps Knowledge Hub

Configuring Systemd Journal Limits: Optimizing Disk Usage and Log Rotation

Configure systemd journal size and retention limits with `journald.conf`, `journalctl`, and safe log cleanup commands.

Configuring Systemd Journal Limits: Optimizing Disk Usage and Log Rotation

System logs are useful until they quietly fill the disk. On Linux systems that use systemd, systemd-journald stores indexed logs and can enforce size and age limits so your journal keeps enough history without crowding out the rest of the system.

This guide shows where to configure systemd journal limits, how persistent and volatile storage differ, and how to verify cleanup with journalctl.

Understanding Journal Storage Modes

Before setting limits, it is essential to understand where the journal stores its logs. systemd-journald supports two primary storage modes, defined by the Storage= directive in journald.conf.

1. Volatile Storage (/run/log/journal)

Volatile storage keeps logs in a temporary filesystem, typically tmpfs or a memory-backed directory. Logs stored here are lost upon system reboot.

  • Use Case: Highly temporary logs, resource-constrained environments where persistent history is not needed.
  • Configuration: Set Storage=volatile.

2. Persistent Storage (/var/log/journal)

Persistent storage ensures logs survive system reboots, making it the standard choice for servers and production systems. The directory /var/log/journal is created if it does not already exist.

  • Use Case: Production systems requiring audit trails and historical analysis.
  • Configuration: Set Storage=persistent or Storage=auto (default, which activates persistent storage if /var/log/journal exists).

Tip: If the system is configured for Storage=auto and /var/log/journal does not exist, logs will default to volatile storage until the persistent directory is created.

The Primary Configuration File

All primary limits and behaviors for systemd-journald are controlled via the main configuration file, usually located at /etc/systemd/journald.conf.

# Edit the main configuration file
sudo nano /etc/systemd/journald.conf

To ensure future package updates do not overwrite your customizations, it is a best practice to create an override file in the directory /etc/systemd/journald.conf.d/. For example, create /etc/systemd/journald.conf.d/01-custom-limits.conf.

Implementing Size Limits for Disk Optimization

The most common method for controlling journal growth is setting maximum disk usage limits. When the specified size is exceeded, journald automatically begins deleting the oldest archived logs until the limit is met.

SystemMaxUse (The Absolute Persistent Limit)

This directive defines the maximum total disk space the persistent journal files (/var/log/journal) may occupy. This is the primary mechanism for controlling persistent disk usage.

Journal files will be rotated and cleaned up if the total size exceeds this value. Common units include K (kilobytes), M (megabytes), G (gigabytes), and T (terabytes).

Directive Description Example Value
SystemMaxUse Max size for persistent journal data. 500M or 2G

Example Configuration:

To limit persistent journal storage to a maximum of 1 Gigabyte:

[Journal]
SystemMaxUse=1G

SystemKeepFree (Disk Safety Buffer)

While SystemMaxUse sets a cap, SystemKeepFree acts as a crucial safety measure. It specifies the minimum amount of disk space that should remain free on the filesystem containing the journal files.

If the available free space drops below the SystemKeepFree value, journald will clean up logs, even if the SystemMaxUse limit has not yet been hit. This prevents log growth from completely filling the disk and halting critical system operations.

Directive Description Example Value
SystemKeepFree Minimum free space required on the journal filesystem. 10% or 4G

Best Practice: It is highly recommended to set both SystemMaxUse and SystemKeepFree. Use a percentage (%) for SystemKeepFree on large drives for better scalability.

RuntimeMaxUse (Volatile Storage Limit)

If you are using volatile storage (/run/log/journal), or if you are interested in controlling the memory/tmpfs usage even with persistent storage enabled, use RuntimeMaxUse. This controls the disk space used by volatile journal files, which are temporary and reside in memory or tmpfs.

Directive Description Example Value
RuntimeMaxUse Max size for volatile journal data. 300M

Implementing Time Limits for Log Retention

Size-based limits ensure disk space is maintained, but they do not guarantee how old the logs are. If log volume is low, logs might persist indefinitely. Time-based limits ensure logs are rotated out after a specific duration, regardless of total size.

MaxRetentionSec

This directive specifies the maximum time logs should be retained. Any logs older than this duration will be automatically purged, complementing the size limits.

Directive Description Example Value
MaxRetentionSec Maximum age of logs to keep. 30 days, 1 month, 2 weeks

Example Configuration:

To ensure logs are never older than 30 days and the total persistent storage never exceeds 5 Gigabytes:

[Journal]
Storage=persistent
SystemMaxUse=5G
SystemKeepFree=10%
MaxRetentionSec=30 days

Note: If MaxRetentionSec is set to 30 days and SystemMaxUse is set to 5G, journald will adhere to the limit that is hit first. If the 5G limit is hit in 10 days, logs older than 10 days are purged, overriding the 30-day retention policy.

Practical Steps: Applying and Verifying Configuration

1. Check Current Journal Usage

Before making changes, check the current disk usage of the journal:

journalctl --disk-usage

Example Output:

Journals take up 3.4G of disk space.

2. Configure Limits

Edit /etc/systemd/journald.conf (or your override file) and uncomment/set the desired directives. For example, to ensure 500MB max usage and 30-day retention:

[Journal]
Storage=persistent
SystemMaxUse=500M
SystemKeepFree=1G
MaxRetentionSec=30 days

3. Restart the Journal Service

For the changes to take effect, the systemd-journald service must be restarted. This does not affect active logging, but it tells the daemon to immediately apply the new size constraints and start the cleanup process.

sudo systemctl restart systemd-journald

4. Manually Force Cleanup

If disk space needs to be reclaimed immediately based on the new limits, the service restart is often sufficient. Alternatively, you can explicitly clean up files using journalctl.

To clean logs to reclaim space, leaving only the last 500MB:

sudo journalctl --vacuum-size=500M

To clean logs older than 7 days:

sudo journalctl --vacuum-time=7d

Summary of Key Directives

Directive Scope Purpose
Storage Global Defines storage location (persistent, volatile, auto).
SystemMaxUse Persistent (/var/log/journal) Absolute maximum total size for persistent logs.
SystemKeepFree Persistent (/var/log/journal) Ensures a minimum amount of free disk space remains.
RuntimeMaxUse Volatile (/run/log/journal) Absolute maximum total size for volatile (runtime) logs.
MaxRetentionSec Both Defines the maximum age for retained logs.

Takeaway

Set journal limits before logs become an outage. For most servers, use a drop-in under /etc/systemd/journald.conf.d/, set SystemMaxUse plus SystemKeepFree, add MaxRetentionSec if you have a retention target, restart systemd-journald, and confirm the result with journalctl --disk-usage.