6.1.1.3 Ensure journald log file rotation is configured

Information

Journald includes the capability of rotating log files regularly to avoid filling up the system with logs or making the logs unmanageably large. The file /etc/systemd/journald.conf is the configuration file used to specify how logs generated by Journald should be rotated.

By keeping the log files smaller and more manageable, a system administrator can easily archive these files to another system and spend less time looking through inordinately large log files.

Solution

Edit /etc/systemd/journald.conf or a file ending in .conf in the /etc/systemd/journald.conf.d/ directory. Set the following parameters in the [Journal] section to ensure logs are rotated according to site policy. The settings should be carefully understood as there are specific edge cases and prioritization of parameters.

Example Configuration:

[Journal]
SystemMaxUse=1G
SystemKeepFree=500M
RuntimeMaxUse=200M
RuntimeKeepFree=50M
MaxFileSec=1month

Example script to create systemd drop-in configuration file:

{
   # Rotation settings to write into the drop-in file
   a_settings=("SystemMaxUse=1G" "SystemKeepFree=500M" "RuntimeMaxUse=200M" "RuntimeKeepFree=50M" "MaxFileSec=1month")
   # Create the drop-in directory if it does not exist yet
   [ ! -d /etc/systemd/journald.conf.d/ ] && mkdir /etc/systemd/journald.conf.d/
   # Add the [Journal] header only if the drop-in file does not already have one
   if grep -Psq -- '^\h*\[Journal\]' /etc/systemd/journald.conf.d/60-journald.conf; then
      printf '%s\n' "" "${a_settings[@]}" >> /etc/systemd/journald.conf.d/60-journald.conf
   else
      printf '%s\n' "" "[Journal]" "${a_settings[@]}" >> /etc/systemd/journald.conf.d/60-journald.conf
   fi
}

Note:

- If these settings appear in a canonically later file, or later in the same file, the setting will be overwritten
- Logfile size and configuration to move logfiles to a remote log server should be accounted for when configuring these settings

Run the following command to update the parameters in the service:

# systemctl reload-or-restart systemd-journald
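
To confirm which value takes effect once drop-ins are in place (the note above on later files overriding earlier ones), the following check is an added example and not part of the benchmark. It assumes only the main file and one drop-in directory are consulted; the function names and the sample tree, including 90-site.conf, are hypothetical and constructed for illustration.

```bash
# Added example, not part of the benchmark. Arguments: main config file, drop-in dir, key.
# Prints "value<TAB>file" for the last assignment of KEY in a [Journal] section.
journald_effective() {
    local main_conf=$1 dropin_dir=$2 key=$3 f LC_ALL=C
    set --
    if [ -f "$main_conf" ]; then set -- "$main_conf"; fi
    # Drop-ins are read after the main file, in lexicographic filename order.
    for f in "$dropin_dir"/*.conf; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    [ $# -gt 0 ] || return 1
    awk -v key="$key" '
        FNR == 1 { section = "" }      # a section header does not carry across files
        /^[ \t]*\[.*\][ \t]*$/ {
            section = $0
            sub(/^[ \t]*\[/, "", section); sub(/\][ \t]*$/, "", section); next
        }
        section == "Journal" && (eq = index($0, "=")) > 0 {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { val = v; src = FILENAME; found = 1 }
        }
        END { if (!found) exit 1; print val "\t" src }
    ' "$@"
}

# Check the five parameters from the example configuration; non-zero if any is unset.
journald_rotation_audit() {
    local key result rc=0
    for key in SystemMaxUse SystemKeepFree RuntimeMaxUse RuntimeKeepFree MaxFileSec; do
        if result=$(journald_effective "$1" "$2" "$key"); then
            printf 'PASS %s = %s\n' "$key" "$result"
        else
            printf 'FAIL %s is not set\n' "$key"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the main file and 60-journald.conf are overridden by 90-site.conf.
make_sample_tree() {
    local d; d=$(mktemp -d); mkdir "$d/journald.conf.d"
    printf '%s\n' '[Journal]' 'SystemMaxUse=4G' > "$d/journald.conf"
    printf '%s\n' '[Journal]' 'SystemMaxUse=1G' 'SystemKeepFree=500M' \
        'RuntimeMaxUse=200M' 'RuntimeKeepFree=50M' > "$d/journald.conf.d/60-journald.conf"
    printf '%s\n' '[Journal]' 'SystemMaxUse=2G' > "$d/journald.conf.d/90-site.conf"
    printf '%s\n' "$d"
}
tree=$(make_sample_tree); journald_rotation_audit "$tree/journald.conf" "$tree/journald.conf.d" || true; rm -rf "$tree"
```

On a live system, run journald_rotation_audit /etc/systemd/journald.conf /etc/systemd/journald.conf.d and review the file reported next to each value.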

See Also

https://workbench.cisecurity.org/benchmarks/18959