City College of San Francisco - CS260A Unix/Linux System Administration Module: rsyslog
journald is the general logging daemon that is part of systemd. Known formally as systemd-journald, it is the focal point for all system logging, apparently intercepting messages destined for rsyslog as well. Seasoned Linux administrators might think of journald as a souped-up kernel logger, which has suddenly taken a central role as the arbiter of all system messages.
journald still passes messages on to rsyslog, both the messages that are destined for it (and come through the traditional syslog() library function) and some messages that originate in systemd itself. In particular, the systemd messages (that are logged with the tag 'systemd') are logged through the daemon facility.
The man pages on systemd are surprisingly good. The reader is referred there for complete (and up-to-date) details, and the most interesting ones are mentioned below. The remainder of this page will be an overview of my limited insight into journaling.
Persistence
Besides the added verbosity of logging that came with the introduction of systemd (which is not a bad thing), the biggest change from traditional logging is log persistence. Although messages which pass through to rsyslog are still squirreled away in the appropriate files, other journald messages are kept in memory only by default (under /var/log), so they disappear at reboot. This can be changed in journald's configuration file (/etc/systemd/journald.conf) using the Storage= option (see journald.conf(5)). In a nutshell, assuming the default option is set to auto, you can force journal persistence by simply creating the directory /var/log/journal. Journals are binary, however, and must still be translated to text by journalctl.
Again in journald.conf, a setting indicates how journals are split into files. By default the split is done by login, so a separate journal is created for each login. (The allocation rules for these files are very strange: they are allocated in big chunks, 8MiB at a time.) Settings in journald.conf govern how much information is saved in files. I believe the default is 10% of the underlying filesystem (the /var partition if it is separated; the / partition if it is not!)
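Whether the journal survives a reboot decides whether earlier events can still be reviewed after an incident, so it is worth checking on each host. The shell function below is an added example, not part of the original course notes: it applies the Storage= rules from journald.conf(5) to report the effective mode. The function name and the optional ROOT prefix are hypothetical, and it assumes only the main configuration file matters (drop-ins under journald.conf.d/ are not merged).

```shell
#!/bin/sh
# Added example: report where journald will keep its logs.
# Assumption: only the main config file is read; drop-in files in
# journald.conf.d/ are ignored here.

# journal_storage_mode CONF_FILE [ROOT]
# Prints one of: persistent, volatile, none.
# ROOT is a hypothetical path prefix so the check can run against a test tree.
journal_storage_mode() {
    conf=$1
    root=${2:-}
    setting=auto                  # journald's default when Storage= is unset
    if [ -r "$conf" ]; then
        # Use the last uncommented Storage= line; tolerate spaces around '='.
        value=$(awk -F= '
            /^[ \t]*[#;]/ { next }
            { key = $1; gsub(/[ \t]/, "", key) }
            key == "Storage" { v = $2; gsub(/[ \t]/, "", v); last = v }
            END { print last }' "$conf")
        if [ -n "$value" ]; then setting=$value; fi
    fi
    case $setting in
        persistent) echo persistent ;;
        volatile)   echo volatile ;;
        none)       echo none ;;
        auto)
            # auto: persistent only when the journal directory already exists
            if [ -d "$root/var/log/journal" ]; then
                echo persistent
            else
                echo volatile
            fi ;;
        *)  echo "unknown Storage= value: $setting" >&2
            return 1 ;;
    esac
}

# Check the running system (prints volatile if neither file nor directory exist).
journal_storage_mode /etc/systemd/journald.conf
```

A result of volatile or none means journal entries that were not also passed to rsyslog are gone after the next reboot.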
Displaying the journal
You can display the journal using journalctl. Without arguments, it displays the entire journal, from oldest to newest. Besides just grep-ing the output, here are some helpful journalctl commands:
journalctl -n 40 - display the most recent 40 entries
journalctl --file=/var/log/journal/*/user-100.journal - display the journal saved in this file
journalctl --since=time1 and/or --until=time2 - see journalctl(1) for valid time formats
journalctl _SYSTEMD_UNIT=gdm.service - display the journal entries of gdm.service. In general, using the command FIELD=value will search for the indicated field and value; see systemd.journal-fields(7) for the fields you can use for searching.
journald's configuration file can be found at /etc/systemd/journald.conf