How can I free space from a massive 39.5GB /var/log/ folder?
I just got a message from the default disk analyses software (Baobab)
that I only have 1GB left on the hard drive. After some search, I found that the /var/log/
folder is the cause of this.
Some file/sizes in /var/log/
:
- kern.log = 12.6 GB
- ufw.log = 12.5 GB
- kern.log.1 = 6.1 GB
- ufw.log.1 = 6.0 GB
Et cetera et cetera. /var/log
is huge.
Can I delete those files or the entire /var/log
folder? Or is that a BIG NO NO in Ubuntu?
Solution 1:
You must not remove the entire folder but you can remove "Old-Packed" log files without harming your system.
For a typical home user, it's safe to remove any log file that is compressed and has a .gz extension (as you can see in the picture).
These compressed log files are old logs that are gzipped to reduce storage space, and as an average user, you don't need them.
Solution 2:
I wouldn't delete the entire /var/log folder - that will break things.
You could just destroy the logs as @jrg suggests - but unless the things writing to the log files (mostly syslogd) are restarted that won't actually regain you any disk space, as the files will continue to exist in a deleted state until the filehandles are closed.
Better would be to find out why the logs aren't being rotated (and later deleted). logrotate is supposed to do this for you, and I suspect it's not being run each night as it should.
First thing I would do would be:
sudo /etc/cron.daily/logrotate
This should rotate the log files (so kern.log becomes kern.log.1); and you can then delete kern.log.1 etc to free up the disk space.
If everything is good so far, the next question is why this isn't happening automatically. If you turn your computer off at night, make sure you have anacron installed.
Solution 3:
You should look at the logs and see what is getting written to them. My guess is ufw/iptables (you are logging all network traffic).
ufw - when you log all packets, you will get large logs. If you are not going to review the logs, turn logging off. If you wish to monitor your network, use snort. Snort will filter through the thousands of packets you receive and alert you to potentially problematic traffic.
My guess it that ufw is the culprit and you are getting a large log in kern.log because you are logging packets there as well.
Sometimes there is a kernel or hardware problem that fills the logs. In that event it is best to fix the problem or file a bug, you will need to review the logs to do that.
If you can not fix the problem, you can configure syslog to as to not fill your logs.
See http://manpages.ubuntu.com/manpages/precise/man5/syslog.conf.5.html
If you provide more details on the problem we can help debug it better.
Solution 4:
DISCLAIMER: I am not an expert on this, use at own risk!
After finding that my /var/log/journal
folder was taking several GB, I followed:
https://ma.ttias.be/clear-systemd-journal/
journalctl --vacuum-time=10d
which cleared 90%+ of it
Solution 5:
Deleting /var/log
is probably a bad idea, but deleting the individual logfiles should be OK.
On my laptop, with a smallish SSD disk, I set up /var/log
(and /tmp
and /var/tmp
) as tmpfs
mount points, by adding the following lines to /etc/fstab
:
temp /tmp tmpfs rw,mode=1777 0 0
vartmp /var/tmp tmpfs rw,mode=1777 0 0
varlog /var/log tmpfs rw,mode=1777 0 0
This means that nothing in those directories survives a reboot. As far as I can tell, this setup works just fine. Of course, I lose the ability to look at old logs to diagnose any problems that might occur, but I consider that a fair tradeoff for the reduced disk usage.
The only problem I've had is that some programs (most notably APT) want to write their logs into subdirectories of /var/log
and aren't smart enough to create those directories if they don't exist. Adding the line mkdir /var/log/apt
into /etc/rc.local
fixed that particular problem for me; depending on just what software you have installed, you may need to create some other directories too.
(Another possibility would be to create a simple tar
archive containing just the directories, and to untar it into /var/log
at startup to create all the needed directories and set their permissions all at once.)