How can I free space from a massive 39.5GB /var/log/ folder?

disk-usage logging

I just got a message from the default disk analyses software (Baobab) that I only have 1GB left on the hard drive. After some search, I found that the /var/log/ folder is the cause of this.

Some file/sizes in /var/log/:

  • kern.log = 12.6 GB
  • ufw.log = 12.5 GB
  • kern.log.1 = 6.1 GB
  • ufw.log.1 = 6.0 GB

Et cetera et cetera. /var/log is huge.

Can I delete those files or the entire /var/log folder? Or is that a BIG NO NO in Ubuntu?


Solution 1:

You must not remove the entire folder but you can remove "Old-Packed" log files without harming your system.

For a typical home user, it's safe to remove any log file that is compressed and has a .gz extension (as you can see in the picture).

These compressed log files are old logs that are gzipped to reduce storage space, and as an average user, you don't need them.

Select .gz extention

Solution 2:

I wouldn't delete the entire /var/log folder - that will break things.

You could just destroy the logs as @jrg suggests - but unless the things writing to the log files (mostly syslogd) are restarted that won't actually regain you any disk space, as the files will continue to exist in a deleted state until the filehandles are closed.

Better would be to find out why the logs aren't being rotated (and later deleted). logrotate is supposed to do this for you, and I suspect it's not being run each night as it should.

First thing I would do would be:

sudo /etc/cron.daily/logrotate

This should rotate the log files (so kern.log becomes kern.log.1); and you can then delete kern.log.1 etc to free up the disk space.

If everything is good so far, the next question is why this isn't happening automatically. If you turn your computer off at night, make sure you have anacron installed.

Solution 3:

You should look at the logs and see what is getting written to them. My guess is ufw/iptables (you are logging all network traffic).

ufw - when you log all packets, you will get large logs. If you are not going to review the logs, turn logging off. If you wish to monitor your network, use snort. Snort will filter through the thousands of packets you receive and alert you to potentially problematic traffic.

My guess it that ufw is the culprit and you are getting a large log in kern.log because you are logging packets there as well.

Sometimes there is a kernel or hardware problem that fills the logs. In that event it is best to fix the problem or file a bug, you will need to review the logs to do that.

If you can not fix the problem, you can configure syslog to as to not fill your logs.

See http://manpages.ubuntu.com/manpages/precise/man5/syslog.conf.5.html

If you provide more details on the problem we can help debug it better.

Solution 4:

DISCLAIMER: I am not an expert on this, use at own risk!

After finding that my /var/log/journal folder was taking several GB, I followed:

https://ma.ttias.be/clear-systemd-journal/

journalctl --vacuum-time=10d

which cleared 90%+ of it

Solution 5:

Deleting /var/log is probably a bad idea, but deleting the individual logfiles should be OK.

On my laptop, with a smallish SSD disk, I set up /var/log (and /tmp and /var/tmp) as tmpfs mount points, by adding the following lines to /etc/fstab:

temp        /tmp        tmpfs   rw,mode=1777    0   0
vartmp      /var/tmp    tmpfs   rw,mode=1777    0   0
varlog      /var/log    tmpfs   rw,mode=1777    0   0

This means that nothing in those directories survives a reboot. As far as I can tell, this setup works just fine. Of course, I lose the ability to look at old logs to diagnose any problems that might occur, but I consider that a fair tradeoff for the reduced disk usage.

The only problem I've had is that some programs (most notably APT) want to write their logs into subdirectories of /var/log and aren't smart enough to create those directories if they don't exist. Adding the line mkdir /var/log/apt into /etc/rc.local fixed that particular problem for me; depending on just what software you have installed, you may need to create some other directories too.

(Another possibility would be to create a simple tar archive containing just the directories, and to untar it into /var/log at startup to create all the needed directories and set their permissions all at once.)

Related

How to bring back minimize and maximize buttons in Gnome 3
How to change LUKS passphrase?
Enable remote VNC from the commandline?
How to download youtube videos as a best quality audio mp3 using youtube-dl [duplicate]
How to install JDK sources?
How to find python installation directory on Ubuntu
KVM is not installed on this machine (/dev/kvm is missing)
command to check RAM slots in motherboard?
How do I make Thunderbird open links in Chromium?
How do I unmaximize full screen view in virt-manager?
Copy/paste and drag&drop not working in VMware machine with Ubuntu
How to access phpMyAdmin after installation?