Very large log files, what should I do?

Simply delete these files and then reboot?

No. Empty them but do not use rm because it could end up crashing something while you are typing the touch command to recreate it.

Shortest method:

    cd /var/log
    sudo su
    > lastlog
    > wtmp
    > dpkg.log
    > kern.log
    > syslog
    exit

If not root it will require sudo. Taken from another answer on AU.

BEFORE YOU DO THAT. Do a tail {logfile} and check if there is a reason for them to be so big. Unless this system is several years old there should be no reason for this and fixing the problem is better than letting this go on.

Both kern.log and syslog should normally not be that big. But like I said: if this system has been up and running for years and years it might be normal and the files just need to be cleared.

And to prevent it from becoming that big in the future: set up logrotate. It is pretty straightforward and will compress the logfile when it becomes bigger than a size you set it to.


One other thing: if you do not want to delete the contents you can compress the files by tarring or gzipping them. That will have you end up with files probably 10% of what they are now. That is if there is still room on the disk to do that.


It's probably worth trying to establish what is filling the log(s) - either by simply examining them visually using the less or tail command

    tail -n 100 /var/log/syslog

or if the offending lines are too deeply buried to easily see what's occurring, something like

    for log in /var/log/{dmesg,syslog,kern.log}; do
      echo "${log} :"
      sed -e 's/\[[^]]\+\]//' -e 's/.*[0-9]\{2\}:[0-9]\{2\}:[0-9]\{2\}//' "${log}" \
      | sort | uniq -c | sort -hr | head -10
    done

(note: this may take some time, given such large files) which will attempt to strip off the timestamps and then count the most frequently occurring messages.


My method for cleaning system log files is this. Steps 1 and 2 are optional, but sometimes you need to check older logs and a backup is sometimes useful. ;-)

  1. Optional: Copy log file

    cp -av --backup=numbered file.log file.log.old
    
  2. Optional: Use Gzip on copy of log

    gzip file.log.old
    
  3. Use /dev/null to clean the file

    cat /dev/null > file.log
    

And for these logs (only on several servers) we use logrotate and a weekly cron script that compresses all files matching *.1 (or the next rotated ones) with gzip.
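
The copy, compress and empty steps from the answer above, combined into one shell function as an added example (not code from any of the answers). The name `archive_and_truncate` is hypothetical; it assumes `gzip`, `df` and `awk` are available, checks free space first, and empties the log only after the archive passes `gzip -t`, so the old entries stay available for later review.

```shell
#!/bin/sh
# Added example: archive a log as a verified gzip copy, then empty it in place.
# archive_and_truncate is a hypothetical helper name, not a standard tool.
# Variables are global because POSIX sh has no "local".

archive_and_truncate() {
    log=$1
    [ -f "$log" ] || { echo "not a regular file: $log" >&2; return 1; }

    # Worst case the compressed copy is as large as the original, so require
    # that much free space on the log's filesystem before starting.
    need_kb=$(( ($(wc -c < "$log") + 1023) / 1024 ))
    free_kb=$(df -Pk "$(dirname "$log")" | awk 'NR==2 {print $4}')
    if [ "${free_kb:-0}" -lt "$need_kb" ]; then
        echo "not enough free space to archive $log" >&2
        return 2
    fi

    archive="$log.$(date +%Y%m%dT%H%M%S).gz"
    [ -e "$archive" ] && { echo "archive exists: $archive" >&2; return 3; }

    # Compress straight from the live file; no uncompressed second copy needed.
    # umask 077 keeps the archive private, since logs often hold sensitive data.
    ( umask 077; gzip -c "$log" > "$archive" ) || { rm -f "$archive"; return 4; }

    # Only discard the original once the archive passes an integrity check.
    gzip -t "$archive" || { rm -f "$archive"; return 5; }

    # Truncate in place: the inode is unchanged, so a daemon holding the file
    # open keeps writing to it. Lines written between gzip and here are lost.
    : > "$log"
    printf '%s\n' "$archive"
}
```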


I installed Ubuntu 16.04 today and I noticed the same problem. However, I fixed this with busybox-syslogd. Yup! I've just installed that package and the problem has been solved. :)

    $ sudo apt-get install busybox-syslogd

After installing that package, reset syslog and kern.log:

    sudo tee /var/log/syslog /var/log/kern.log </dev/null

I hope this simple solution is useful to other people around.