Logging (Events) in Linux

/var/log/kern.log and /var/log/syslog Keep Growing

It's /var/log/kern.log and /var/log/syslog that are responsible for root partition bloat.

I run:

sudo systemctl stop syslog

This fixes the issue for the time being.

Or even

sudo systemctl disable syslog

A Short Method

Create a shell script, e.g. refresh.sh, and save the following code in it:

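# Overwrite both log files in place (each is left holding a single empty line)
echo "" > /var/log/kern.log
echo "" > /var/log/syslog
# Restart the syslog daemon so it continues writing to the emptied files
service syslog restart
# Shrink the systemd journal to at most 50M
journalctl --vacuum-size=50M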

Run it as root, e.g. sudo sh refresh.sh

It will clear the logs from

  • /var/log/syslog
  • /var/log/kern.log
  • /run/log/journal (archived journal files are removed until they take up at most 50M)

Safer Log Bloat Fix

Instead, here is a safer method that lets you keep the log files, reclaim disk space, and stop the log files from growing like this again.

  1. Safely clear the logs: after looking at (or backing up) the logs to identify your system's problem, clear them by typing > /var/log/syslog (including the >). You may need to be the root user for this, in which case enter sudo su, then your password, and then the above command.
  2. Then restart the syslog service (either systemctl restart syslog or service syslog restart).
  3. Then, you can force the logs to rotate and delete automatically if they reach a certain size, using logrotate. In this case you can edit the config (/etc/logrotate.d/rsyslog) and add one line:

    /var/log/syslog
    {
        rotate 7
        daily
        # add this line
        maxsize 1G
        missingok
        notifempty
        delaycompress
        compress
        postrotate
            /usr/lib/rsyslog/rsyslog-rotate
        endscript
    }

    This will force your syslog to "rotate" (i.e., create a new log file and archive the previous log file) after either 1 day or when the file becomes 1GB, whichever comes first. Note that rotate 7 means your system will only keep 7 total syslog backups, so it can only ever take up 7GB of space.

    Note: you can change maxsize, rotate N, and other settings to customize your logs -- use the command man logrotate to see more.

  4. While you're at it, you may want to add the same setting in the second part of the file, which governs the behavior of other log files (e.g. kern.log for kernel events, auth.log for authentication events, etc.). This setting will make it so that each of these other log files will only take 4GB in total:

    ...
    {
        rotate 4
        weekly
        maxsize 1G
    ...
    }

    This will allow your system to keep logging events without them filling your disk.
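
Step 1 above says to back up the logs before clearing them. The script below is an added example, not part of the original page: it archives a log together with a SHA-256 of its content, verifies the archive, and only then truncates the file in place. BACKUP_DIR and archive_and_truncate are names assumed for illustration.

```shell
#!/bin/sh
# Added example: archive a log before truncating it, so the events that
# caused the bloat stay available for later analysis.
# BACKUP_DIR and the function name are assumptions, not from the original page.
BACKUP_DIR="${BACKUP_DIR:-/var/backups/logs}"

# archive_and_truncate FILE
# Prints the path of the archive on success, returns non-zero on any failure.
# The file is emptied only after the archive has been written and verified.
archive_and_truncate() {
    log="$1"
    [ -f "$log" ] || { echo "skip: $log is not a regular file" >&2; return 1; }
    mkdir -p "$BACKUP_DIR" || return 1
    stamp=$(date +%Y%m%dT%H%M%S)
    dest="$BACKUP_DIR/$(basename "$log").$stamp.gz"

    # Compress a copy; the original is not touched yet.
    gzip -c "$log" > "$dest" || { rm -f "$dest"; return 1; }
    # Refuse to truncate if the archive does not pass gzip's integrity test.
    gzip -t "$dest" || { rm -f "$dest"; return 1; }
    # Record a hash of the archived content so later tampering is detectable.
    gzip -dc "$dest" | sha256sum | cut -d' ' -f1 > "$dest.sha256"
    # Logs can hold sensitive data: keep the copies readable by the owner only.
    chmod 600 "$dest" "$dest.sha256"

    # Truncate in place: the file and its inode stay, so the syslog daemon's
    # open handle remains valid. Lines written between the copy and this
    # point are not in the archive.
    : > "$log"
    echo "$dest"
}

# Run as root with the files to process, e.g.:
#   sudo sh archive-logs.sh /var/log/syslog /var/log/kern.log
for f in "$@"; do
    archive_and_truncate "$f" || exit 1
done
```

Restart the syslog service afterwards as in step 2, and move the archives off the root partition if the aim is to free space there.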