1839153 Members
3135 Online
110136 Solutions
New Discussion

Re: cleaning up /var

 
Waqar Razi
Regular Advisor

cleaning up /var

I have a question about cleaning up of /var on linux. Like we trim the syslog.log and other log files in hpux and then just save the old ones in compressed form. What approach we should adopt in RHEL because in RHEL, they have /var/log/message, message1, 2, and 3. What other things can we check if we are cleaning up /var on RHEL.

8 REPLIES 8
Waqar Razi
Regular Advisor

Re: cleaning up /var

Just to add some thing to my post,

-rw-r----- 1 root root 370199688 Oct 14 11:28 messages
-rw-r----- 1 root root 785214202 Oct 11 04:07 messages.1
-rw-r----- 1 root root 790338206 Oct 4 04:07 messages.2
-rw-r----- 1 root root 790509595 Sep 27 04:07 messages.3
-rw-r----- 1 root root 790481660 Sep 20 04:07 messages.4
Ivan Ferreira
Honored Contributor

Re: cleaning up /var

In RHEL the logrotate program is used to rotate/keep versions of your file. In the logrotate.conf you can specify how much versions you want to keep, and other files to rotate.

You should also check /var/spool/ directory, there are some "spool" files like mail and printing files that should be handled. For example, if no one ever reads that root mail, you will have a big file there.

Just run du -sh * in the /var directory to identify where you get the most big directory.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
D. Jackson_1
Honored Contributor

Re: cleaning up /var

Do a du -sk /var and go from there.
Probably some stuff under /var/spool/up2date.
Runar Jørgensen
Frequent Advisor

Re: cleaning up /var

There should also be some available space occupied by the rpm database. The database can be trimmed if you know how, e.g. redundant, i.e. old, versions of packages could be removed from the database. Unfortunately, I'm not too familiar with how. But perhaps the forum can aid.

loco_vikide
Frequent Advisor

Re: cleaning up /var

Hello,

First, modify the config file /etc/logrotate.conf. Turn on "compress" feature, change "rotate" value, "minsize" value and "weekly" log rotate value to fit your needs.

Take a look at directory /var/log and decide which logs you want to trim on frequent basis. Most to all of them could be trimmed. Then add the log file entries in the config file /etc/logrotate.d/syslog

Run the find command against "/var" mount point to discover other log files that could be candidates for trimming.

Run man logrotate command for more info on logrotate function.

Cheers.


Ralph Grothe
Honored Contributor

Re: cleaning up /var

Like Ivan mentioned,
almost any Linux distro today uses the logrotate program for rotation of most of the log files on their system (of which most will be found in subdirs named according to their services beneath /var/log)

Especially, on RHEL systems you have the main configuration in /etc/logrotate.conf which merely is a stub for global settings and the wtmp file.

Here, for instance is mine, which is almost the original as installed (except for the tabooext entries)

# grep ^[^#] /etc/logrotate.conf
weekly
rotate 4
create
tabooext + .dormant .deferred .stalled
include /etc/logrotate.d
/var/log/wtmp {
monthly
create 0664 root utmp
rotate 1
}


As you can see, it globally defines to keep 4 rotated generations of log files (unless overridden in a later curly bracketed section.
Also note that this global config includes all files that don't end in tabooext suffixes from the directory /etc/logrotate.d,
and this is the place where you will find more specific definitions for most of the services that keep log files.
For instance, the messages file's rotation is defined in /etc/logrotate.d/syslog

# cat /etc/logrotate.d/syslog
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}

As you can see, all the files listed to the left of the opening curly bracket will be affected by what follows in the block.

If you wish to have your rotate log files to be compressed just place the "compress" keyword in the block, and if you want to keep fewer than 4 generations insert an e.g. "rotate 2" there (rotate 0 would keep no old copies)
As you can see from the timestamps of your rotate logs the global default of "weekly" rotations applies.
If you require more frequent rotations put the "daily" keyword in the syslog's config block.

There are lots of further keywords that influence the rotation scheme.
Please consult "man logrotate".

The execution of logrotate is controlled by cron.
In the system's main crontab you will find these entries

# grep run-parts /etc/crontab
# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly


of which /etc/cron.daily/logrotate eventually executes the logrotate command on a daily basis


# cat /etc/cron.daily/logrotate
#!/bin/sh

/usr/sbin/logrotate /etc/logrotate.conf
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
/usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
exit 0


After your changes to any of the logrotate config files you ought to run a pre-flight check by issuing e.g.

# /usr/sbin/logrotate -d /etc/logrotate.conf

The debug option will only examine which files would be due to a be rotated and print what it would do but actually wouldn't touch any of the files.

Madness, thy name is system administration
d_allen111
Advisor

Re: cleaning up /var

Ralph - Would you please show an example how you would add the "compress" and "Daily" within the block in syslog you've mentioned??

I am very interested in learning more on how we can rotate these log files and compressed them as needed.

Thanks,

David


cat /etc/logrotate.d/syslog
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}

Johnson Punniyalingam
Honored Contributor

Re: cleaning up /var

Hi Waqar Razi,

Can you Check "MS Power point" attachment file

which has been created by "Dusan Baljevic
"

which give better picture how to maintain System Logs

Thanks,
Johnson
Problems are common to all, but attitude makes the difference