Friday, May 3, 2024
Homepage · filesystem
 Popular · Latest · Hot · Upcoming
81
rated 0 times [  81] [ 0]  / answers: 1 / hits: 178083  / 3 Years ago, thu, june 24, 2021, 4:47:03

(This question deals with a similar issue, but it talks about a rotated log file.)



Today I got a system message regarding very low /var space.



As usual I executed the commands in the line of sudo apt-get clean which improved the scenario only slightly. Then I
deleted the rotated log files which again provided very little improvement.



Upon examination I find that some log files in the /var/log has grown up to be very huge ones. To be specific, ls -lSh /var/log gives,




total 28G

-rw-r----- 1 syslog            adm      14G Aug 23 21:56 kern.log

-rw-r----- 1 syslog            adm      14G Aug 23 21:56 syslog

-rw-rw-r-- 1 root              utmp    390K Aug 23 21:47 wtmp

-rw-r--r-- 1 root              root    287K Aug 23 21:42 dpkg.log

-rw-rw-r-- 1 root              utmp    287K Aug 23 20:43 lastlog



As we can see, the first two are the offending ones. I am mildly surprised why such large files have not been rotated.



So, what should I do? Simply delete these files and then reboot? Or go for some more prudent steps?



I am using Ubuntu 14.04.



UPDATE 1



To begin with, the system is only several months old. I had to install the system from scratch couple of months back after a hard disk crash.



Now, as advised in this answer,
I first checked the offending log files using tail, no surprise there. Then, for deeper inspection, I executed this script from the same answer.



for log in /var/log/{syslog,kern.log}; do 

  echo "${log} :"

  sed -e 's/[[^]]+]//' -e 's/.*[0-9]{2}:[0-9]{2}:[0-9]{2}//' ${log} 

  | sort | uniq -c | sort -hr | head -10

done


The process took several hours.
The output was in the line of,




/var/log/syslog :

71209229  Rafid-Hamiz-Dell kernel:  sda3: rw=1, want=7638104968240336200, limit=1681522688

53929977  Rafid-Hamiz-Dell kernel:  attempt to access beyond end of device

17280298  Rafid-Hamiz-Dell kernel:  attempt to access beyond end of device

   1639  Rafid-Hamiz-Dell kernel:  EXT4-fs warning (device sda3): ext4_end_bio:317: I/O error -5 writing to inode 6819258 (offset 0 size 4096 starting block 54763121030042024)

       <snipped>



/var/log/kern.log.1 :

71210257  Rafid-Hamiz-Dell kernel:  attempt to access beyond end of device

71209212  Rafid-Hamiz-Dell kernel:  sda3: rw=1, want=7638104968240336200, limit=1681522688

   1639  Rafid-Hamiz-Dell kernel:  EXT4-fs warning (device sda3): ext4_end_bio:317: I/O error -5 writing to inode 6819258 (offset 0 size 4096 starting block 954763121030042024)



(/dev/sda3 is my home directory. As we can find,




lsblk /dev/sda

NAME   MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT

sda      8:0    0 931.5G  0 disk 

├─sda1   8:1    0 122.1G  0 part /

├─sda2   8:2    0   7.6G  0 part [SWAP]

└─sda3   8:3    0 801.8G  0 part /home



Why a process will want to write beyond the limit is actually outside the scope of my comprehension. Perhaps I will want to ask a different question in this forum if this
continues even after a system update.)



Then, from this answer (you may want to check this for a deeper understanding), I
executed, 



sudo su -

> kern.log

> syslog


Now, these files have zero sizes. The system is running fine before and after a reboot.



I will watch these files (along with others) in the next few days and report back should

they behave out-of-line.



As a final note, both the offending files (kern.log and syslog), are set to be rotated, as inspection of the files (grep helped) inside
/etc/logrotate.d/ shows.



UPDATE 2



The log files are actually rotated. Looks like the large sizes were attained on a single day.


More From » filesystem
 Answers
0

Simply delete these files and then reboot?



No. Empty them but do not use rm because it could end up crashing something while you are typing the touch command to recreate it.


Shortest method:


cd /var/log

sudo su

> lastlog

> wtmp

> dpkg.log 

> kern.log

> syslog

exit

If not root it will require sudo. Taken from another answer on AU.


BEFORE YOU DO THAT. Do a tail {logfile} and check if there is a reason for them to be so big. Unless this system is several years old there should be no reason for this and fixing the problem is better than letting this go on.


Both kern.log and syslog should normally not be that big. But like I said: if this system is up and running for years and years it might be normal and the files just need to be cleared.


And to prevent it to become that big in the future: setup logrotate. It is pretty straightforward and will compress the logfile when it becomes bigger then a size you set it to.



1 other thing: if you do not want to delete the contents you can compress the files by tarring or gzipping them. That will have you end up with files probably 10% of what they are now. That is if there is still room on the disk to do that.


[#23513] Friday, June 25, 2021, 3 Years  [reply] [flag answer]
Only authorized users can answer the question. Please sign in first, or register a free account.
ampust
Add To Favorites
Follow
Total Points: 133
Total Questions: 109
Total Answers: 111
Location: Reunion
Member since Fri, Jul 22, 2022
2 Years ago
;