Fix log file taking up all Linux drive space

Although Linux systems are notoriously compact, you may find that your disk space is suddenly running low. Why does this happen? The clue and possibly the biggest culprit will be found in your Linux system logs.

Why do logs take up so much disk space?

Logs are an important part of managing your Linux system. They let you see what's going on with your machine and fix problems that arise. Linux logging daemons are similar to Event Viewer on Windows. Logs usually don't take up much space, because most distributions automatically manage the amount of space they take up on your drive.

Linux logs used to be plain text files, but with many major distributions switching to systemd, they are binary files managed by journald, a systemd service. Additionally, your distribution will use rsyslog or syslog-ng.

Because old logs are no longer relevant and large archives can take up space, your system will often "cycle" them - archive, compress and finally delete them - to save disk space for the content you really want.

While you might not think logs take up much space, a malfunctioning process can fill up your logs faster than the system can cycle them.

If you check your disk space and find that you're suddenly running out of space even though you haven't downloaded any large files recently, it could be due to a problem with your Linux system logs. You'll have to figure out what's filling up your system logs and fix it.

You can check how much disk space your logs are using with the du -h command:

du -h /var/log

The output lists each subfolder, along with the total space it takes up.

Find your logs

If you use a modern Linux distribution with systemd, you will use the journalctl program to view your logs. journald typically stores logs in the /var/log/journal or /run/log/journal directory, depending on the distribution.

To view the log, type journalctl at the shell prompt. There are other useful command line options. To see boot messages, use the -b option:

journalctl -b

You can view system log messages in real time using the -f option.

If your distribution does not use systemd, you will find the logs in the /var/log directory. Even with systemd, some programs still store their logs in this directory. These are regular text files that you can examine with a utility like less.

For example, to read the system log:

less /var/log/syslog

You will see that the log file can contain thousands of lines.

You can also monitor it in real time using the -f option of the tail command:

tail -f /var/log/syslog
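To work out which program is filling a plain-text log such as /var/log/syslog, count lines and bytes per program tag rather than scrolling through the file. The script below is an added example, not part of the original article; the backupd service and the sample lines are constructed, and it assumes the traditional "Mon DD HH:MM:SS host program[pid]: message" line layout.

```shell
#!/usr/bin/env bash
# Added example: rank the programs writing to a syslog-format text log.

# noisy_sources FILE [N]
# Prints "lines bytes program" for the N programs (default 5) that wrote the
# most bytes to FILE, largest first. Assumes field 5 is "program[pid]:".
noisy_sources() {
    awk '
        NF >= 5 {
            tag = $5
            sub(/:$/, "", tag)           # drop the trailing colon
            sub(/\[[0-9]+\]$/, "", tag)  # drop the [pid] suffix
            lines[tag]++
            bytes[tag] += length($0) + 1 # +1 for the newline
        }
        END { for (t in lines) printf "%d %d %s\n", lines[t], bytes[t], t }
    ' "$1" | sort -k2,2nr -k3,3 | head -n "${2:-5}"
}

# Constructed sample: a hypothetical "backupd" service stuck in an error
# loop, next to normal cron and kernel traffic.
make_sample_log() {
    i=0
    while [ "$i" -lt 200 ]; do
        printf 'Mar  3 10:00:%02d host1 backupd[4242]: error: cannot open /mnt/backup: retrying\n' $((i % 60))
        i=$((i + 1))
    done
    printf 'Mar  3 10:01:00 host1 CRON[911]: (root) CMD (run-parts /etc/cron.hourly)\n'
    printf 'Mar  3 10:01:02 host1 kernel: eth0: link up\n'
    printf 'Mar  3 10:01:05 host1 CRON[912]: (root) CMD (logrotate /etc/logrotate.conf)\n'
}

# With a file argument, analyse that file; with none, run on the sample.
if [ -n "${1:-}" ]; then
    noisy_sources "$1" "${2:-5}"
else
    tmp=$(mktemp)
    make_sample_log > "$tmp"
    noisy_sources "$tmp"
    rm -f "$tmp"
fi
```

On the sample, backupd tops the list with 200 lines, which is the pattern a malfunctioning process leaves behind. Logs written with a different timestamp format put the program tag in another field, so adjust the field number to match.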

How Linux rotates log files

In the /var/log directory, you can see files with names ending in 'log.N.gz', where N is a number. These are the result of the system rotating older logs. Most distributions have a utility called 'logrotate' that does this automatically. logrotate is usually set up to run as a cron job or systemd timer.

By default, most distributions will run logrotate daily. logrotate compresses older logs using gzip, as evidenced by the '.gz' file extension. It uses a threshold, like age or file size, to do this and another threshold to delete old log files.

The default options for logrotate are sufficient for most desktop users. You can adjust logrotate behavior by editing the /etc/logrotate.conf file as a superuser, as well as editing the cron file or systemd timer file on your system, but these operations are really only relevant to the server administrator.

It's better to fix what's filling up your logs instead of editing configuration files to save disk space. If you absolutely need to change the configuration, you can read the logrotate manual page.

Which logs are safe to delete?

If all else fails and you want to free up disk space, you can manually delete archived log files ending in '.gz' before logrotate executes. You can use rm, but you will need to run it as superuser because these files belong to the system:

sudo rm /var/log/syslog.*gz

This command will delete all files in /var/log whose names begin with 'syslog.' and end with 'gz'.

Warning: Always be very careful when running commands via sudo, especially destructive commands like rm!

Normally, you shouldn't delete files in system folders without fully understanding what they mean, but archived logs won't cause any problems if they're missing. However, if you encounter problems, you may need to refer to older logs.
