0

So I looked and examine my disk and I figured out that my var/log/ is taking up about 100+ GB.

How would I reduce the size of my /var/log/?

Here are the results of tail -f /var/log/syslog

Mar 22 23:00:21 usr-MS-7C94 kernel: [44313.727104] audit: type=1400 audit(1647961221.527:631876): apparmor="DENIED" operation="ptrace" profile="snap.discord.discord" pid=25795 comm="Discord" requested_mask="read" denied_mask="read" peer="unconfined"

Mar 22 23:00:21 usr-MS-7C94 kernel: [44313.727085] audit: type=1400 audit(1647961221.527:631874): apparmor="DENIED" operation="open" profile="snap.discord.discord" name="/proc/2611/cmdline" pid=25795 comm="Discord" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Results of ls -alhS /var/log | more

total 59G
-rw-r-----   1 syslog            adm              46G Mar 23 19:19 kern.log
-rw-r-----   1 syslog            adm              13G Mar 23 08:04 syslog.1
-rw-r-----   1 syslog            adm             808M Mar 22 07:45 syslog.2.gz
-rw-r-----   1 syslog            adm              48M Mar 20 15:47 kern.log.1
-rw-r-----   1 syslog            adm             1.6M Mar 23 21:42 syslog

Results of ls -lh /var/log

total 59G
-rw-r--r--  1 root              root            6.2K Mar 21 08:13 alternatives.log
-rw-r--r--  1 root              root            8.3K Feb 23 19:46 alternatives.log.1
-rw-r-----  1 root              adm             1.3K Mar 23 09:47 apport.log
-rw-r-----  1 root              adm             5.0K Mar 22 21:52 apport.log.1
-rw-r-----  1 root              adm              988 Mar 21 21:02 apport.log.2.gz

OS: Ubuntu Studio 20.04

Note:

After getting a notification that I am running low on space, I encountered an error while booting up that says overlayfs: missing 'lowerdir' which I suspect is a problem connected with my storage problem

and I already deleted my *.gz files

Thank you so much~!

SOLVED===

Taken from the suggestions and answers given, I uninstalled the snap version of Discord and replaced it with the *.deb from the main Discord Website

I then executed

cd /var/log
sudo su
> lastlog
> wtmp
> dpkg.log 
> kern.log
> syslog
exit

Taken from this thread Very large log files, what should I do?

And report from ls -alhS /var/log | more shows smaller sizes of logs and more /var/log/kern.log showed no repeating errors

Rei
  • 43
  • 1
  • 10
  • 4
    The simplest and least responsible answer would be "just delete the logs". However, when the log directory is getting big, it's because something is wrong. Which file(s) take up the bulk of the storage? Read those files to determine what errors are being reported, then work to solve those errors. Once the problems are solved, you can reset your /var/log directory so that it remains a manageable size going forward – matigo Mar 22 '22 at 03:46
  • is /var/log is on separate partition or its in root itself. – zabiullah Mar 22 '22 at 04:11
  • var/log/ is with /usr and /home, although I believe it is also at root – Rei Mar 22 '22 at 05:24
  • The biggest one is kern.log next is syslog.1 and syslog, and I don't really understand much of what they are reporting – Rei Mar 22 '22 at 05:27
  • 1
    The logs grow because there are one or more error in your system. Identify and fix the error(s) and the logs will stop growing large. Maybe update your question with examples on logged errors. so someone can suggest fixes. – Soren A Mar 22 '22 at 06:16
  • 2
    Open a terminal and type tail -f /var/log/syslog. Watch the messages displayed on the terminal for a while. Look for repeating messages. [Edit] your question and paste some of the repeating messages. (Please, no more than ten or so lines!) – FedKad Mar 22 '22 at 07:03
  • Hi there, I have updated my original question, thank you very much. – Rei Mar 22 '22 at 15:02
  • @Rei Status please... – heynnema Mar 25 '22 at 12:42
  • Yes hello, got caught up with some stuff, sorry for the delay, I followed another answer from a similar question and I have now solved it, Thanks everyone for the help <33 – Rei Mar 27 '22 at 14:44
  • @Rei Just deleting those large log files won't fix the problem. – heynnema Mar 27 '22 at 14:58
  • Ohh, sure, I'll test the /var/log/kern.log now, thank you – Rei Mar 27 '22 at 15:01
  • @Rei Did you review Update #1 in my answer? You have to look at the log files to determine what's causing them to grow so large. Normally you'll see a repeating error message, like the one that you posted from syslog. Your original kern.log was also huge, but you've deleted it, so any evidence is gone... until the error continues. Did you change the Discord app? – heynnema Mar 27 '22 at 15:07
  • Yes I have and fortunately, there are no repeating errors reported by more /var/log/kern.log – Rei Mar 27 '22 at 15:08
  • @Rei Did you change the Discord app? Did you recheck syslog? – heynnema Mar 27 '22 at 15:09
  • Yes I did change the Discord snap to the *.deb variant, ls -alhS /var/log | more shows the logs are significantly smaller with the highest being 43M which is syslog. – Rei Mar 27 '22 at 15:13
  • @Rei Since you took the advice from my answer, please consider accepting my answer by clicking on the checkmark icon that appears just to the left of my answer. Thanks! – heynnema Mar 27 '22 at 15:14
  • Sure thing, and as always thank you for your help! – Rei Mar 27 '22 at 15:15
  • Votre to reopen as https://askubuntu.com/questions/515146/very-large-log-files-what-should-i-do is very different, and foremost for an older version of Ubuntu – Hannu Dec 08 '22 at 17:14

2 Answers2

4
$ sudo du -h /var/log/ | sort
...
$ journalctl --vacuum-time=10d

The first will tell you the approximate sizes of the subfolders of /var/log

The second will clean up the .../journal/ folder (keeping ten days worth of logs), which seems to be the most voluminous, locally here.

The journalctl is what I do in conjunction with (almost daily) updates.

To see the bytecount sizes of LARGEST files in e.g. /var/log/ you can do:
$ find /var/log/ -type f -printf "%-16s %p\n" | sort -n

Add ... | tail -n 20 to limit it to the 20 largest.

Hannu
  • 5,374
  • 1
  • 23
  • 40
2

re: overlayfs: missing 'lowerdir'

Let's first check your file system...

  • boot to a Ubuntu Live DVD/USB in “Try Ubuntu” mode
  • open a terminal window by pressing Ctrl+Alt+T
  • type sudo fdisk -l
  • identify the /dev/sdXX device name for your "Linux Filesystem"
  • type sudo fsck -f /dev/sdXX, replacing sdXX with the number you found earlier
  • repeat the fsck command if there were errors
  • type reboot

Update #1:

/var/log/syslog is showing that the snap version of the nasty Discord program is acting up. /var/log/kern.log may show the same.

The snap version of Discord tries to work outside of its sandbox, and spams syslog and auth.log. Suggest removing the snap version sudo snap remove discord, and installing the APT/DEB version... https://discord.com/download. Otherwise you'll need to allow Discord privs that are normally not granted to shut it up.

If you show me the first 5 lines of output of ls -alhS /var/log | more I suspect that syslog and auth.log are probably very large. After removing the snap version of Discord, and installing the APT/DEB version of Discord, you can delete these large log files with:

sudo rm -i /var/log/syslog*

sudo rm -i /var/log/auth.log*

sudo rm -i /var/log/kern.log*

heynnema
  • 70,711
  • Hi there, this really helped to clear some storage but my /var/log is still 67GB, is it really that big? – Rei Mar 23 '22 at 01:51
  • @Rei Edit your question and show me the first 5 lines of output of ls -alhS /var/log | more. See Update #1 in my answer. – heynnema Mar 23 '22 at 12:36
  • @Rei Your /var/log/kern.log is large. Do more /var/log/kern.log and look for similar repeating messages... they might be from Discord... or something else... but we need to find out... before we delete the file. Report back. – heynnema Mar 23 '22 at 19:53