0

While tracking Ubuntu 14.04.3 firewall info I enabled ufw full logging for a while (now turned back off). Now I'm warned that I'm running out of space in the /var partition. Looking in there I find 3 huge files: kern.log, syslog and ufw.log, each 1.2GB. How do I force some existing routine (if there is one) to anticipate the scheduled job of cleaning/compressing/or-whatever the logs?

Thank you

Philippe Gachoud
useful

2 Answers

2

Take a look at the logrotate package; you can see a tutorial on this page.

You could either

  • Lower the logging level of your firewall: modify the LOGLEVEL directive in the `/etc/ufw/ufw.conf` file to one of 'off', 'low', 'medium', 'high' and run `sudo service ufw restart`
  • Reconfigure your firewall so that it logs to another location where you have more space
  • Configure logrotate to rotate the logs more frequently: instead of running from `/etc/cron.daily/logrotate`, run it for example from `/etc/cron.hourly/logrotate` (see this post)
    1. `sudo ln -s /etc/cron.daily/logrotate /etc/cron.hourly/logrotate`
    2. Modify the `/etc/logrotate.d/ufw` file according to this post to manage the rotation size, and see `man logrotate` for more configuration options. It could be that your file is not rotated because no file size is set: by default the size directive is not set in the `/etc/logrotate.d/ufw` file, so it is only rotated weekly according to the configuration file directive. So adding a size directive (for example `size 300M`) will maybe do what you expect. Please note: if the size directive is used, logrotate will ignore the daily, weekly, monthly, and yearly directives. If you want logrotate to consider both log size AND timestamp, the minsize directive should be used.
    3. To test it, run the logrotate job manually with `sudo /etc/cron.daily/logrotate`
    4. Check the logrotate jobs in the `/var/lib/logrotate/status` file (see this post)
  • If you don't want ufw to log into your kern.log, check this post
Philippe Gachoud
  • Although it ran this morning: `cat /var/lib/logrotate/status |grep ufw` `"/var/log/ufw.log" 2016-1-4-7:44:7` `sudo logrotate -v /etc/logrotate.d/ufw` `reading config file /etc/logrotate.d/ufw Handling 1 logs rotating pattern: /var/log/ufw.log weekly (4 rotations) empty log files are not rotated, old logs are removed considering log /var/log/ufw.log error: skipping "/var/log/ufw.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.` – useful Jan 04 '16 at 13:09
  • And? Did it do the trick? Check out this post: http://stackoverflow.com/questions/26482773/apache-and-logrotate-configuration and the first answer's example. Please post your /etc/logrotate.d/ufw file in your question. – Philippe Gachoud Jan 04 '16 at 13:15
  • It failed manually now (although sudo) but this morning it worked auto ??? `cat /var/lib/logrotate/status |grep ufw` `"/var/log/ufw.log" 2016-1-4-7:44:7` `cat /etc/logrotate.d/ufw` `/var/log/ufw.log { rotate 4 weekly missingok notifempty compress delaycompress sharedscripts postrotate invoke-rc.d rsyslog reload >/dev/null 2>&1 || true endscript }` How could it work this morning with no create directive? Or is it cron working as nobody or god? – useful Jan 04 '16 at 13:22
  • Did you try the logrotate command as it is set in the cron job? Try to run the /etc/cron.daily/logrotate shell script with `sudo /etc/cron.daily/logrotate`; the environment which is calling a cron job may be different from the one you are in with your console... – Philippe Gachoud Jan 04 '16 at 13:46
  • This link https://linuxslut.net/logrotate-parent-directory-has-insecure-permissions/ in the stackoverflow thread seems very interesting but I can't understand anything, e.g. my /etc/logrotate.d/ufw has no create directive, so how could I add a su user group directive that match this non existent one... sudo /etc/cron.daily/logrotate enter echo $? enter returns 0 .... but all 3 files are still there as huge as before. Believing it could be long I checked with ps ax|grep logrot and ps ax|grep roller and process monitor but found nothing that helps. – useful Jan 04 '16 at 15:08
  • So, on my system I tried the following: `sudo sh -c 'dd bs=1024 count=50000 /var/log/ufw.log'` to fill the ufw.log file artificially (maybe you don't need it), `sudo /etc/cron.daily/logrotate` to launch logrotate manually, `less /var/lib/logrotate/status` to check what logrotate did, `ls -l /var/log|grep ufw` to check what the result of the logrotate job was. That did the trick... so if you check what I added to the above post about changing the logrotate job from daily to hourly, it could be your solution... what do you say? – Philippe Gachoud Jan 05 '16 at 08:10
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/33853/discussion-between-philippe-gachoud-and-useful). – Philippe Gachoud Jan 05 '16 at 08:39
  • Hi Philippe. Thank you for helping. Checking the logrotate status after the /etc/cron.daily/logrotate command doesn't show any obvious error. Moreover, it shows the command ran because I see one file is logged (pm.powersave.log) at the timestamp I ran the command. Cool. Whatever, as I said I moved ufw.log to make room immediately, and the night after syslog was compressed by the cron. Only kern.log remains huge despite a reboot. I don't know how this one is managed. – useful Jan 06 '16 at 20:08
  • OK, I found kern.log is in /var/lib/logrotate/status too, on date 2016/01/04. A look at ls -l /var/log/ker* shows a roughly once a week spread of files... let's wait 4:6 days. Whatever I still don't know how to make room immediately without moving/deleting the files. Thank you Philippe. – useful Jan 07 '16 at 07:55
  • "2 thoughts on" @ https://linuxslut.net/logrotate-parent-directory-has-insecure-permissions/ may be related, but too hard to decide for a newb. – useful Jan 07 '16 at 08:01
  • 1) For limiting the syslog files from ufw check this post: http://askubuntu.com/questions/452125/redirect-ufw-logs-to-own-file. By default syslog is rotated daily as mentioned in the /etc/logrotate.d/rsyslog file; you can also change that according to what's best for you. 2) I don't understand what pm.powersave.log has to do with that. 3) Did you modify your /etc/logrotate.d/ufw file as explained in the post? 4) If you don't need the logs, set the loglevel to off as explained in the post. – Philippe Gachoud Jan 07 '16 at 09:00
  • 5) You don't need to reboot a linux machine unless you don't need to load a new kernel!!! Check the `service whatsoeveryouneedforservice restart` command! 6) See the "continue this discussion in chat" link 3 comments above for not spamming this page with unuseful conversations. – Philippe Gachoud Jan 07 '16 at 09:04
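
The error quoted in the comments above spells out the test logrotate applies to a log's parent directory. The script below is an added example, not written by anyone in this thread: it applies that same test to a path and prints the `su` line the error message asks for. It assumes GNU `stat`, and the function names `dir_is_insecure` and `check_log_parent` are hypothetical.

```shell
#!/bin/sh
# Added example: applies the parent-directory test named in logrotate's
# "insecure permissions" error, so it can be checked before a rotation run.

# dir_is_insecure MODE GID
# MODE is the octal permission string (e.g. 775), GID the numeric group owner.
# Returns 0 (true) when the directory is world-writable, or group-writable
# by a group other than root (gid 0); returns 1 otherwise.
dir_is_insecure() {
    mode=$1 gid=$2
    [ $(( 0$mode & 0002 )) -ne 0 ] && return 0
    [ $(( 0$mode & 0020 )) -ne 0 ] && [ "$gid" -ne 0 ] && return 0
    return 1
}

# check_log_parent LOGFILE
# Prints a verdict for the directory holding LOGFILE. Returns 1 when the
# stanza needs a "su" directive, 2 when the directory cannot be inspected.
check_log_parent() {
    dir=$(dirname -- "$1")
    mode=$(stat -c '%a' -- "$dir") || return 2
    gid=$(stat -c '%g' -- "$dir") || return 2
    group=$(stat -c '%G' -- "$dir")
    if dir_is_insecure "$mode" "$gid"; then
        echo "$dir: mode $mode, group $group -> logrotate skips logs here"
        echo "directive to add inside the stanza: su root $group"
        return 1
    fi
    echo "$dir: mode $mode, group $group -> no su directive needed"
}

# When a path is given on the command line, check it
# (for the log discussed in this thread: /var/log/ufw.log).
if [ "$#" -gt 0 ]; then
    check_log_parent "$1"
fi
```

On a stock Ubuntu 14.04 install `/var/log` is group-writable by `syslog` and `/etc/logrotate.conf` already carries `su root syslog`, so the cron job, which reads `/etc/logrotate.conf`, rotates the file, while `logrotate -v /etc/logrotate.d/ufw` reads only the ufw stanza and hits the error.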
0

I just deleted the log and posted a bug: https://bugs.launchpad.net/ubuntu/+source/logrotate/+bug/1530904 For kern.log and syslog I hope the night will help.

useful