
/var system full--What to clean?

Status
Not open for further replies.

c4sob

IS-IT--Management
Mar 6, 2001
10
US
Hello,
Every so often (every few months) I get the message that my /var system is full.
Can someone tell me which files are safe to clear (zero) out?

I have cleared some files that I read were safe to clear but am still showing 100% used.

Thanks,
Charlie
 
Try deleting /var/log/messages.x; these are the system log messages, and they can grow real big. If you can delete the old ones and retain the new ones, it can save you some space.
You can do (as root):
#cp /dev/null messages.4
#cp /dev/null messages.5
.
.
..
Hope this helps
 
I agree with the above, other than the path to those files: the messages files are in /var/adm/ and range from messages, messages.0 - messages.3. A cron job rotates these logs for you weekly, messages being the current week of system logs. You can do a
#du /var

to find out which files and directories under var are taking up all of your space, as sometimes other app logs are there as well.
 
Also check /var/mail you may have large mail files.
If /var/mail files are large, take a look at them; it will probably be output from cronjobs. You may wish to divert these messages to files in another partition (say > /logs/cron.out 2>&1 ) or to /dev/null ( > /dev/null 2>&1).

Output from du can sometimes be quite large; you may wish to filter it like this:
cd /var
du -a|awk '$1 > 50000 {print $0}'

Also check /var/tmp


Ged Jones

Top man
 
It's also a good idea to re-start processes that were writing to files in that location. Files that were being used can make the directory/mount point appear full with df -k and continue to dump to the syslog to that effect.
utmpx and wtmpx are also good candidates for large (useless) file sizes, so you can remove them.
 
A couple of points and pointers.

You may want to use
Code:
find /var -xdev -size +5000 -ls
to create a list of files that are larger than ~10M and print some information about them.

/var/adm/utmp, /var/adm/utmpx, /var/adm/wtmp, and /var/adm/wtmpx can usually be overwritten; however, you will lose user access logging information. It is possible to save some data (i.e. the last 10 logins) but it requires some coding in recent releases of Solaris.

At work we use a log rotation script that rotates daily. It saves the old logs in a directory named for the year and month and then compresses them.

Never rm log files; instead, overwrite them using something like
Code:
date > $LOGFILE
or
Code:
cat /dev/null > $LOGFILE
This allows the space to be recovered if the file is held open by a process.

man(1) is your friend.

Cheers
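
One way to combine the advice in the post above (archive old logs in a year-and-month directory, compress them, and overwrite rather than rm), as an added example that is not part of the original thread. The function names archive_and_truncate and demo, the temporary paths and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): archive a log under
# <archive_root>/<YYYY-MM>/ as a verified .gz, then empty the original in place.
# archive_and_truncate and demo are hypothetical names; sample data is constructed.

archive_and_truncate() {
    log=$1
    archive_root=$2
    [ -f "$log" ] || { echo "not a regular file: $log" >&2; return 1; }

    month_dir="$archive_root/$(date +%Y-%m)"
    mkdir -p "$month_dir" || return 1
    dest="$month_dir/$(basename "$log").$(date +%Y%m%d-%H%M%S).gz"

    # Compress a copy and verify it before touching the original, so audit
    # data is never lost to a failed write (e.g. archive partition also full).
    gzip -c "$log" > "$dest" || { rm -f "$dest"; return 1; }
    gzip -t "$dest" || { rm -f "$dest"; return 1; }
    chmod 600 "$dest"

    # Truncate rather than rm: the inode survives, so a process holding the
    # file open keeps logging to it and the blocks are freed immediately.
    # Lines written between the copy and this truncate are not archived.
    : > "$log" || return 1
    echo "$dest"
}

# Self-check on constructed data: returns 0 when the inode is unchanged, the
# archive holds the old lines, and an already-open appender still works.
demo() {
    tmp=$(mktemp -d) || return 1
    log="$tmp/messages.3"
    printf 'constructed line 1\nconstructed line 2\n' > "$log"
    exec 3>>"$log"                  # stands in for a daemon with the log open
    before=$(ls -i "$log" | awk '{print $1}')
    archived=$(archive_and_truncate "$log" "$tmp/archive") || return 1
    echo 'constructed line 3' >&3   # written after the truncate
    exec 3>&-
    after=$(ls -i "$log" | awk '{print $1}')
    rc=1
    [ "$before" = "$after" ] &&
        [ "$(gzip -dc "$archived" | wc -l)" -eq 2 ] &&
        [ "$(cat "$log")" = 'constructed line 3' ] && rc=0
    rm -rf "$tmp"
    return $rc
}
```

Point archive_root at a filesystem other than /var, otherwise the compressed copies compete for the same space that is being freed.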
 
You might want to think about editing your /etc/syslog.conf file so that you can administer your logfiles a little tidier.

Most hackers enjoy the fact that the /var filesystem is full, as no more log messages can be written; you may want to look at your passwords and give them an early rotation.
 