http://www.notesofasysadmin.com/linux/clearing-but-not-deleting-log-files/
Sometimes, as a Systems Administrator (SysAdmin), we need to clear out log files without actually deleting them. As a smart SysAdmin, you normally wouldn’t need to do this, but as I am currently involved in supporting customers and their Linux machines, I run into some pretty neat stuff (neat as in special). I’ve had a few issues where someone actually runs out of disk space on / (root filesystem) due to the /var/log directory being full.
First off, you might run the df command only to realize that you have used, say, 97% of a partition, in this case / (root filesystem). More often than not, this is due to your /var/log directory. Make sure, though; I’m presuming that you already know that your /var/log directory is full. To find out what is taking up the most space (you should already know why, and you are possibly viewing this because you are having issues with a full filesystem), you would need to run the df command.
The df command is a great way of seeing how much space is used and/or remaining per partition (mount point, actually), but now we need to find out which files are taking up the most space, for reference. We are still going to wipe the whole /var/log directory, simply because it works and knowing how to clear out your log files without deleting them can be a life saver. Back on topic, though: as we want to find out (for reference) which files are taking up the majority of the space, we will need to use the du command. The du command stands for Disk Usage, and it can be very useful in telling us exactly which files are taking up the most space and where they are located. So, by now, you already know that your /var/log directory is practically full, and you want to find which files are taking up all that space. We shall run the following command:
[root@server ]# du /var/log/* -s | sort -rn | head
As you can already tell, this is not just the du command. We are using three programs (all of which are on a default install of Linux): du, sort, and head. I’ll explain the command. First, we run du /var/log/* -s, which starts the du command, searches everything in /var/log, and summarizes each argument (-s). Then the output of the du command becomes the input of the sort command. Using sort, we reverse the output (-r) and sort it numerically (-n). From there, the output of the sort command becomes the input of the head command. Remember how we reversed the sort order? That’s where the head command comes in handy. With a plain numeric sort, the largest files that du found would have been at the bottom, but because we reversed the output, they are now at the top, which is the part head shows. If you need more results, just add -n to the head command (e.g.: head -n 30), which would show the top 30 biggest files (if used with the whole du, sort, head command above).
Once you have the output, you can clear out those particular log files. You can do that with the cat command. You would “cat” /dev/null (nothing) and redirect the output (again, nothing) to that particular log file, which overwrites the log file with nothing. Your log file has been cleared, but you did not delete it.
An example of clearing a single log file with the cat command would be as follows:
cat /dev/null > /var/log/btmp
That’s it! The /var/log/btmp file was 23MB (due to not changing the default SSH port, which is off-topic), and after running the previous command, the file is now 0 bytes.
Now, what if there were a lot of files in the /var/log directory, and you needed to clear all the log files out of the system? With a little work, you can. Before I actually show you how to do this, you’re probably wondering: “Why not just delete the log files?”. Good question, because I used to have the same question. Your /var/log directory holds a good amount of the log files for every daemon that is running on your system. Just a side note: /var/log is what most daemons use for their log files, but you should check the daemon (if you want), as it might have a custom place for writing its own logs. Okay, to answer the main question: you should not just go deleting log files, because daemons that are currently running are using these log files, and deleting them can sometimes crash those daemons and/or cause them to fail to start back up, even on a reboot. Sometimes you would have to manually re-create the log file the system cannot find (usually using the touch command). Now, I’ve gone through doing the hard part (figuring out how to do it), and you just have to run the command. Here’s the command (will explain):
find /var/log/ -name '*.*' -not \( -type d \) -print0 | xargs -0i sh -c "cat /dev/null > \"{}\""
I know, I know. Like I said, I’ll explain. Yes, that is two double quotes at the end. Put this in exactly as shown; I have not tested what will happen if this is not put in exactly, so if it decides to remove any data you didn’t want it to, I’m not liable. Alright, now for the explanation. The find command is executed with options to look into the directory /var/log and find all files (wildcarded with *.* for any file it comes across), but it will exclude any directories that it finds, while still searching within them and clearing out the files in there. The reason we want this is that if we did not tell it to skip the directories, the redirect would error out on them and would not complete the clearing out of the files. The find command then prints out its matches, which become the input of the xargs program, and states that as long as the file is not equal to 0 (empty file) to execute cat /dev/null and redirect the output of /dev/null (which is nothing) to every file it comes across. This in turn will wipe out all the files’ contents within the /var/log directory, but will keep the files there.
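A more defensive take on the same cleanup, added here as an example (it is not the author's command): clear_logs hands each path to the inner shell as an argument instead of pasting it into the command string, so a log file whose name contains spaces, quotes or $( ) is treated as data, and it also covers names without a dot such as btmp. The function names clear_logs and make_sample_logs and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.

# clear_logs DIR: empty every non-empty regular file under DIR, keeping the
# files (and their owner/mode) in place. Prints "<bytes> <path>" per file
# cleared, so there is a record of what was wiped.
clear_logs() {
    dir=${1:?usage: clear_logs DIR}
    # -xdev     do not cross into other mounted filesystems
    # -type f   regular files only (skips directories, symlinks, FIFOs)
    # -size +0  skip files that are already empty
    # Paths reach the inner shell as "$@" (data), never as command text.
    find "$dir" -xdev -type f -size +0 -exec sh -c '
        for f in "$@"; do
            bytes=$(wc -c < "$f") || continue
            if cat /dev/null > "$f"; then
                printf "%s %s\n" "$bytes" "$f"
            fi
        done
    ' sh {} +
}

# Constructed sample tree standing in for /var/log (assumes mktemp -d exists).
make_sample_logs() {
    d=$(mktemp -d) || return 1
    mkdir "$d/httpd"
    printf 'failed login\n' > "$d/btmp"              # no dot in the name
    printf 'GET / 200\n'    > "$d/httpd/access.log"  # inside a subdirectory
    printf 'x\n'            > "$d/app \$(id).log"    # space and $( ) in the name
    : > "$d/empty.log"                               # already 0 bytes
    printf '%s\n' "$d"
}

# Run "sh thisfile demo" to try it on the constructed tree only.
if [ "${1:-}" = demo ]; then
    logs=$(make_sample_logs) && clear_logs "$logs" && rm -rf "$logs"
fi
```

On a real system you would call clear_logs /var/log as root and keep its output as the record of what was cleared and how large each file was.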
I just want to say, this is not the best solution for log file administration, but it can definitely get you out of a bind if log file administration isn’t extremely important (if it’s a personal server, or if it is low profile and isn’t High Availability, etc.). I would definitely look for an alternative way to administer your log files (I use logrotate), but again, in this case, you should be able to use this solution just fine. If you run into any issues or just have some questions, please don’t hesitate to post them so we can all discuss.