Originally Posted by
titaniuman
Try to check logrotate configuration. Logrotate is a utility that manages log files and rotates them periodically. Check if the logrotate configuration for system logs is correct. You can do this by looking at the /etc/logrotate.d/rsyslog file. Make sure that it is configured to rotate system logs daily or weekly.
For the last 20+ yrs, I've not seen a default system install have any logrotate issues. I suppose it could happen, but the only times I've seen it is when someone created their own network dæmon with startup/status/stop controls (or a systemd unit file) and forgot to clean their own log files.
Systemd (as controlled by journalctl) is where all system logs are stored. The text that gets outputted for dmesg and syslog come from the systemd journal. Now, that journal is controlled by /etc/systemd/journald.conf which has settings to control max sizes and forced deletions. I have a short cheatsheet of commands:
Code:
journalctl -xe # See errors for last service, with eXtra information
journalctl -b # See current boot logs
journalctl -b -1 # See prior boot log
journalctl -b -3 # See 3 boot logs ago
sudo journalctl -k # See current kernel logs
journalctl --since=today
journalctl -S today # See logs for today, from midnight, yesterday/tomorrow
journalctl -xe -S today # See errors for today, from midnight today
sudo journalctl -S -1h # See logs for last 1 hour m/w == minutes/weeks
sudo journalctl _PID=751 # find logs for a specific PID
sudo journalctl _UID=1000 # find logs for a specific user
sudo journalctl /usr/bin/anacron # logs for a specific executable
journalctl -u nfs-kernel-server.service
journalctl -u nfs-server.service -S -2h
journalctl -p 0 # emergency
1 # alert
2 # critical
3 # error
4 # warning
5 # notice
6 # info
7 # debug
journalctl --disk-usage # See log file disk use
sudo journalctl --vacuum-size=200M # Drop log file size to 200M, if possible.
sudo journalctl --vacuum-time=10d # Drop logs, over 10 days old
Anyway, hope this is helpful to someone. If /var is full, use the vacuum command ASAP. 200M should be at least 3-7 days of logs, so it is unlikely to remove anything important for a recent issue.