Clearing systemd journal logs

The systemd journal is systemd’s own logging system. It is equivalent to the syslog in the init system. It collects and stores kernel logging data, system log messages, and standard output and error for various systemd services.

A Linux machine with systemd writes the logs to the /var/log/journal directory. If you remember the Linux directory structure, /var is where the system logs are stored.

You can either manually view the log files using the less command or use the journalctl command. To view all the latest logs, use the command with the reverse option.

journalctl -r

The thing with logging is that over time, the logs grow big. If you check the disk space in Linux, you’ll see that they sometimes take several GB of space.

First check the space taken by journal logs with the du command:

du -sh /var/log/journal/

You can also use the journalctl command for the same task:

journalctl --disk-usage

Both of the commands should give approximately the same result:

abhishek@linuxhandbook:~$ journalctl --disk-usage
Archived and active journals take up 1.6G in the file system.

abhishek@linuxhandbook:~$ sudo du -sh /var/log/journal/
1.7G	/var/log/journal/

Now that you know how much space the journal logs take, you can decide if you want to clear the logs or not. If you decide to clear the journal logs, let me show you a couple of ways of doing it.

You can of course use the rm command to delete the files in the log folder, but I don’t advise that. The journalctl command gives you the proper way of handling old logs.

The first thing you should do is rotate the journal files. This marks the currently active journal logs as archived and creates fresh new logs. It’s optional but a good practice to do so.

sudo journalctl --rotate

Now you have three ways to clear old journal logs. You can delete logs older than a certain time, delete older log files until the total log size fits within a predefined amount of disk space, or limit the number of log files. Let’s see how to use all three methods.

1. Clear journal log older than x days

Keep in mind that logs are important for auditing purposes, so you should not delete all of them at the same time. Let’s say you want to keep the log history of just two days. To delete all entries older than two days, use this command:

sudo journalctl --vacuum-time=2d

Here’s what the output may look like:

Vacuuming done, freed 1.6G of archived journals from /var/log/journal/1b9ab93094fa4978beba80fd3c48a18c

You can also provide the time frame in hours like 2h, in minutes like 2m, or in seconds like 2s. If you want bigger time units, you can use 2weeks or 2months as well.
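
Since the deleted entries may still be needed for an audit, the rotate and vacuum-by-time steps above can be wrapped so that old entries are exported first and a too-short retention is refused. This is an added example, not part of the original article; the function names, MIN_DAYS, DRY_RUN and the archive directory are assumptions of the sketch, and it expects to run as root.

```shell
#!/bin/sh
# Added example: export-then-vacuum wrapper. Run as root.
# MIN_DAYS, DRY_RUN, the archive path and the function names are assumptions.

MIN_DAYS="${MIN_DAYS:-2}"   # refuse to keep less history than this many days
DRY_RUN="${DRY_RUN:-1}"     # 1 = only print the commands, 0 = execute them

# run CMD...: print the command, and execute it only when DRY_RUN=0.
run() {
    printf '%s\n' "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# valid_days N: succeed only for a whole number of days >= MIN_DAYS.
valid_days() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$MIN_DAYS" ]
}

# clean_journal DAYS ARCHIVE_DIR: save old entries, rotate, then vacuum.
clean_journal() (
    days="$1"; dir="$2"
    if ! valid_days "$days"; then
        echo "refusing retention '$days' (minimum ${MIN_DAYS} days)" >&2
        exit 2
    fi
    out="$dir/journal-$(date +%Y%m%d).export"

    # 1. Keep a copy of every entry older than the cutoff before deleting.
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "journalctl --until=\"$days days ago\" -o export > $out"
    else
        mkdir -p "$dir" || exit 1
        journalctl --until="$days days ago" -o export > "$out" || exit 1
    fi

    # 2. Archive the active journal files so the vacuum can consider them.
    run journalctl --rotate
    # 3. Delete archived journal files older than the retention period.
    run journalctl --vacuum-time="${days}d"
)

# Preview: clean_journal 14 /var/backups/journal
# Apply:   DRY_RUN=0; clean_journal 14 /var/backups/journal
```
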

2. Restrict logs to a certain size

Another way is to restrict the log size. This deletes journal log files until the disk space taken by journal logs falls below the size you specified.

sudo journalctl --vacuum-size=100M

This will reduce the log size to around 100 MB.

Vacuuming done, freed 40.0M of archived journals from /var/log/journal/1b9ab93094fa4978beba80fd3c48a18c.

You can specify the size in GB with G, MB with M, KB with K etc.

3. Restrict number of log files

The third way is to limit the number of log files. The journal usually has log files for the system and for the users. As the logs get old, they are archived in various files.

You can limit the number of archive log files. Let’s say you want to have only five log files.

sudo journalctl --vacuum-files=5

It will remove the older archive log files, leaving only the specified number of log files.

Deleted archived journal /var/log/journal/1b9ab93094fa4978beba80fd3c48a18c/system@d9fbc18533be4cb69483adf2a61505ac-00000000001e0bba-00059745988c0982.journal (8.0M).
Deleted archived journal /var/log/journal/1b9ab93094fa4978beba80fd3c48a18c/user-1000@f571e91e5c6748a8a74666a448df78dd-00000000001e21d4-00059747a2ebd5a3.journal (48.0M).
Deleted archived journal /var/log/journal/1b9ab93094fa4978beba80fd3c48a18c/system@d9fbc18533be4cb69483adf2a61505ac-00000000001e2414-00059747a32024d0.journal (48.0M).
Vacuuming done, freed 104.0M of archived journals from /var/log/journal/1b9ab93