Best Practices for Managing /var/log in Debian: Safe Deletion Commands and Folder Structure Considerations



The /var/log directory is a critical system location containing log files from various services and applications. On Debian systems, this includes:

  • System logs (syslog, auth.log)
  • Package manager logs (dpkg.log)
  • Service-specific logs (Apache, MySQL, etc.)
  • Kernel logs (kern.log)

Simply running rm -rf /var/log/* can cause several issues:

# DON'T do this - it may break logging functionality
sudo rm -rf /var/log/*

Many services expect certain files or directories to exist and may fail if they're missing. Some modern systems use systemd-journald, which stores logs differently, but traditional log files are still widely used.

Instead of manual deletion, consider these approaches:

# 1. Use logrotate (installed by default on Debian)
sudo logrotate -f /etc/logrotate.conf

# 2. Clear log contents without deleting files
sudo truncate -s 0 /var/log/*.log

If you need to manually clean logs, here are safer rm alternatives:

# Delete only log files (not directories)
sudo find /var/log -type f -name "*.log" -exec rm -f {} \;

# Delete files older than 30 days
sudo find /var/log -type f -mtime +30 -exec rm -f {} \;

To maintain required directory structure while cleaning:

# This keeps directories but removes the files inside them
sudo find /var/log -mindepth 1 -type f -exec rm -f {} +

To determine your Debian version for more specific advice:

cat /etc/debian_version
lsb_release -a

On newer Debian versions with systemd:

# View logs
journalctl

# Clear logs (alternative to file deletion)
sudo journalctl --rotate
sudo journalctl --vacuum-time=1d

  • Some applications may need to be restarted after log deletion
  • Consider setting up proper logrotate configurations
  • Critical systems should have log aggregation in place
  • Always check disk space with df -h before and after

The /var/log directory contains crucial system logs in Debian. While you can remove log files, you should preserve the directory structure itself. Most system services and applications rely on these directories being present, even if they're empty.

Safe to remove:

- Old log files (e.g., syslog.1, auth.log.2.gz)

- Rotated logs (files with .gz or .1, .2 extensions)

- Temporary log files

Don't remove:

- The actual log directories (e.g., /var/log/apt, /var/log/apache2)

- Current log files actively being written to (usually without number suffixes)

- Special files like wtmp, btmp, lastlog

For safe log cleaning, these commands are commonly used:


# Remove all files but keep directories (this also deletes active logs and wtmp, btmp, lastlog)
sudo find /var/log -type f -delete

# Alternative with rm
sudo find /var/log -type f -exec rm -f {} \;

# Clean rotated logs only (safer)
sudo find /var/log -name "*.gz" -delete
sudo find /var/log -name "*.[0-9]" -delete
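
A stricter form of the rotated-logs cleanup above, written as an added example rather than code from the original page: it is a dry run by default, applies an age cutoff, and never selects active logs, directories, or wtmp/btmp/lastlog. The function names, the 30-day default and the `--apply` switch are assumptions.

```sh
#!/bin/sh
# Added example (not from the original page). Function names, the 30-day
# default and the "--apply" switch are assumptions chosen for illustration.

# Shared selector: rotated logs (*.gz or a single-digit suffix) under $1 that
# were last modified more than $2 days ago. Extra arguments are find actions.
# Never selected: directories, active logs (no rotation suffix), and any
# wtmp/btmp/lastlog file, rotated or not (a deliberately conservative choice,
# since those files hold login records).
_rotated_find() (
    dir=$1; days=$2; shift 2
    find "$dir" -xdev -type f -mtime +"$days" \
        \( -name '*.gz' -o -name '*.[0-9]' \) \
        ! -name 'wtmp*' ! -name 'btmp*' ! -name 'lastlog*' "$@"
)

# Print the files that would be removed, one per line.
list_rotated_logs() {
    _rotated_find "${1:-/var/log}" "${2:-30}" -print | sort
}

# Dry run by default; pass "--apply" as the third argument to delete.
# In apply mode each path is printed only after rm has succeeded.
clean_rotated_logs() {
    if [ "${3:-}" = "--apply" ]; then
        _rotated_find "${1:-/var/log}" "${2:-30}" -exec rm -f -- {} \; -print
    else
        list_rotated_logs "${1:-}" "${2:-}" | sed 's/^/would remove: /'
    fi
}
```

Source the file, run `clean_rotated_logs /var/log 30` to review the list, then repeat as root with `--apply` as the third argument.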

Instead of manual rm commands, consider these built-in tools:


# Use logrotate configuration
sudo logrotate -f /etc/logrotate.conf

# Clean with journalctl (for systemd)
sudo journalctl --vacuum-size=100M

# Install and use logrotate to handle automatic cleanup
sudo apt install logrotate

If you accidentally delete important logs or directories:


# Recreate essential log directories
sudo mkdir -p /var/log/{apt,apache2,nginx}

# Set correct permissions (Debian defaults)
sudo chmod 755 /var/log
sudo chown root:root /var/log

Remember that some applications may need to be restarted after log file removal:


# Common service restarts
sudo systemctl restart rsyslog
sudo systemctl restart apache2