Can I delete journal on Linux?

preface
Operating system information:
# cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
# uname -r
3.10.0-862.11.6.el7.x86_ sixty-four
one
two
three
four
five
During the system space occupation troubleshooting, it was found that the journal directory under/var/log/occupied about 10G of space. Compared with the 40G/directory of my server system disk, the occupancy rate is very high.
I haven't paid much attention to the journal directory before. Now let's see if the files in the journal directory can be deleted.
What is the journal directory?
Journalctl is used to query the logs collected by the systemd journal service. The systemd journal service is a service provided by the systemd init system to collect system logs.
As long as you do not need logs for any debugging, you can delete all the contents in/var/log/journal/*, but do not delete the directory itself.
You should check/etc/systemd/journal Conf, there is a setting that can limit the amount of logs stored by the system (described below), so the old logs will be rotated. This setting is not perfect, because the damaged files obviously will not be included in this total (at least this was the case a few months ago, and it is uncertain whether it has been repaired now).
Query how much disk space journalctl consumes
$ journalctl --disk-usage
Journals take up 3.8G on disk.
one
two
three
Control journal directory size
You can use this parameter in/etc/systemd/journald.conf to control the size of this directory:
SystemMaxUse=50M
one
If you follow the above method, you may need to restart the logging service to force log rotation. You can restart the service like this:
$ sudo systemctl kill --kill-who=main --signal=SIGUSR2 systemd-journald.service
one
journald. Description of conf configuration file options
Open/etc/systemd/journald In the conf configuration file, we can see that the configuration parameters are below the [Journal] line (the default is # of all logouts):
Storage=
Indicates where to store log files. The following values can be selected:
(1) "Volatile" means only saved in memory, that is, only saved in the/run/log/journal directory (it will be automatically created on demand).
(2) "Persistent" means to save it on the disk preferentially, that is, in the/var/log/journal directory preferentially (it will be automatically created on demand). However, if it fails (for example, "/var" has not been mounted earlier in system startup), it will be saved in the/run/log/journal directory (it will be automatically created on demand).
(3) "Auto" (the default value) is similar to "persistent", but the/var/log/journal directory is not automatically created. Therefore, the location of logs can be determined according to the existence of the directory.
(4) "None" means that no logs will be saved (all collected logs will be discarded directly), but log forwarding (see below) will not be affected. The default value is "auto"
Compress=
The default value "yes" means: compress and store objects larger than a specific threshold.
Seal=
The default value "yes" means that if there is a "sealing Key" (created by the -- setup keys command of journalctl (1)), FSS (Seekable Sequential key Generators) protection will be enabled for all persistent log files to avoid malicious or unintentional modification of log files.
SplitMode=
Set whether to split the log files according to each user to achieve log access control (the log daemon will ensure that each user can read their own log files). The splitting strategies that can be used are as follows: "uid" means that each user has its own unique log file (regardless of whether the user has a login session or not), but the system user's log is still recorded in the system log.
This is the default value. "None" means that the log file is not split by different users, but all logs are recorded in the system log. This means that non privileged users cannot read their own log information at all. Note that only the persistent logs (/var/log/journal) are split, and the logs in memory (/run/log/journal) are never split.
RateLimitIntervalSec=, RateLimitBurst=
Used to limit the log generation speed (set to zero to indicate no limit). RateLimitIntervalSec=used to set the length of a time period. The default value is 30 seconds.
RateLimitBurst=used to set a positive integer, representing the number of messages. The default value is 1000. It indicates that within the time period of RateLimitIntervalSec=, each service is allowed to generate at most RateLimitBurst=number (number) of logs.
In the same time period, the logs that exceed the limit will be discarded and cannot be recorded again until the next time period. For all discarded log messages, only one message similar to "xxx messages are discarded" will be used instead. This limit is specific to each service. If one service exceeds the limit, the logging of another service will not be affected.
RateLimitIntervalSec=The following time units can be used: "ms", "s", "min", "h", "d"
SystemMaxUse=, SystemKeepFree=, SystemMaxFileSize=, SystemMaxFiles=, RuntimeMaxUse=, RuntimeKeepFree=, RuntimeMaxFileSize=, RuntimeMaxFiles=
Limit the maximum size of the log file. The options starting with "System" are used to limit the disk usage, that is, the usage of/var/log/journal.
Options starting with "Runtime" are used to limit memory usage, that is,/run/log/journal usage.
Options starting with "System" are meaningful only when the/var/log/journal directory exists and is writable.
But options starting with "Runtime" always make sense. In other words, when/var is not mounted early in system startup, or when the system administrator prohibits the storage of logs on disk, only the options starting with "Runtime" are meaningful.
The journalctl and system journal tools will ignore all files in the log directory whose suffix is not equal to ". journal" or ". journal~". In other words, there should be no files in the log directory whose suffix is not equal to ". journal" or ". journal~", because these files will never be cleaned up.
SystemMaxUse=and RuntimeMaxUse=limit the maximum space that can be occupied by all log files together. SystemKeepFree=and RuntimeKeepFree=indicate at least how much space is reserved for other purposes except for log files. Systemd journal will consider these two factors at the same time, and try to limit the total size of log files to meet these two limits.
The default value of SystemMaxUse=and RuntimeMaxUse=is the smaller of 10% space and 4G space; The default value of SystemKeepFree=and RuntimeKeepFree=is the larger of 15% space and 4G space; If the file system is about to fill up and has exceeded the limit of SystemKeepFree=or RuntimeKeepFree=when systemd journal starts, logging will be paused. That is, if the file system has enough free space when creating log files, but the file system is occupied too much by other non log files later, then systemd journal will only pause logging immediately, but will not delete existing log files.
SystemMaxFileSize=and RuntimeMaxFileSize=limit the maximum volume of a single log file. When this limit is reached, the log file will automatically scroll. The default value is 1/8 of the corresponding SystemMaxUse=and RuntimeMaxUse=values, which also means that 7 history files are reserved by default for log scrolling.

The log size can use K, M, G, T, P, E suffixes based on 1024, corresponding to 1024 and 1024 respectively ², …  Bytes.
SystemMaxFiles=and RuntimeMaxFiles=limit the maximum number of log files that can exist at the same time. If this limit is exceeded, the oldest log file will be deleted, while the current active log file will not be affected. The default value is 100.
MaxFileSec=
The time interval for log scrolling. It is usually unnecessary to use the time-based log rolling policy, because the file size based log rolling policy controlled by SystemMaxFileSize=and RuntimeMaxFileSize=can ensure that the log file size does not exceed the limit. The default value is one month. If it is set to zero, the time-based log rolling policy is disabled. You can use the "year", "month", "week", "day", "h", and "m" time suffixes. If you do not use the suffix, it means the unit is seconds.
MaxRetentionSec=
Maximum retention period for log files. When the last modification time of the log file exceeds this period, it will be deleted. The default value of zero means that the time-based log deletion policy is not used. It is usually unnecessary to use a time-based log deletion policy, because the file size based log rolling policy controlled by SystemMaxUse=and RuntimeMaxUse=can ensure that the log file size does not exceed the limit. You can use the "year", "month", "week", "day", "h", and "m" time suffixes. If you do not use the suffix, it means the unit is seconds.
SyncIntervalSec=
The time interval for flushing log files to disk. The default value is five minutes. After flushing, the log file will be in the OFFLINE state. Note that after receiving the CRIT, ALERT, and EMERG log messages, the log files will be written unconditionally. Therefore, this setting is only meaningful for ERR, WARNING, NOTICE, INFO, and DEBUG level log messages.
ForwardToSyslog=, ForwardToKMsg=, ForwardToConsole=, ForwardToWall=
ForwardToSyslog=indicates whether to forward the received log messages to the traditional syslog daemon. The default value is "no". If it is set to "yes", but no process listens to the corresponding socket, then this forwarding is meaningless. This option can be overridden by the kernel boot option "systemd. cournald. forward_to_syslog". ForwardToKMsg=indicates whether to forward the received log messages to the kernel log buffer (kmsg). The default value is "no". This option can be overridden by the kernel boot option "systemd. cournald. forward_to_kmsg". ForwardToConsole=indicates whether to forward the received log messages to the system console. The default value is "no". If it is set to "yes", the forwarding destination can be specified by TTYPath=below. This option can be overridden by the kernel boot option "systemd. cournald. forward_to_console". ForwardToWall=indicates whether to send the received log messages to all logged in users as warning messages. The default value is "yes". This option can be overridden by the kernel boot option "systemd. cournald. forward_to_wall".
MaxLevelStore=, MaxLevelSyslog=, MaxLevelKMsg=, MaxLevelConsole=, MaxLevelWall=
MaxLevelStore=Set the maximum log level recorded in the log file. The default value is "debug"; MaxLevelSyslog=Set the maximum log level forwarded to the traditional syslog daemon. The default value is "debug"; MaxLevelKMsg=Set the maximum log level forwarded to the kernel log buffer (kmsg). The default value is "notice"; MaxLevelConsole=Set the maximum log level forwarded to the system console. The default value is "info"; MaxLevelWall=Set the maximum log level sent to all logged in users as a warning message. The default value is "emerg"; These options can be either the name of the log level or the number corresponding to the log level: "emerg" (0), "alert" (1), "crit" (2), "err" (3), "warning" (4), "notice" (5), "info" (6), "debug" (7). All log messages higher than the set level will be discarded directly, and only log messages lower than or equal to the set level will be saved/forwarded. The above settings can be overridden by the following kernel boot options: "system d. tournald. max_level_store=", "system d. tournald. max_level_syslog=", "system d. tournald. max_level_kmsg=", "system d. tournald. max_level_console=", "system d. tournald. max_level_wall="
ReadKMsg=
Whether to collect kernel logs. The default value of yes indicates that log messages generated by the kernel are read from/dev/kmsg.
TTYPath=
Specify the console TTY used when ForwardToConsole=yes. The default value is/dev/console
LineMax=
The maximum allowable length (bytes) of each log record when converting a log stream to a log record. If the standard output (STDOUT)/standard error (STDERR) of the cell is connected to the log through the stream socket, the log stream will be cut into independent log records with the newline character (" n", ASCII 10) and NUL character (" 0", ASCII 0) as the separator. If no separator is encountered after the length set here is exceeded, a separator will be automatically inserted to forcibly truncate a single line of super long logs into multiple lines. The larger the value of this option, the larger the memory occupied by each log stream client log daemon (the maximum value is equal to the value of this option). In addition, too large a value of this option will also cause incompatibility with traditional log transmission protocols (too long logs cannot be encapsulated in a single AF_UNIX or AF_INET message). The value of this option is in bytes, and K, M, G, T suffixes can also be added to the end of the number (based on 1024). The default value of 48K is large enough to be compatible with traditional log transport protocols. Note that it cannot be set to a value less than 79 (it will be automatically raised to 79).
Log forwarding
There are two different log forwarding methods:
(1) Through the socket file (/run/systemd/journal/syslog), the collected log messages can be immediately forwarded to the socket listener process (traditional syslog daemon). This method is controlled by the ForwardToSyslog=instruction.
(2) The log receiving process runs as a client, just as journalctl (1) reads log files. Therefore, this method is invalid when Storage=none. This method cannot read log messages in real time, but can read previously saved log messages (for example, read log messages earlier in system startup after system startup is completed). This method can also read the complete log metadata. Generally, this method cannot read the latest log messages, and can only read log messages that have been recorded on the file system.
be careful ⚠️： The syslog daemon usually uses this method (rather than the previous method), so the Storage=option (rather than the ForwardToSyslog=option) should not be set to "none".