problem hub
Read-only firstJournal logs too large on Linux
Measure systemd journal usage and retention before vacuuming logs or deleting journal directories.
Safest first command
journalctl --disk-usage
Before you run this
Expected output: A human-readable total for archived and active journal files.
When not to use it: Do not vacuum or delete logs before capturing incident evidence, retention requirements, and whether the logs are still needed for security or compliance review.
Expected output example
Archived and active journals take up 3.4G in the file system.
How to read the result
The number is total journal storage, not necessarily reclaimable space. Decide whether the pressure is journal-specific or part of broader /var disk pressure.
What to check next
Journal usage is large and /var is full
Means: Journal retention may be one contributor to disk pressure.
Next step: Compare journal size with /var and other hot directories before vacuuming.
Recent incident is still under investigation
Means: Vacuuming may remove evidence needed for diagnosis.
Next step: Export or capture relevant logs before retention changes.
Journal usage keeps growing quickly
Means: A noisy service may be flooding logs.
Next step: Find warning/error-heavy units before changing retention.
Journal log decision tree
Start by measuring journal usage, then compare it to the full filesystem and current incident timeline. systemd journal vacuum commands do not provide a reliable dry-run preview on all systems, so capture evidence first.
journalctl --disk-usagedu -sh /var/log/journal 2>/dev/nulldu -xhd1 /var/log 2>/dev/null | sort -h
Cleanup only after evidence is captured
This deletes journal data. Capture incident evidence, confirm retention needs, and compare journal usage with the rest of /var before running a vacuum command. If your journalctl version does not support a dry-run style preview, treat vacuuming as a real deletion.
journalctl --disk-usagejournalctl -p err..alert --since "2 hours ago" --no-pagerjournalctl --vacuum-time=7d
Bad fixes to avoid
Do not delete /var/log/journal manually. Do not vacuum logs before capturing incident evidence. Do not use journal cleanup as a substitute for fixing a service that is flooding logs.
Common causes
- Verbose failing service
- Long retention with persistent journal
- Small /var filesystem
- Container or host log burst
- Old incidents never vacuumed
What not to change yet
- Do not delete journal directories manually.
- Do not vacuum before collecting current incident logs.
- Do not ignore the service producing the log volume.
Stop and escalate if
- The next step could interrupt users, remove data, or lock out access.
- The output includes secrets, customer data, or private infrastructure details.
- You cannot explain the blast radius of the repair command.
platform notes
Distro and service notes
systemd
Vacuuming deletes journal data; retention settings belong in journald configuration.
Storage
Use the disk-full hub if /var has multiple large contributors.
supporting commands
Command path
Guides and drills
- Disk Full on Linux: First Response Without Guessing
- Disk Is Full: Prove Which Filesystem Is Out
- Linux disk full hub Use when journal growth is one part of broader filesystem pressure.
- systemd service failed Use when one unit is flooding logs because it is failing repeatedly.