Resolving overflows in the /var file system

Check the following when the /var file system has become full.

  • You can use the find command to look for large files in the /var directory. For example:
    find /var -xdev -size +2048 -ls | sort -r +6

    For detailed information, see the command description for the find command.

  • Check for obsolete or leftover files in /var/tmp.
  • Check the size of the /var/adm/wtmp file, which logs all logins, rlogins and telnet sessions. The log will grow indefinitely unless system accounting is running. System accounting clears it out nightly. The /var/adm/wtmp file can be cleared out or edited to remove old and unwanted information. To clear it, use the following command:
    cp /dev/null /var/adm/wtmp
    To edit the /var/adm/wtmp file, first copy the file temporarily with the following command:
    /usr/sbin/acct/fwtmp < /var/adm/wtmp >/tmp/out
    Edit the /tmp/out file to remove unwanted entries, then replace the original file with the following command:
    /usr/sbin/acct/fwtmp -ic < /tmp/out > /var/adm/wtmp
  • Clear the error log in the /var/adm/ras directory using the following procedure. The error log is never cleared unless it is manually cleared.
    Note: Never use the cp /dev/null command to clear the error log. A zero-length errlog file disables the error logging functions of the operating system and must be replaced from a backup.
    1. Stop the error daemon using the following command:
    2. Remove the error log file, or move it to a different file system, by using one of the following commands:
      rm /var/adm/ras/errlog
      mv /var/adm/ras/errlog filename

      Where filename is the name of the moved errlog file.

      Note: The historical error data is deleted if you remove the error log file.
    3. Restart the error daemon using the following command:
    Note: Consider limiting the errlog by running the following entries in cron:
    0 11 * * * /usr/bin/errclear -d S,O 30
    0 12 * * * /usr/bin/errclear -d H 90
  • Check whether the trcfile file in this directory is large. If it is large and a trace is not currently being run, you can remove the file using the following command:
    rm /var/adm/ras/trcfile
  • If your dump device is set to hd6 (which is the default), there might be a number of vmcore* files in the /var/adm/ras directory. If their file dates are old or you do not want to retain them, you can remove them with the rm command.
  • Check the /var/spool directory, which contains the queueing subsystem files. Clear the queueing subsystem using the following commands:
    stopsrc -s qdaemon
    rm /var/spool/lpd/qdir/*
    rm /var/spool/lpd/stat/*
    rm /var/spool/qdaemon/*
    startsrc -s qdaemon
  • Check the /var/adm/acct directory, which contains accounting records. If accounting is running, this directory may contain several large files.
  • Check the /var/preserve directory for terminated vi sessions. Generally, it is safe to remove these files. If a user wants to recover a session, you can use the vi -r command to list all recoverable sessions. To recover a specific session, use vi -r filename.
  • Modify the /var/adm/sulog file, which records the number of attempted uses of the su command and whether each was successful. This is a flat file and can be viewed and modified with your preferred editor. If it is removed, it will be recreated by the next attempted su command.
  • Modify the /var/tmp/snmpd.log file, which records events from the snmpd daemon. If the file is removed, it will be recreated by the snmpd daemon.
    Note: The size of the /var/tmp/snmpd.log file can be limited so that it does not grow indefinitely. Edit the /etc/snmpd.conf file to change the number (in bytes) in the appropriate section for size.
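
The wtmp and sulog items above clear files that also serve as login and su audit records. As an added example (not part of the original documentation), the following function copies such a log to an archive directory and verifies the copy before truncating the original with cp /dev/null, and it refuses the errlog file in line with the note above. The function name archive_then_clear and its archive-directory argument are hypothetical.

```shell
# Added example, not from the original page. archive_then_clear and the
# archive directory it takes are hypothetical names chosen for illustration.
# Usage: archive_then_clear /var/adm/wtmp /archive/dir
archive_then_clear() {
    log=$1
    dest=$2
    case $log in
        # The page warns that a zero-length errlog disables error logging.
        */errlog)
            echo "refusing to truncate $log" >&2
            return 2 ;;
    esac
    [ -f "$log" ] || { echo "no such file: $log" >&2; return 1; }
    [ -d "$dest" ] || { echo "no archive directory: $dest" >&2; return 1; }

    # An archive on the same file system as the log frees no space.
    log_fs=$(df -P "$log" | awk 'NR==2 {print $1}')
    dest_fs=$(df -P "$dest" | awk 'NR==2 {print $1}')
    if [ "$log_fs" = "$dest_fs" ]; then
        echo "warning: $dest is on the same file system as $log" >&2
    fi

    copy=$dest/$(basename "$log").$(date +%Y%m%d%H%M%S)
    cp -p "$log" "$copy" || return 1

    # Verify the archive (CRC and byte count) before destroying the original.
    # Records appended between the copy and the truncation are lost, so run
    # this during a quiet period.
    src_sum=$(cksum < "$log")
    arc_sum=$(cksum < "$copy")
    if [ "$src_sum" != "$arc_sum" ]; then
        echo "archive does not match $log; original left untouched" >&2
        rm -f "$copy"
        return 1
    fi

    # Truncate in place, as the page does, so owner and mode are unchanged.
    cp /dev/null "$log" || return 1
    echo "$copy"
}
```

The function prints the path of the archived copy on success, so the result can be recorded in a change log or passed to a compression step.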