Resolving overflows in the /var file system
Check the following when the /var file system has become full.
- You can use the find command to look for large files in the /var directory.
For example:
find /var -xdev -size +2048 -ls| sort -r +6
For detailed information, see the command description for the find command.
- Check for obsolete or leftover files in /var/tmp.
- Check the size of the /var/adm/wtmp file, which
logs all logins, rlogins and telnet sessions. The log will grow indefinitely
unless system accounting is running. System accounting clears it out nightly.
The /var/adm/wtmp file can be cleared out or edited
to remove old and unwanted information. To clear it, use the following command:
cp /dev/null /var/adm/wtmp
To edit the /var/adm/wtmp file, first copy the file temporarily with the following command:/usr/sbin/acct/fwtmp < /var/adm/wtmp >/tmp/out
Edit the /tmp/out file to remove unwanted entries then replace the original file with the following command:/usr/sbin/acct/fwtmp -ic < /tmp/out > /var/adm/wtmp
- Clear the error log in the /var/adm/ras directory
using the following procedure. The error log is never cleared unless it is
manually cleared. Note: Never use the cp /dev/null command to clear the error log. A zero-length errlog file disables the error logging functions of the operating system and must be replaced from a backup.
- Stop the error daemon using the following command:
/usr/lib/errstop
- Remove or move to a different filesystem the error log file by using one
of the following commands:
rm /var/adm/ras/errlog
ormv /var/adm/ras/errlog filename
Where filename is the name of the moved errlog file.
Note: The historical error data is deleted if you remove the error log file. - Restart the error daemon using the following command:
/usr/lib/errdemon
Note: Consider limiting the errlog by running the following entries in cron:0 11 * * * /usr/bin/errclear -d S,O 30 0 12 * * * /usr/bin/errclear -d H 90
- Stop the error daemon using the following command:
- Check whether the trcfile file in this directory
is large. If it is large and a trace is not currently being run, you can remove
the file using the following command:
rm /var/adm/ras/trcfile
- If your dump device is set to hd6 (which is the default), there might be a number of vmcore* files in the /var/adm/ras directory. If their file dates are old or you do not want to retain them, you can remove them with the rm command.
- Check the /var/spool directory, which contains the
queueing subsystem files. Clear the queueing subsystem using the following
commands:
stopsrc -s qdaemon rm /var/spool/lpd/qdir/* rm /var/spool/lpd/stat/* rm /var/spool/qdaemon/* startsrc -s qdaemon
- Check the /var/adm/acct directory, which contains accounting records. If accounting is running, this directory may contain several large files.
- Check the /var/preserve directory for terminated vi sessions. Generally, it is safe to remove these files. If a user wants to recover a session, you can use the vi -r command to list all recoverable sessions. To recover a specific session, usevi -r filename.
- Modify the /var/adm/sulog file, which records the
number of attempted uses of the su command and whether
each was successful. This is a flat file and can be viewed and modified with
a favorite editor. If it is removed, it will be recreated by the next attempted su command.
Modify the /var/tmp/snmpd.log, which records events from
the snmpd daemon. If the file is removed it will be recreated
by the snmpd daemon. Note: The size of the /var/tmp/snmpd.log file can be limited so that it does not grow indefinitely. Edit the /etc/snmpd.conf file to change the number (in bytes) in the appropriate section for size.