.journal files belong to systemd-journald, an alternative to the traditional "syslog", so they mostly contain various service messages, and the same rules apply:
The main log file is archived (i.e. "rotated") every 𝒏 days / every 𝒏 megabytes, so system.journal [1] contains the latest messages (similar to /var/log/syslog), while the various system@*.journal files are the log archives (similar to /var/log/syslog.1,2,3,… and so on).
If you know that you do not need old log messages, it is safe to delete the archived journals (all the /var/log/journal/*/*@* files). You can even configure automatic cleanup in /etc/systemd/journald.conf, for example, expire all logs older than 3 months using MaxRetentionSec=3months.
As with syslog, it is not recommended to delete the "current" system.journal file, as the journal service still has it open, so the data will actually remain on disk until next reboot. (However, recent journald versions detect this and work properly anyway.)
That said, perhaps you should take a look at those logs (using journalctl -b and various other options), in case something abnormal is happening. If you see huge numbers of SSH login attempts, fail2ban might be useful.
[1] On some distros, syslog messages generated by your own programs are separated into user-* journals rather than the system one, for access control purposes. (For example, user 1000 can read messages from user-1000.journal but not necessarily system.journal.) Rotation and everything else remain the same.
[2] You can trigger log rotation using systemctl kill -s SIGUSR2 systemd-journald.
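An added example, not part of the original answer: a read-only shell helper that applies the naming rule described above (archived journals match /var/log/journal/*/*@*, active ones do not) so you can see which files are rotated archives and how much space they hold before deciding to delete anything. The function names are made up for this example, and the directory to inspect is passed as an argument.

```shell
#!/bin/sh
# Added example: classify journal files by name and total the archived ones.
# Nothing is deleted; the script only reads file names and sizes.

# journal_kind FILE -> "archived" (name contains '@', e.g. system@*.journal),
#                      "active"   (system.journal, user-1000.journal),
#                      "other"    (anything else)
journal_kind() {
    case "$(basename "$1")" in
        *@*)       echo archived ;;
        *.journal) echo active ;;
        *)         echo other ;;
    esac
}

# list_archived DIR -> one path per line for every DIR/<machine-id>/*@* file
list_archived() {
    for f in "$1"/*/*@*; do
        [ -f "$f" ] || continue      # skip the literal pattern when nothing matches
        echo "$f"
    done
}

# archived_bytes DIR -> total size in bytes of the archived journals under DIR
archived_bytes() {
    total=0
    for f in "$1"/*/*@*; do
        [ -f "$f" ] || continue
        total=$(( total + $(wc -c < "$f") ))
    done
    echo "$total"
}

# report DIR -> kind and path for every file, then the archived total
report() {
    for f in "$1"/*/*; do
        [ -f "$f" ] || continue
        printf '%-9s %s\n' "$(journal_kind "$f")" "$f"
    done
    echo "archived total: $(archived_bytes "$1") bytes"
}

# Run only when a directory is given, e.g.: sh journal-report.sh /var/log/journal
if [ -n "${1:-}" ]; then
    report "$1"
fi
```

Reading system.journal may require root or membership in a group with journal access; the file listing itself only needs read access to the directory.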