Is it safe to remove “.journal” files in CentOS?

Question

First of all I’m a Linux noob, I just know the basics.

I have a VPS running a TeamSpeak 3 server, but I’m slowly running out of space as you can see here:

The TeamSpeak 3 server itself doesn’t make too much logs… I think that CentOS is creating them. So, I searched a little bit and I found this directory: /var/log/journal and a directory in it . There are these files in it:

The question is, can I safely just delete them? These are the files that are eating my space?

I found some people on the Internet telling that was perfectly safe and others saying that it isn’t safe.

Answer 1

The question is, can I safely just delete them? These are the files that are eating my space?

Those files are just log files. So you can toss them manually if you wish. But that would only be a temporary fix since those specific log files are being created with no limit set.

So if you are nervous about just tossing the files—and want a long term fix so you don’t have to worry about that anymore—then don’t do just toss the logs manually. Instead you should adjust the journald (Journal Daemon) log rotation configuration to direct it to prune the current stored logs and prevent this from happening again.

To do this, just edit the main journald config file:

/etc/systemd/journald.conf

And set the SystemMaxUse value; that 100M value is just my arbitrary example setting so adjust higher or lower based on what you think your logging needs would be:

SystemMaxUse=100M

Save the file and then check the amount of journald log disk usage like this:

sudo journalctl --disk-usage

After that, restart the systemd-journald.service like this so the new SystemMaxUse is in effect:

sudo systemctl restart systemd-journald.service

Then check the journald log disk usage after the service restarts like this:

sudo journalctl --disk-usage

Disk usage for those should now be lowered to whatever the value of SystemMaxUse is.

Answer 2

.journal files belong to systemd-journald, an alternative for the traditional "syslog", so they mostly contain various service messages, and the same rules apply:

The main log file is archived (i.e. "rotated") every 𝒏 days / every 𝒏 megabytes, so system.journal¹ contains the latest messages (similar to /var/log/syslog), while the various system@*.journal files are the log archives (similar to /var/log/syslog.1,2,3,… and so on).

If you know that you do not need old log messages, it is safe to delete the archived journals (all the /var/log/journal/*/*@* files). You can even configure automatic cleanup in /etc/systemd/journald.conf, for example, expire all logs older than 3 months using MaxRetentionSec=3months.

As with syslog, it is not recommended to delete the "current" system.journal file, as the journal service still has it open, so the data will actually remain on disk until next reboot. (However recent journald versions detect this and work properly anyway.)

That said, perhaps you should take a look at those logs (using journalctl -b and various other options), in case something abnormal is happening. If you see huge numbers of SSH login attempts, fail2ban might be useful.

---

¹ On some distros, syslog messages generated by your own programs are separated into user-* journals rather than the system one, for access control purposes. (For example, user 1000 can read messages from user-1000.journal but not necessarily system.journal.) Rotation and everything else remain the same.

² You can trigger log rotation using systemctl kill -s SIGUSR2 systemd-journald.