π Introduction#
Logs are one of the most important tools for debugging, auditing, and monitoring Linux systems.
But without proper log management, your server can quickly run into problems:
- disks filling up
- slow journal queries
- missing historic logs
- bloated
/var/log/directories - performance issues
In this guide, you’ll learn how to efficiently manage logs using journalctl, systemd-journald, logrotate, and important best practices for production servers.
π 1. Understanding journald & journalctl#
Most modern Linux distributions use systemd-journald for log collection.
View logs (basic)#
journalctl
Follow logs live#
journalctl -f
Show logs for a specific service#
journalctl -u sshd
journalctl -u nginx
journalctl -u docker
Show logs since boot#
journalctl -b
Show logs for the last hour#
journalctl --since "1 hour ago"
πΎ 2. Enable Persistent Logging#
By default, some distros log only to memory (volatile).
To enable persistent logs:
sudo mkdir -p /var/log/journal
sudo systemctl restart systemd-journald
Now journald writes logs to disk.
Check journald storage mode#
journalctl --disk-usage
π οΈ 3. Configure journald (Storage, Compression, Limits)#
Edit:
sudo nano /etc/systemd/journald.conf
Important options:
Storage=persistent
SystemMaxUse=500M
SystemKeepFree=1G
SystemMaxFileSize=50M
RuntimeMaxUse=200M
Compress=yes
Apply changes:
sudo systemctl restart systemd-journald
π 4. Vacuum (Cleanup) Old Logs#
Delete logs older than 7 days:
journalctl --vacuum-time=7d
Delete logs until usage < 200M:
journalctl --vacuum-size=200M
Delete oldest files until only recent 10 files remain:
journalctl --vacuum-files=10
π 5. Understanding logrotate#
Traditional logs (non-journald) live in:
/var/log/*.log
logrotate handles:
- rotation
- compression
- retention
- permissions
Example rotation config (Nginx)#
File:
/etc/logrotate.d/nginx
Content:
/var/log/nginx/*.log {
daily
missingok
rotate 14
compress
delaycompress
notifempty
sharedscripts
postrotate
systemctl reload nginx
endscript
}
Run manually:
sudo logrotate -f /etc/logrotate.conf
Check status:
cat /var/lib/logrotate/status
π§ 6. Troubleshooting Common Log Problems#
Disk full because journald grew too large#
journalctl --disk-usage
journalctl --vacuum-size=200M
Logrotate not running?#
sudo systemctl status logrotate.timer
Logs missing after reboot?#
Check if persistent logging is enabled.
Service not logging?#
journalctl -u <service> -e
Check file permissions#
ls -la /var/log
π§° 7. Automating Log Cleanup (Example Script)#
Add this to your scripts repo:
#!/usr/bin/env bash
# cleanup-logs.sh β safe log cleanup
journalctl --vacuum-size=200M
journalctl --vacuum-time=14d
logrotate -f /etc/logrotate.conf
echo "Log cleanup completed."
β 8. Best Practices for Production#
- Enable persistent journald logs
- Set size limits to avoid disk explosions
- Rotate logs regularly
- Monitor
/var/log/usage - Donβt keep logs forever (privacy + disk usage)
- Use central logging for important systems (ELK, Loki, CloudWatch, etc.)
π― Conclusion#
Log management is essential for stable Linux systems.
With the right combination of journalctl, journald limits, and logrotate, you ensure your system stays clean, fast, and predictable β even under heavy load.
π Need Help Managing Linux Servers?#
Managing logs, storage, and system performance can be time-consuming.
TechZ (techz.at) helps companies:
- secure & maintain Linux servers
- optimize log retention
- prevent storage outages
- automate monitoring & maintenance
π Need expert help? Contact us anytime.