603

I couldn't find in google any safe way to clear systemd journal. Do anyone know any safe and reliable way to do so?

Let's say I was experimenting with something and my logs got cluttered with various error messages. Moreover I'm displaying my journal on my desktop by using Conky. I really don't want to see those errors as they remind me an awful day I was fixing this stuff, I want to feel like a fresh man after this horror. I think everyone will agree that this is a valid reason to clear the logs :P .

sourcejedi
  • 50,249
Łukasz Zaroda
  • 6,593
  • 7
    This is the top search result when looking for a way to clear journal entries. However, none of the answers below actually answer the question, because they either delete old logs or all logs. None of them are about clearing recent or specific logs. I posted a guide for deleting specific log entries at https://unix.stackexchange.com/questions/272662/how-do-i-clear-journalctl-entries-for-a-specific-unit-only/616732#616732 – Rob W Oct 27 '20 at 23:00
  • 1
    I got the best result with journalctl --flush --rotate --vacuum-time=1s and journalctl --user --flush --rotate --vacuum-time=1s. – accdias Apr 22 '23 at 14:36
  • 1
    @Rob, no. The question asks to clear logs, not delete specific ones. Though you input might be valuable for some too. – Alex Martian Jan 14 '24 at 10:35

16 Answers16

837

The self maintenance method is to vacuum the logs by size or time.

Retain only the past two days:

journalctl --vacuum-time=2d

Retain only the past 500 MB:

journalctl --vacuum-size=500M

man journalctl for more information.

Cristian Ciupitu
  • 2,510
Michael
  • 8,402
  • 17
    Nice command, but didn't work for me on openSUSE 13.2 (the current stable release). It's known that Arch is usually at the cutting edge when it comes to kernel and userland programs, so I speculated that vacuum options might have been recently added to systemd and simply haven't precipitated down into my distro. Confirmed the fact here in Lennart's announcement on Dec 10 2014 http://techupdates.com/go/1002774 that this command was added in systemd v218. Just adding this comment incase any one else like me who is not on Arch has a similar issue. Upvoted anyway. – Joshua Huber Apr 23 '15 at 00:33
  • I just used 'journalctl --vacuum-time=1d' to fix a situation where new log messages weren't showing with 'journalctl -f'. Apparently my system time had temporarily jumped about a day forward for a while, then recovered, and journalctl was using the log event timestamps from that future time as the journal tail. – user5071535 Nov 16 '15 at 18:23
  • 11
    Didn't work in version "systemd 229" on Ubuntu 16.04. journalctl --vacuum-size=1K then journalctl still shows way more than 1K. It shows all the messages since the last boot. – Dan Dascalescu Sep 10 '16 at 04:23
  • -1 Did not work on Fedora 25, systemd 231. Command used: sudo journalctl --vacuum-time=1s && sudo journalctl --vacuum-size=1K && sudo systemctl restart systemd-journald && journalctl -u systemd-resolved – Piotr Dobrogost Jan 03 '17 at 14:33
  • 55
    It seems that this only clears archived logs, not active ones. I tried running journalctl --flush --rotate before journalctl --vacuum-time=1s and it removed more stuff, although still not everything. – user60039 Feb 07 '17 at 19:42
  • 4
    The documentation doesn't seem so clear to me. Does it always stay set to 2d (in your example)? Or is 2d from the time you run the command? Maybe I'm not understanding how this works exactly. – jersey bean Aug 03 '17 at 01:49
  • 1
    journalctl: unrecognized option '--rotate' – stiv Oct 07 '18 at 12:24
  • 2
    Careful though, I used sudo journalctl --vacuum-time=7d and was only left with logs from today... Seems like a buggy feature – aardbol Apr 15 '19 at 19:57
  • gotta use sudo, so put a # in front puhlease – Alexander Mills Mar 30 '20 at 21:59
  • 6
    @AlexanderMills Hi Alexander. If someone knows that "#" means "as root", they certainly know that system management tasks always require special privileges. Also, depending on your setup you don't necessarily have to use sudo, e. g. you can work as root. Also it really hinders you from copy pasting commands directly to terminal, especially if they're multi-line. This also applies to lines beginning with "$", of course. It was never neither useful, nor esthetic. And since there are code blocks, you don't even have a problem to recognise things as commands. – bot47 Jan 27 '21 at 08:33
  • I got the best result with journalctl --flush --rotate --vacuum-time=1s and journalctl --user --flush --rotate --vacuum-time=1s. – accdias Apr 22 '23 at 14:37
  • On Linux Mint based system I had to additionally sudo systemctl stop systemd-journal*, sudo find /run/log -name system.journal -exec dd if=/dev/null of={} count=0 bs=1 \;. Then sudo systemctl start systemd-journal.service – Alex Martian Jan 14 '24 at 10:38
223

You don't typically clear the journal yourself. That is managed by systemd itself and old logs are rotated out as new data comes in. The correct thing to do would be to schedule journald to only keep as much data as you are interested in. The most usual thing to adjust is the total disk space it is allowed to take up. Once it crosses this boundry it will start pitching old entries to stay near this value.

You can set this in /etc/systemd/journald.conf like so:

SystemMaxUse=100M

This will be enforced on the next reboot or restart of the journald service:

$ systemctl restart systemd-journald
Caleb
  • 70,105
  • 28
    Ok, but there are also untypical situations. I know that most of them is just aesthetics as a reason, but aesthetics is a valid reason for human being ;) . – Łukasz Zaroda Jun 27 '14 at 12:08
  • 4
    @ŁukaszZaroda In that case you are going to have to define "safe". Normally "I want to blow away something that a daemon is configured to keep" is incompatible with "safe". If you want to force it just shut down the service and zero out the log files. If you want it to work normally you should define the parameters in your question better. What do you mean by "safe"? – Caleb Jun 27 '14 at 12:17
  • 1
    By safe, I mean that after clearing it will work as usual, just starting from the new place. – Łukasz Zaroda Jun 27 '14 at 12:19
  • 5
    It may be not typical situation but sometimes it is necessary to delete old logs due to some systemd's bugs, e.g. https://bbs.archlinux.org/viewtopic.php?pid=1173031#p1173031 – anlar Jun 27 '14 at 15:57
  • 14
    To clean logs after a period of time rather than when they reach a certain size, you can set the parameter MaxRetentionSec instead of SystemMaxUse. See man journald.conf for more details. – joelostblom Mar 29 '18 at 13:08
  • 1
    Also, one may specify SystemKeepFree=1G, or something along those lines. In any case, logs are not supposed to exceed 4G ("each value is capped to 4G"). – x-yuri Apr 13 '18 at 09:37
218

Michael's answer is missing one thing: vacuuming only removes archived journal files, not active ones. To get rid of everything, you need to rotate the files first so that recent entries are moved to inactive files.

So, the complete answer to remove all entries seems to be

sudo journalctl --rotate
sudo journalctl --vacuum-time=1s

(Note that you cannot combine this into one journalctl command.)

By the way, some distributions have journald configured so that it writes logs to disk (/var/log/journal) while others keep logs in memory (/run/log/journal). I expect that in some cases it may be necessary to use sudo journalctl --flush first to get everything removed.

If you don't have --rotate in your version, you can use the --since argument to filter entries:

--since "2019-01-30 14:00:00"
--since today
Community
  • 1
Jan Warchoł
  • 3,091
  • 8
    journalctl: unrecognized option '--rotate' – stiv Oct 07 '18 at 12:22
  • 14
    while I get what the other answers are approaching (long term strategy) - the question is simple: how do you clear logs now (maybe you're not interested in the long term for your current task). This answers that question without making other assumptions and adds other great value to understanding journalctl. This should be the answer. – Marc Oct 20 '18 at 15:39
  • 5
    Original question was "how do I reset my logs for debugging purposes". This is the only answer that addresses that. And I'm really glad I found it. The rest are interesting journalctl factoids, but not answers to the questions. – Travis Griggs Oct 25 '19 at 19:08
  • 1
    Note that this is a one-off command. It sounded to me like it would permanently set the vacuum time to 1 second, but no, this just removes current logs without changing your configuration (which is what I wanted). – Luc May 26 '21 at 12:13
  • 1
    This appears to clear all systemd logs. How would you clear all logs pertaining to a particular service while allowing all other sevices to retain their log-entries? – Lonnie Best Jun 20 '22 at 06:34
  • 1
    Note that empty journal files still take up 8M, though, which may cause some confusion when running journalctl --disk-usage. You get an 'empty' file for the system and each user after the vacuum. – EML Jun 23 '22 at 10:39
  • Thanks.

    I think should be the accepted answer.

     – Mohamed Bana Feb 14 '23 at 21:47
  • Thanks for this. The single liner sudo journalctl --rotate --vacuum-time=1s is working for me in Debian 12, systemd 252 (252.22-1~deb12u1) – Pavin Joseph Feb 16 '24 at 08:35
32

On Arch linux, the closest I got was:

  • Edit /etc/systemd/journald.conf to set SystemMaxUse=1M
  • Restarting journal: sudo systemctl restart systemd-journald
  • Resetting SystemMaxUse=200M
  • Re-Restarting the journal

On my system, each journal file is 8MB, and the above cleared all but 3, bringing the total size to ~25MB.

My use-case was disabling CoW for BTRFS (just for the journal directory and subdirectories): sudo chattr +C /var/log/journal/*. The problem is, the attribute is only set on newly-created files, thus the desire to flush the journal.

helmingstay
  • 439
  • 6
    Your use-case was actually not needed. The point of disabling CoW on the journal is that it is frequently written to. That is not the case for the old rotated journal files, they just sit there. – Hjulle Mar 31 '15 at 10:03
  • 1
    I've set SystemMaxUse=1K, restarted systemd-journald, but journalctl still shows entries I want gone. How is this progress from flat text files? – Dan Dascalescu Sep 10 '16 at 04:18
29

Since --vacuum-time and --vacuum-size didn't do a thing for me I did the following:

$ sudo find /var/log/journal -name "*.journal" | xargs sudo rm 
$ sudo systemctl restart systemd-journald

It's not right, but it worked.

Jeff Schaller
  • 67,283
  • 35
  • 116
  • 255
Matt
  • 766
  • On Debian Jessie, the path is /run/log. – Synchro Feb 12 '18 at 18:23
  • 4
    This is the currently correct answer. It would be nice if the journalctl command could do this but it appears unable. – Kevin Lyda Sep 26 '19 at 10:43
  • Some programs do not handle their logs properly and this may break them – 0x777C Dec 26 '19 at 13:42
  • 1
    This seems to be the only working command from all the answers here, at least for Ubuntu 18.04. 3 GB of /var/log/journal/* from about 3 years were removed by none of the "vacuum" variants mentioned in other answerd – Dweia Mar 15 '21 at 16:00
  • On Arch, the vacuum options cleared some intermediary stuff, but the log was always full of stuff from months ago sans the recent stuff. This is the only answer that truly cleared journalctl out – EkriirkE Mar 30 '23 at 14:44
19

A very brute force method to clean the entire log:

$ sudo journalctl --vacuum-time=1seconds

You can also use --vacuum-size as Michael mentoined.

Lanti
  • 415
15

Both --rotate and --vacuum-time=1s didn't work for me on CentOS. I was able to clear it like this:

sudo rm -rf /run/log/journal/*
stiv
  • 1,541
  • 1
    I found 2 directories with hexadecimal name in ./journal. The journalctl commands only works in the most recent one. So I had to delete the old directory manually and that is safe. After I just limit the size in journal conf. – KeitelDOG Feb 19 '19 at 20:40
  • 2
    On Ubuntu Server 20.04, that folder you mentioned exists, but there was nothing in it (ls -lah /run/log/journal/). – Lonnie Best Aug 02 '20 at 12:25
  • 1
    On Ubuntu the directory appears to be /var/log/journal/*. – Eerik Sven Puudist Nov 15 '20 at 20:32
  • Are you sure? What did you do after performing this action and how did you verify? I'm preparing RHEL 7 and RHEL 8 virtual machines for templateing with cloud-init and while loglines with older timestamps appear to be gone I can see the old hostname on the RHEL 7 machine which has no --rotate option. Yes you are messing with journald and delete its files (I'm even restarting journald system unit), but I think systemd in its design to be modern and trustworthy bites back and posts the content it has in memory right back. It might take a reboot, but it's there. – LiveWireBT Jan 30 '21 at 17:32
  • Regarding my previous comment I found that the hostname is compiled in the initrd: https://unix.stackexchange.com/a/284551/49853 and dracut -f -v solves my problem on RHEL 7. I opted for a solution using find since in some shells or under some circumstances expansion may not work: find "/run/log/journal/" "/var/log/journal/" "/var/run/log/journal/" -type f -delete. – LiveWireBT Jan 31 '21 at 03:13
11

My previous answer just got deleted for being "duplicated". Well, sorry for not being clear enough in my previous answer, but it was different from existing answers. So here's a more elaborated version:

journalctl -m --vacuum-time=1s did the trick for me. Please DO notice the -m flag, it merges all your journals and then clean them up. Without the -m flag, it didn't clean up anything in my case (on CentOS-7).

Hope it helps.

fengye87
  • 211
  • 2
  • 2
4

Create this file (and possibly its parent directory): /etc/systemd/journald.conf.d/max-size.conf

With contents:

[Journal]
SystemMaxUse=100M

The space will be freed after you reboot or run sudo systemctl restart systemd-journald

This will keep your journald log small now and forever. Because the config is stored in a dedicated file, there is no editing mess and it's easy to remove the config later (or see what exactly have you changed in the past). You can also specify maximum journal entries time with: MaxRetentionSec=3day

VasyaNovikov
  • 1,246
  • Docs for this technique: https://wiki.archlinux.org/title/Systemd/Journal#Journal_size_limit — https://wiki.archlinux.org/title/Systemd#Drop-in_files – WoodrowShigeru Jul 30 '23 at 08:21
4

I was facing the same situation as you. After some searching, I realize

  1. It is impossible to clear logs for a specific service without 3rd party script.
  2. journalctl --vacuum-time 1s can only clear archived logs. So you may find that the annoying logs still exist after this command.
  3. You can work around this by first journalctl --rotate. This command archives logs immediately so that '--vacuum-time 1s' will take effect.
  4. Actually after 'journalctl --rotate' these annoying logs should have disappeared. So the final answer should be journalctl --rotate.

P.S. Here are relevant parts of journalctl's help

  -N --fields                List all field names currently used
  -F --field=FIELD           List all values that a specified field takes
     --disk-usage            Show total disk usage of all journal files
     --vacuum-size=BYTES     Reduce disk usage below specified size
     --vacuum-files=INT      Leave only the specified number of journal files
     --vacuum-time=TIME      Remove journal files older than specified time
     --verify                Verify journal file consistency
     --sync                  Synchronize unwritten journal messages to disk
     --relinquish-var        Stop logging to disk, log to temporary file system
     --smart-relinquish-var  Similar, but NOP if log directory is on root mount
     --flush                 Flush all journal data from /run into /var
     --rotate                Request immediate rotation of the journal files
     --header                Show journal header information
     --list-catalog          Show all message IDs in the catalog
     --dump-catalog          Show entries in the message catalog
     --update-catalog        Update the message catalog database
     --setup-keys            Generate a new FSS key pair
Youran
  • 143
3

Also sudo journalctl --vacuum-files 1.

marcio
  • 141
2

journalctl -b will show only from the most recent boot. You can also use -b -1, -b -2 etc. Your horrendous day is still there but you won't have to see it, unless you need to.

sourcejedi
  • 50,249
David
  • 37
  • 2
2

  1. Back it up in case if you need it in future:

    cp /run/log/journal/<temp-string>/system.journal /mylog/dir/back/system.journal.bak

  2. Clear the file:

    cd /run/log/journal/<temp-string>/
>system.journal

  3. Check to see latest logs:

    journalctl -xe
Maxpm
  • 772
Girish KG
  • 121
  • Clear the file with a cd command? – Alexis Wilke Nov 04 '20 at 21:39
  • @AlexisWilke The cd command is just to navigate to the directory, the next line is bashism which truncates the size of the file to 0 (this answer assumes the shell used is Bash, and doesn't work with things like zsh) – Ferrybig Feb 08 '21 at 13:38
  • @Ferrybig Ah. Now that the formatting was fixed, I can see how that works. Before those two lines appeared on a single line. – Alexis Wilke Feb 08 '21 at 18:32
0

I was baking in a factory reset step at the end of a machine image provisioning script.

Ended up using this:

sudo journalctl --relinquish-var --rotate
sudo find /var/log -type f -print -delete
# very soon after here, shutdown happens & whole-OS machine snapshot is taken

This allows new instances spawned from this image to have logs starting from a clean slate.

So that, e.g. journalctl --list-boots will show only the boots of the instance itself — without phantom boots from previous life recorded by the image-provisioner instance.

ulidtko
  • 1,018
  • 8
  • 16
0

journalctl is a query command, and it is unnecessary to delete past logs in order to avoid querying them. If you want to start with a clean slate, then query only recent entries, and use the --follow flag to show entries made after you run that command.

journalctl --follow --since="$(date "+%Y-%m-%d %H:%M:%S")"

The above command uses the date command to format the current date and time properly for the --since flag to journalctl.

You can also type out some date in the past as a starting point, in case you need to track the logs across a reboot. Run the date command by itself to see the correct format, and make sure to use quotes around the date to avoid parsing issues.

jpaugh
  • 329
0

Adding my answer as found none to combine all actions below. On Linux Mint 21 based system to clear all logs I did:

sudo rm -r /var/log/* # to clear all "permanent" logs

sudo journalctl --vacuum-time=1s # to clear archived logs as per other answers


sudo find /run/log -name system.journal -exec dd if=/dev/zero of={} count=0 bs=1 ; # clear current log file similar to @Maxpm answer

Interestingly:

  1. deleting files in /run/log resulted in some being recreated but w/out access control to allow ordinary users see system entries - so clearing it is.
  2. clearing system.journal did not change its size (still 8Mb), but journalctl started to return "no entries". When I tried to first stop systemd journaling service, then clear the file, it became size 0 but reverted to 8Mb right after the service started.
Alex Martian
  • 1,035