Tuesday, 28 June 2011

Resolving overflows in the /var file system:



Check the following when the /var file system has become full.

You can use the find command to look for large files in the /var directory. For example:

find /var -xdev -size +2048 -ls | sort -r +6

For detailed information, see the command description for the find command.

Check for obsolete or leftover files in /var/tmp.

Check the size of the /var/adm/wtmp file, which logs all logins, rlogins and telnet sessions. The log will grow indefinitely unless system accounting is running. System accounting clears it out nightly. The /var/adm/wtmp file can be cleared out or edited to remove old and unwanted information. To clear it, use the following command:

cp /dev/null /var/adm/wtmp

To edit the /var/adm/wtmp file, first copy the file temporarily with the following command:

/usr/sbin/acct/fwtmp < /var/adm/wtmp > /tmp/out

Edit the /tmp/out file to remove unwanted entries, then replace the original file with the following command:

/usr/sbin/acct/fwtmp -ic < /tmp/out > /var/adm/wtmp

Clear the error log in the /var/adm/ras directory using the following procedure. The error log is never cleared unless it is manually cleared.

Note: Never use the cp /dev/null command to clear the error log. A zero-length errlog file disables the error logging functions of the operating system and must be replaced from a backup.

Stop the error daemon using the following command:

/usr/lib/errstop

Remove the error log file, or move it to a different file system, by using one of the following commands:

rm /var/adm/ras/errlog
or
mv /var/adm/ras/errlog filename

Where filename is the name of the moved errlog file.

Note: The historical error data is deleted if you remove the error log file.

Restart the error daemon using the following command:

/usr/lib/errdemon

Note: Consider limiting the errlog by running the following entries in cron:

0 11 * * * /usr/bin/errclear -d S,O 30
0 12 * * * /usr/bin/errclear -d H 90

Check whether the trcfile file in this directory is large. If it is large and a trace is not currently being run, you can remove the file using the following command:

rm /var/adm/ras/trcfile

If your dump device is set to hd6 (which is the default), there might be a number of vmcore* files in the /var/adm/ras directory. If their file dates are old or you do not want to retain them, you can remove them with the rm command.

Check the /var/spool directory, which contains the queueing subsystem files. Clear the queueing subsystem using the following commands:

stopsrc -s qdaemon
rm /var/spool/lpd/qdir/*
rm /var/spool/lpd/stat/*
rm /var/spool/qdaemon/*
startsrc -s qdaemon

Check the /var/adm/acct directory, which contains accounting records. If accounting is running, this directory may contain several large files.

Check the /var/preserve directory for terminated vi sessions. Generally, it is safe to remove these files. If a user wants to recover a session, you can use the vi -r command to list all recoverable sessions. To recover a specific session, use vi -r filename.

Modify the /var/adm/sulog file, which records the number of attempted uses of the su command and whether each was successful. This is a flat file and can be viewed and modified with your favorite editor. If it is removed, it will be recreated by the next attempted su command.

Modify the /var/tmp/snmpd.log file, which records events from the snmpd daemon. If the file is removed, it will be recreated by the snmpd daemon.

Note: The size of the /var/tmp/snmpd.log file can be limited so that it does not grow indefinitely. Edit the /etc/snmpd.conf file to change the number (in bytes) in the appropriate section for size.
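
The wtmp and sulog steps above discard login and su history, so it is worth keeping a copy before clearing them. The following shell function is an added example, not part of the original post: it archives a log, verifies the copy, then truncates the original in place the way cp /dev/null does, and it refuses to touch errlog. The function name archive_and_truncate and the archive directory argument are assumptions.

```shell
# Added example, not from the original post. The function name and the
# archive directory argument are hypothetical.
#
# Usage: archive_and_truncate LOGFILE ARCHIVE_DIR
# Copies LOGFILE into ARCHIVE_DIR (ideally outside /var), verifies the copy,
# then truncates LOGFILE in place so its inode, owner and mode are kept and
# a process that has it open keeps writing to the same file.
archive_and_truncate() {
    log=$1
    dest=$2

    # A zero-length errlog disables error logging (see the note above), so
    # errlog must go through errstop / mv / errdemon, never truncation.
    if [ "$(basename "$log")" = "errlog" ]; then
        echo "refusing to truncate $log" >&2
        return 2
    fi
    if [ ! -f "$log" ] || [ ! -d "$dest" ]; then
        echo "usage: archive_and_truncate LOGFILE ARCHIVE_DIR" >&2
        return 1
    fi

    copy="$dest/$(basename "$log").$(date +%Y%m%d%H%M%S)"
    if [ -e "$copy" ]; then          # never overwrite an earlier archive
        echo "$copy already exists" >&2
        return 1
    fi
    cp -p "$log" "$copy" || return 1

    # Compare CRC and byte count before destroying anything.
    if [ "$(cksum < "$log")" != "$(cksum < "$copy")" ]; then
        echo "copy of $log does not match; original left untouched" >&2
        rm -f "$copy"
        return 1
    fi

    # Same effect as "cp /dev/null $log": length 0, inode unchanged.
    # Records written between the checksum and this line are lost.
    : > "$log" || return 1
    chmod a-w "$copy"                # archived audit data is read-only
    echo "$copy"                     # print the archive path for the caller
}
```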


Issue a find command to select files older than, for example, 8 days and delete them.
This command can be put into the crontab file and executed daily.

00 04 * * * find /var/adm/cron/log -ctime +8 -exec rm -f {} \;
(deletes all files older than 8 days, every day at 4 a.m.)
