How to clear journalctl

I couldn’t find on Google any safe way to clear the systemd journal. Does anyone know a safe and reliable way to do so?

Let’s say I was experimenting with something and my logs got cluttered with various error messages. Moreover, I’m displaying my journal on my desktop by using Conky. I really don’t want to see those errors as they remind me of an awful day I was fixing this stuff; I want to feel like a fresh man after this horror. I think everyone will agree that this is a valid reason to clear the logs 😛 .

Asked By: Łukasz Zaroda


You don’t typically clear the journal yourself. That is managed by systemd itself and old logs are rotated out as new data comes in. The correct thing to do would be to schedule journald to only keep as much data as you are interested in. The most usual thing to adjust is the total disk space it is allowed to take up. Once it crosses this boundary it will start pitching old entries to stay near this value.

You can set this in /etc/systemd/journald.conf like so:

SystemMaxUse=100M

This will be enforced on the next reboot or restart of the journald service:

$ systemctl restart systemd-journald

Answered By: Caleb

On Arch Linux, the closest I got was:

  • Edit /etc/systemd/journald.conf to set SystemMaxUse=1M
  • Restarting journal: sudo systemctl restart systemd-journald
  • Resetting SystemMaxUse=200M
  • Re-Restarting the journal

On my system, each journal file is 8MB, and the above cleared all but 3, bringing the total size to ~25MB.

My use-case was disabling CoW for BTRFS (just for the journal directory and subdirectories): sudo chattr +C /var/log/journal/*. The problem is, the attribute is only set on newly-created files, thus the desire to flush the journal.

Answered By: helmingstay

The self maintenance method is to vacuum the logs by size or time.

Retain only the past two days:

journalctl --vacuum-time=2d

Retain only the past 500 MB:

journalctl --vacuum-size=500M

man journalctl for more information.

Answered By: Michael

journalctl -b will show only from the most recent boot. You can also use -b -1, -b -2 etc. Your horrendous day is still there but you won’t have to see it, unless you need to.

Answered By: David

A very brute force method to clean the entire log:

$ sudo journalctl --vacuum-time=1seconds

You can also use --vacuum-size as Michael mentioned.

Answered By: Lanti

Since --vacuum-time and --vacuum-size didn’t do a thing for me I did the following:

$ sudo find /var/log/journal -name "*.journal" | xargs sudo rm 
$ sudo systemctl restart systemd-journald

It’s not right, but it worked.

Answered By: Matt

Michael’s answer is missing one thing: vacuuming only removes archived journal files, not active ones. To get rid of everything, you need to rotate the files first so that recent entries are moved to inactive files.

So, the complete answer to remove all entries seems to be

sudo journalctl --rotate
sudo journalctl --vacuum-time=1s

(Note that you cannot combine this into one journalctl command.)

By the way, some distributions have journald configured so that it writes logs to disk (/var/log/journal) while others keep logs in memory (/run/log/journal). I expect that in some cases it may be necessary to use sudo journalctl --flush first to get everything removed.

If you don’t have --rotate in your version, you can use the --since argument to filter entries:

--since "2019-01-30 14:00:00"
--since today
Answered By: Jan Warchoł
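
The rotate-then-vacuum sequence from the answer above, as an added example that is not part of the original answer: it exports the journal to a backup file first and flushes only when volatile files coexist with a persistent directory. `JOURNAL_ROOT`, `DRY_RUN` and the function names are assumptions introduced here so the logic can be rehearsed against a scratch directory; run it as root on a real system.

```shell
# Added example, not code from the original answer.
# JOURNAL_ROOT: hypothetical path prefix (empty on a real system).
# DRY_RUN: hypothetical switch; when non-empty, steps are printed, not run.
JOURNAL_ROOT="${JOURNAL_ROOT:-}"
DRY_RUN="${DRY_RUN:-}"

# Succeeds if the directory given as $1 holds at least one *.journal file.
has_journal_files() {
    [ -n "$(find "$1" -name '*.journal' -print -quit 2>/dev/null)" ]
}

# --flush only matters when entries still sit in /run while
# /var/log/journal exists to receive them.
needs_flush() {
    has_journal_files "$JOURNAL_ROOT/run/log/journal" &&
        [ -d "$JOURNAL_ROOT/var/log/journal" ]
}

# Write every entry to $1 in the journal export format.
export_journal() {
    journalctl -o export > "$1"
}

# Print the step in dry-run mode, otherwise execute it.
run_step() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# $1 = backup file. Stops at the first failing step, so nothing is
# vacuumed unless the export and the rotation both succeeded.
clear_journal() {
    run_step export_journal "$1" || return 1
    if needs_flush; then
        run_step journalctl --flush || return 1
    fi
    # Vacuuming only removes archived files, so rotate first.
    run_step journalctl --rotate || return 1
    run_step journalctl --vacuum-time=1s
}

# Usage (as root): clear_journal /root/journal-backup.export
```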

Both --rotate and --vacuum-time=1s didn’t work for me on CentOS. I was able to clear it like this:

sudo rm -rf /run/log/journal/*

Answered By: stiv

  1. Back it up in case you need it in the future:

    cp /run/log/journal/<temp-string>/system.journal /mylog/dir/back/system.journal.bak
    
  2. Clear the file:

    cd /run/log/journal/<temp-string>/
    >system.journal
    
  3. Check to see latest logs:

    journalctl -xe
    
Answered By: Girish KG

My previous answer just got deleted for being “duplicated”. Well, sorry for not being clear enough in my previous answer, but it was different from existing answers. So here’s a more elaborated version:

journalctl -m --vacuum-time=1s did the trick for me. Please DO notice the -m flag, it merges all your journals and then cleans them up. Without the -m flag, it didn’t clean up anything in my case (on CentOS-7).

Hope it helps.

Answered By: fengye87

Also sudo journalctl --vacuum-files 1.

Answered By: marcio

Create this file (and possibly its parent directory):
/etc/systemd/journald.conf.d/max-size.conf

With contents:

[Journal]
SystemMaxUse=100M

The space will be freed after you reboot or run sudo systemctl restart systemd-journald

This will keep your journald log small now and forever. Because the config is stored in a dedicated file, there is no editing mess and it’s easy to remove the config later (or see what exactly you have changed in the past). You can also specify the maximum journal entry age with: MaxRetentionSec=3day

Answered By: VasyaNovikov

I was facing the same situation as you. After some searching, I realized:

  1. It is impossible to clear logs for a specific service without a 3rd party script.
  2. journalctl --vacuum-time 1s can only clear archived logs. So you may find that the annoying logs still exist after this command.
  3. You can work around this by first running journalctl --rotate. This command archives logs immediately so that ‘--vacuum-time 1s’ will take effect.
  4. Actually, after ‘journalctl --rotate’ these annoying logs should have disappeared. So the final answer should be journalctl --rotate.

P.S. Here are relevant parts of journalctl’s help

  -N --fields                List all field names currently used
  -F --field=FIELD           List all values that a specified field takes
     --disk-usage            Show total disk usage of all journal files
     --vacuum-size=BYTES     Reduce disk usage below specified size
     --vacuum-files=INT      Leave only the specified number of journal files
     --vacuum-time=TIME      Remove journal files older than specified time
     --verify                Verify journal file consistency
     --sync                  Synchronize unwritten journal messages to disk
     --relinquish-var        Stop logging to disk, log to temporary file system
     --smart-relinquish-var  Similar, but NOP if log directory is on root mount
     --flush                 Flush all journal data from /run into /var
     --rotate                Request immediate rotation of the journal files
     --header                Show journal header information
     --list-catalog          Show all message IDs in the catalog
     --dump-catalog          Show entries in the message catalog
     --update-catalog        Update the message catalog database
     --setup-keys            Generate a new FSS key pair

Answered By: Youran

I was baking in a factory reset step at the end of a machine image provisioning script.

Ended up using this:

sudo journalctl --relinquish-var --rotate
sudo find /var/log -type f -print -delete
# very soon after here, shutdown happens & whole-OS machine snapshot is taken

This allows new instances spawned from this image to have logs starting from a clean slate.

So that, e.g. journalctl --list-boots will show only the boots of the instance itself — without phantom boots from previous life recorded by the image-provisioner instance.

Answered By: ulidtko

journalctl is a query command, and it is unnecessary to delete past logs in order to avoid querying them. If you want to start with a clean slate, then query only recent entries, and use the --follow flag to show entries made after you run that command.

journalctl --follow --since="$(date "+%Y-%m-%d %H:%M:%S")"

The above command uses the date command to format the current date and time properly for the --since flag to journalctl.

You can also type out some date in the past as a starting point, in case you need to track the logs across a reboot. Run the date command by itself to see the correct format, and make sure to use quotes around the date to avoid parsing issues.

Answered By: jpaugh
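
The `--since` approach above, made persistent for a desktop widget such as the asker's Conky display, as an added example that is not part of the original answer: a timestamp is stored once and every later query starts from it, so nothing is deleted. `BASELINE_FILE` and the function names are assumptions chosen for illustration.

```shell
# Added example, not code from the original answer.
# BASELINE_FILE: hypothetical location for the stored timestamp.
BASELINE_FILE="${BASELINE_FILE:-$HOME/.cache/journal-baseline}"

# Record "now" in the format that journalctl --since accepts.
mark_baseline() {
    mkdir -p "$(dirname "$BASELINE_FILE")" &&
        date "+%Y-%m-%d %H:%M:%S" > "$BASELINE_FILE"
}

# Print the stored timestamp. Fails if the file is missing or does not
# look like "YYYY-MM-DD HH:MM:SS", so a damaged file never reaches
# journalctl as an argument.
read_baseline() {
    ts=$(cat "$BASELINE_FILE" 2>/dev/null) || return 1
    case "$ts" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]\ [0-9][0-9]:[0-9][0-9]:[0-9][0-9])
            printf '%s\n' "$ts" ;;
        *)
            return 1 ;;
    esac
}

# Show entries newer than the baseline; without a valid baseline,
# fall back to the current boot (-b). Extra arguments are passed on.
journal_since_baseline() {
    if since=$(read_baseline); then
        journalctl --no-pager --since="$since" "$@"
    else
        journalctl --no-pager -b "$@"
    fi
}

# Usage: run mark_baseline once after the noisy session, then have the
# widget call journal_since_baseline (for example with -n 20).
```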

Adding my answer as I found none that combines all the actions below. On a Linux Mint 21 based system, to clear all logs I did:

sudo rm -r /var/log/* # to clear all "permanent" logs

sudo journalctl --vacuum-time=1s # to clear archived logs as per other answers

sudo find /run/log -name system.journal -exec dd if=/dev/zero of={} count=0 bs=1 \; # clear current log file similar to @Maxpm answer

Interestingly:

  1. Deleting files in /run/log resulted in some being recreated but w/out access control to allow ordinary users to see system entries – so clearing it is.
  2. Clearing system.journal did not change its size (still 8Mb), but journalctl started to return "no entries". When I tried to first stop the systemd journaling service, then clear the file, it became size 0 but reverted to 8Mb right after the service started.

Answered By: Alex Martian