
I got two partitions, one for /var/log and another for /var/log/audit

But the first one is showing full (and raising all the alarms) because of the second one, as it is inside. /var/log/audit accounts for disk space of /var/log even if they are separate partitions. Here is the output of `df -h`:

```
/dev/mapper/vg_system-lv_varlog
                  9.8G  9.7G     0 100% /var/log
/dev/mapper/vg_system-lv_audit
                   26G  7.1G   18G  30% /var/log/audit
```

I did check and yes, /var/log used space without /var/log/audit makes only 985M

```
[root@server log]# du -sh --exclude=audit
985M    .
```

And there is no hidden / deleted file (I checked with lsof)

So I got one partition with only 1Gb used but showing as full because of another partition inside it. Should they not be independent for df and disk space? Am I missing something?

Regards

  • Did you check for deleted/open files with `lsof -a +L1 /var/log`? Did you check your file system for defects? – Sven Sep 26 '16 at 10:02

1 Answer


One partition is definitely NOT affecting the other - that much is certain. You're probably looking at mount point shadowing, an effect of having data underneath a subtree that has been mounted on a directory that was not empty. This is why we say to mount filesystems in empty directories - but that is not required in any way.

There is an easy way to see about this. You can bind mount the directory /var/log/ to /tmp/var/log (or some other arbitrary empty directory). An example of this can be seen here: `mount -o bind /var/log /tmp/var/log`

After doing this, you can see the contents of the filesystem of /var/log - and ONLY /var/log when looking within /tmp/var/log. So if you see something in /tmp/var/log/audit - well that shouldn't be there. And this will give you the ability to deal with it using normal tools (and WITHOUT unmounting filesystems all over the place). When you're done, unmount /tmp/var/log and go about your day.

Hopefully, that takes care of all of it for you.

Spooler
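The bind-mount check from the answer above, generalized to every mount nested under a directory, as an added shell example that is not part of the original post. The function names `child_mounts` and `shadowed_usage` and the sample mountinfo lines are constructed for illustration; it assumes a Linux host with `/proc/self/mountinfo`.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): locate data shadowed by nested mounts.

# Constructed sample in /proc/self/mountinfo format; field 5 is the mount point.
SAMPLE_MOUNTINFO='22 1 253:0 / / rw,relatime - xfs /dev/mapper/vg_system-lv_root rw
40 22 253:3 / /var/log rw,relatime - ext4 /dev/mapper/vg_system-lv_varlog rw
41 40 253:4 / /var/log/audit rw,relatime - ext4 /dev/mapper/vg_system-lv_audit rw
42 22 253:5 / /var/logs2 rw,relatime - ext4 /dev/mapper/vg_system-lv_other rw'

# Print every mount point nested below directory $1 (mountinfo text on stdin).
# Matching on "$1/" keeps look-alike siblings such as /var/logs2 out.
child_mounts() {
    awk -v p="${1%/}/" 'index($5, p) == 1 && $5 != p { print $5 }'
}

# Bind-mount $1 non-recursively on a scratch directory and report what sits
# on $1's own filesystem underneath each nested mount point. Needs root.
shadowed_usage() {
    local top="${1%/}" view child hidden
    view=$(mktemp -d) || return 1
    mount -o bind "${top:-/}" "$view" || { rmdir "$view"; return 1; }
    child_mounts "$top" < /proc/self/mountinfo | while read -r child; do
        hidden="$view${child#"$top"}"
        # Deeper mount points may not exist on this filesystem at all.
        if [ -d "$hidden" ]; then
            du -sh "$hidden"
        fi
    done
    umount "$view" && rmdir "$view"
}

# Dry run on the constructed sample: prints /var/log/audit
printf '%s\n' "$SAMPLE_MOUNTINFO" | child_mounts /var/log

# Real check, as root: pass the parent mount point, e.g. /var/log
if [ $# -gt 0 ]; then
    shadowed_usage "$1"
fi
```

Anything `du` reports in the real check is occupying the parent filesystem while staying invisible as long as the child filesystem is mounted over it.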