# Var space full



## bloodhound (Jan 21, 2009)

I have a problem: 

Freebsd is repoarting that the space on /var is full:


```
testlab# df -ih
Filesystem     Size    Used   Avail Capacity iused   ifree %iused  Mounted on
/dev/ad0s1a    496M    353M    103M    77%    3764   62026    6%   /
devfs          1.0K    1.0K      0B   100%       0       0  100%   /dev
/dev/ad0s1e    496M     12K    456M     0%       6   65784    0%   /tmp
/dev/ad0s1f     69G    2.2G     61G     3%  209146 9140996    2%   /usr
/dev/ad0s1d    1.4G    1.4G    -86M   106%     729  211237    0%   /var
```

Problem is that i cannot anything big there. 
with du :


```
du -sh /var/
8.4M    /var/
```

I really have no ideea what to do. 
I gooled the problem but i only found problems related to mysql and such, but this box only has pf on it and that is about all.
I also checked the pflog file and it is only a couple of kb in size so that is not the problem ...

If anyone has any solutions pls let me know.

Thank you


----------



## SirDice (Jan 21, 2009)

```
# cd /var
# du -sk * | sort -n
```
That should show you which directory is filling up space. Most likely it's /var/tmp.


----------



## ale (Jan 21, 2009)

It could be also /var/crash


----------



## DutchDaemon (Jan 21, 2009)

Or a stale file descriptor pointing to a chunk of data that's no longer there (can happen when a program drops off without cleaning up, sometimes deleted logfiles 'stay open', etc.). If the other solutions don't work, drop to single user mode and fsck -y /var.


----------



## danger@ (Jan 21, 2009)

just restarting running services might be sufficient. e.g. if the op has removed apache logs, but haven't restarted apache, the descriptors will remain open and the space won't be freed untill the apache restart; same applies to most of other services including syslogd(8).


----------



## DutchDaemon (Jan 21, 2009)

In this case (OP says he's only running pf) restarting /etc/rc.d/pf and /etc/rc.d/pflog may accomplish 'closure' as well.


----------



## bloodhound (Jan 21, 2009)

```
du -skh * | sort -n
2.0K    account
2.0K    audit
2.0K    empty
2.0K    games
2.0K    heimdal
2.0K    preserve
2.0K    rwho
4.0K    crash
4.0K    cron
4.0K    msgs
4.0K    tmp
6.0K    at
7.4M    db
 14K    backups
 18K    spool
 22K    yp
 32K    run
 48K    named
402K    mail
486K    log
```

So there are no big files in /var. Fsck seems to be the only solution. Unfortunately i cannot drop to single user atm since i cannot stop it. This fbox is running 24/7.


----------



## DutchDaemon (Jan 21, 2009)

Try restarting some services. Maybe /etc/rc.d/pflog first, if all you're running on that box is pf and pflog. Are you running anything from /usr/local/etc/rc.d that logs to /var? Try restarting those as well. In other words: try restarting anything for which you have a "YES" in rc.conf.


----------



## trev (Jan 21, 2009)

Did you try re-starting the services as suggested earlier? Worth a shot.

[Great minds  ]


----------



## danger@ (Jan 21, 2009)

you really need to identify what deamons are running on that box and restart them...there's a very good chance this will help.


----------



## bloodhound (Jan 21, 2009)

I forgot to mention earlier but yes i restarted pf before i posted my 2nd post.


----------



## bloodhound (Jan 21, 2009)

Finally i found the problem. Danger u were right, the insane amount of space was due to openvpn. The moment i stopped it the space on /var went to 1%. 

Thx for the help


----------



## DutchDaemon (Jan 21, 2009)

Danger must be psychic


----------



## kaboofa (Aug 2, 2010)

Hi all,

I had the same problem and I found that apache22 was using a huge amount of space in /var. After a daemon restart, every thing's all right.

Thanks for your help.

KaB


----------



## manefesto (Aug 22, 2011)

Sorry for necropost.
I have that problem.
After apache2 restart,every thing's all right.
When solved problem without restart apache ?


----------



## SirDice (Aug 22, 2011)

manefesto said:
			
		

> When solved problem without restart apache ?


Sending a SIGHUP to the apache process should be enough.


----------

