After checking, I found that the file /var/log/warn is so big (3.7GB)
-rw-r----- 1 root root 3.7G May 2 00:06 warn
So I tried to remove it by command “rm warn”. Then the file disappeared but the disk usage has not changed, still 83%.
Please help support me
Can the /var/log/warn file be recovered?
If I remove that file, can it be generated automatically? I waited for some hours but it was not generated again. So I created a Null warn file but the system log cannot be written there.
How can I release the /var partition in this case?
You say you use “Suse Linux”, but fail to give the version.
I get the strong idea that you use SUSE Linux Enterprise Desktop or Server. If that is the case, you are on the wrong forums. These are the openSUSE forums. The SLES/SLED forums are at https://forums.suse.com/forum.php .
> After checking, I found that the file /var/log/warn is so big (3.7GB)
You should have investigated what it contained before removing the log.
There is something hugely wrong in that machine.
> So I tried to remove it by command “rm warn”. Then the file disappeared
> but the disk usage has not changed, still 83%.
When you delete a file, it is not actually deleted if something opened
it before, and did not close. lsof might tell you what. As a last
resort, reboot.
Besides that, if you are using btrfs, you need to clear the snapshots.
> Please help support me
> - Can the /var/log/warn file be recovered?
You mean undeleted? Not that I know. In theory yes, because something
has it. But I don’t know how it could be done.
But if you are using btrfs, it is trivial.
> - If I remove that file, can it be generated automatically?
Of course it is. Eventually, when syslog writes a new entry.
The content of the file can be recovered as long as it is kept open. Most likely it is some syslog process; so find its PID and check /proc/PID/fd/ for link to /var/log/warn that says “(deleted)”. Then you can copy content using this name. But then you need additional space somewhere …
bor@opensuse:~> LC_ALL=C ll /tmp/foo
ls: cannot access /tmp/foo: No such file or directory
bor@opensuse:~> LC_ALL=C ll /proc/1088/fd/
total 0
lr-x------ 1 bor bor 64 May 3 22:26 0 -> /tmp/foo (deleted)
lrwx------ 1 bor bor 64 May 3 22:26 1 -> /dev/pts/1
lrwx------ 1 bor bor 64 May 3 22:26 2 -> /dev/pts/1
bor@opensuse:~> cat /proc/1088/fd/0
foo
bor@opensuse:~> cp /proc/1088/fd/0 /tmp/bar
bor@opensuse:~> cat /tmp/bar
foo
> The content of the file can be recovered as long as it is kept open. Most
> likely it is some syslog process; so find its PID and check
> /proc/-PID-/fd/ for link to /var/log/warn that says “(deleted)”. Then
> you can copy content using this name. But then you need additional space
> somewhere …
If the question is how to reclaim the space covered by the file, you may want to send a HUP signal to rsyslogd to tell it to close the files it usually keeps open until restarted.
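Added example, not part of any post in this thread: a small shell script that automates the /proc/PID/fd check described above, listing every deleted-but-still-open file with its size and copying one out before the owning process is told to close it. The function names list_deleted_open, recover_deleted and demo are hypothetical, the demo file is constructed, and GNU or busybox stat on Linux is assumed.

```shell
#!/bin/sh
# Linux-only (reads /proc); run as root to see other users' processes.

# list_deleted_open [PID...]: print "PID FD SIZE_BYTES PATH" for each file that
# was unlinked but is still held open. With no arguments, scan every process.
list_deleted_open() {
    [ "$#" -gt 0 ] || set -- $(cd /proc && echo [0-9]*)
    for pid in "$@"; do
        for fd in /proc/"$pid"/fd/*; do
            # readlink fails if the process exited or we lack permission
            target=$(readlink "$fd" 2>/dev/null) || continue
            case $target in
                /memfd:*) ;;   # anonymous memory, not disk space
                /*" (deleted)")
                    size=$(stat -L -c %s "$fd" 2>/dev/null || echo '?')
                    printf '%s %s %s %s\n' "$pid" "${fd##*/}" "$size" \
                        "${target% (deleted)}"
                    ;;
            esac
        done
    done
}

# recover_deleted PID FD DEST: copy the still-open content out through /proc.
# DEST must be on a filesystem with enough free space for the whole file.
recover_deleted() {
    cp -- "/proc/$1/fd/$2" "$3"
}

# Constructed demo: hold a temp file open on fd 9 of this shell, unlink it,
# then find it and recover its content.
demo() {
    tmp=$(mktemp) && echo 'constructed log line' > "$tmp"
    exec 9<"$tmp"
    rm -f "$tmp"
    list_deleted_open "$$"
    recover_deleted "$$" 9 "$tmp.recovered" && cat "$tmp.recovered"
    exec 9<&-                  # closing the descriptor is what frees the space
    rm -f "$tmp.recovered"
}
demo
```

Run with no PID arguments as root, the listing covers all processes, so the entry with the largest size on the full partition points at the process to HUP or restart.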