`/var`

Table of Contents

Purpose of `/var`

/var stands for “variable.” It contains files that change over time while the system is running. Unlike many parts of the filesystem that stay relatively static (like programs in /usr/bin), /var is where Linux stores:

Logs that grow as services run
Caches that can be safely regenerated
Queues and temporary data for services
Databases and other frequently updated files
Spools for mail, printing, and scheduled jobs

Because the contents of /var grow and change, it’s a common source of disk usage problems and is important for troubleshooting.

Typical Layout Inside `/var`

Exact contents can vary by distribution, but you’ll usually see directories like these:

/var/log – System and application logs
/var/cache – Cache data for applications and package managers
/var/tmp – Temporary files that survive reboots (unlike /tmp)
/var/spool – Queues (“spools”) for services like mail, printing, cron
/var/lib – Persistent state data for services (databases, package info)
/var/run (or /run) – Runtime state (PID files, sockets); often a symlink
/var/lock – Lock files preventing concurrent access to resources
/var/mail or /var/spool/mail – Local user mailboxes (on systems using local mail)

You don’t need to memorize all of these immediately, but it helps to have a rough idea what lives where.

`/var/log`: Logs

This is the most important subdirectory for basic administration and troubleshooting.

Common things you might find:

/var/log/syslog or /var/log/messages
General system log, including many services.
/var/log/auth.log or entries inside /var/log/secure
Authentication-related logs: logins, sudo usage, SSH attempts.
/var/log/dmesg
Kernel boot messages (also available through dmesg).
Application-specific logs, e.g.:

/var/log/apache2/ or /var/log/httpd/ for web servers
/var/log/mysql/ or /var/log/mariadb/ for databases
/var/log/Xorg.0.log for the graphical display server (on some systems)

Typical beginner uses:

Check why something failed:

View the last lines of a log:

    tail /var/log/syslog
    tail /var/log/auth.log

Watch logs in real time while reproducing an issue:

  sudo tail -f /var/log/syslog

Permissions are usually restricted; you’ll often need sudo to read many log files.

`/var/cache`: Caches

Caches speed things up by storing data that can be regenerated if removed.

Examples you might see:

/var/cache/apt/ (Debian/Ubuntu)
Downloaded .deb packages from APT.
/var/cache/dnf/ (Fedora/RHEL-based)
DNF’s downloaded package data.
Application caches (web browsers, package managers, services).

Key ideas:

Deleting cache does not usually break software; it might just re-download or re-generate data.
Clearing caches can free disk space if /var is full, but they will likely grow again over time.
Use the package manager’s own cleanup commands where possible, e.g.:

  sudo apt clean
  sudo dnf clean all

`/var/tmp`: Long-Lived Temporary Files

Both /tmp and /var/tmp store temporary data, but:

/tmp is often cleared on reboot.
/var/tmp is meant for temporary files that should survive reboots.

Programs use /var/tmp for:

Temporary files that might be needed after a reboot
Short-lived but not strictly “session-only” data

For a beginner:

You generally don’t need to manage /var/tmp manually.
Don’t rely on it for important personal files — it’s still “temporary.”

`/var/spool`: Queues and Spools

A “spool” is a directory where data waits to be processed. /var/spool contains queues for services.

Common subdirectories:

/var/spool/cron/ or /var/spool/cron/crontabs/
Files that define scheduled jobs (cron jobs).
/var/spool/mail/ or /var/mail/
Local mailboxes; each user may have a file with their username.
/var/spool/cups/ (or similar)
Print jobs waiting to be printed.
/var/spool/mqueue/ (on some mail systems)
Messages waiting to be delivered.

Typical beginner relevance:

Understanding that “stuck” emails or print jobs might pile up here.
Knowing that cron’s configuration files often live under /var/spool/cron (exact path varies by distro).

`/var/lib`: Service Data and State

/var/lib holds persistent data used by services and applications — usually not user documents, but internal service state.

Examples include:

/var/lib/dpkg/ (Debian/Ubuntu)
Database of installed packages (dpkg).
/var/lib/rpm/ (RPM-based systems)
RPM database.
/var/lib/mysql/ or /var/lib/mariadb/
Actual on-disk data for MySQL/MariaDB.
/var/lib/docker/
Docker images, containers, and volumes.
/var/lib/systemd/, /var/lib/NetworkManager/, etc.
State for system services.

Important points:

This data is not easily re-generated; deleting things here can break packages or services.
If you’re troubleshooting disk usage, be cautious about touching /var/lib.
Backups of services (databases, containers) often involve directories under /var/lib.

`/var/run` and `/run`: Runtime Data

On many modern systems:

/run is a temporary filesystem (often in RAM).
/var/run is a compatibility symlink pointing to /run.

These hold:

PID files (process ID info), e.g.:

/run/sshd.pid

Runtime sockets and communication endpoints, e.g.:

/run/systemd/
/run/dbus/

Files here:

Only exist while the system is running.
Are recreated at boot by services.

As a beginner, you may see these mentioned in documentation or error messages, but you rarely need to edit them directly.

`/var/lock`: Lock Files

Lock files help ensure that only one process uses a resource at a time.

Typical purposes:

Prevent simultaneous access to the same device or file (e.g., serial ports).
Indicate that a resource is “in use.”

For most day-to-day use:

You rarely touch /var/lock manually.
Leftover lock files after a crash can sometimes cause “resource busy” errors; usually, system tools handle this.

`/var` and Disk Space Problems

Because so many growing files live under /var, it’s a common culprit when your disk gets full.

Symptoms of a full /var partition:

Package installations or updates fail.
Logs stop being written.
Services crash or refuse to start.

Basic checks:

Overall disk usage:

  df -h

Which directories in /var are large:

  sudo du -sh /var/*

Beginner-friendly cleanup approaches:

Clear package caches with the package manager (apt clean, dnf clean all, etc.).
Rotate or remove old logs via log management tools (covered in other chapters), rather than deleting random files blindly.

Backups and `/var`

When thinking about what to back up:

High priority:

Data under /var/lib for important services (databases, containers, some application data).
Sometimes specific logs under /var/log (if you need them for auditing or debugging).

Lower priority (often can be skipped):

/var/cache (re-creatable).
/var/tmp (temporary).
Many runtime files in /run or /var/run (re-created at boot).

This distinction helps when planning backups or troubleshooting space usage.

Summary

/var holds variable data that changes as the system runs.
It’s crucial for logs, caches, queues, and service state.
Knowing the role of key subdirectories like /var/log, /var/cache, /var/tmp, /var/spool, /var/lib, and /run makes troubleshooting and basic administration much easier.
Be careful deleting things under /var: caches and some temp files are usually safe to clear; service data in /var/lib is not.

Comments

Please login to add a comment.

Don't have an account? Register now!