Frequently Asked Question

What is /var for and what are /var/log, /var/lib, and /var/cache?

/var holds variable data: files that change during normal system operation. The distinction matters because /usr can be mounted read-only or shared, while /var must be local and writable on every machine. Inside it, three subdirectories matter most. /var/log is where system services append messages, kernel events, authentication attempts, web server requests, cron job output, and is usually the first place to look when something has gone wrong. /var/lib holds persistent application state: the package manager's database, MySQL's tables, systemd's journal binary files, the SSH host keys' backing files.

/var/cache holds regenerable data: APT's downloaded package archives, font caches, the output of man -k. You can delete anything under /var/cache and the system will simply rebuild it on demand, useful when the disk is full. /var also contains /var/spool (mail queues, print jobs, cron tabs awaiting execution), /var/tmp (persistent temporary files), and the legacy /var/run symlink, which on modern systems points to /run.