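Recovering a lost file with lsof has two preconditions: 1. you know the file name; 2. the file has been run (some process has opened it).
Suppose /var/log/messages has been deleted by mistake. To recover it, first use lsof to check whether any process currently has /var/log/messages open, as follows: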
# lsof |grep /var/log/messages
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
syslogd 14572 root 1w REG 253,0 5584 1737237 /var/log/messages
# rm -f /var/log/messages
# lsof |grep /var/log/messages
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
syslogd 14572 root 1w REG 253,0 5584 1737237 /var/log/messages (deleted)
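The output above shows that PID 14572 (syslogd) has the file open on file descriptor 1, and that /var/log/messages is now marked as deleted. We can therefore read the data through /proc/14572/fd/1 (each numerically named entry under fd corresponds to one of the process's file descriptors), as follows: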
# tail -n 10 /proc/14572/fd/1
Feb 4 20:02:25 host191 kernel: klogd 1.4.1, log source = /proc/kmsg started.
Feb 4 20:02:45 host191 root: aaa
Feb 4 20:05:07 host191 dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
Feb 4 20:05:07 host191 dhclient: DHCPACK from 192.168.0.254
Feb 4 20:05:07 host191 dhclient: bound to 192.168.0.191 -- renewal in 718 seconds.
Feb 4 20:15:50 host191 syslogd 1.4.1: restart.
Feb 4 20:15:50 host191 kernel: klogd 1.4.1, log source = /proc/kmsg started.
Feb 4 20:17:05 host191 dhclient: DHCPREQUEST on eth0 to 192.168.0.254 port 67
Feb 4 20:17:05 host191 dhclient: DHCPACK from 192.168.0.254
Feb 4 20:17:05 host191 dhclient: bound to 192.168.0.191 -- renewal in 804 seconds.
Since the data can be read through the file descriptor, restore the file by redirecting it back to the original path:
# cat /proc/14572/fd/1 > /var/log/messages
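As an added example that is not part of the original page, the shell functions below generalize the steps above: they scan /proc directly (no lsof required) for a descriptor still open on a deleted path and copy its contents out. The function names and the destination path in the usage comment are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): generalizes the lsof + /proc
# steps above to any deleted file that a running process still holds open.

# find_deleted_fd PATH
# Print /proc/<pid>/fd/<n> for each descriptor still open on the unlinked PATH.
# PATH must be the absolute name the file had before it was deleted.
find_deleted_fd() {
    want="$1 (deleted)"   # the kernel appends this suffix to the fd symlink target
    for fd in /proc/[0-9]*/fd/*; do
        # Unreadable or already-exited processes make readlink fail; skip them.
        link=$(readlink "$fd" 2>/dev/null) || continue
        if [ "$link" = "$want" ]; then
            printf '%s\n' "$fd"
        fi
    done
    return 0
}

# recover_deleted PATH DEST
# Copy the still-open contents of the deleted PATH into DEST.
recover_deleted() {
    src=$(find_deleted_fd "$1" | sed -n '1p')
    if [ -z "$src" ]; then
        echo "no running process holds $1 open; nothing to recover" >&2
        return 1
    fi
    if [ -e "$2" ]; then
        echo "$2 already exists; refusing to overwrite it" >&2
        return 1
    fi
    # Logs are often sensitive: create the copy readable by the owner only.
    ( umask 077 && cat "$src" > "$2" ) || return 1
    echo "recovered $1 from $src into $2" >&2
}

# Usage, as root so that other users' /proc/<pid>/fd entries are readable:
#   recover_deleted /var/log/messages /root/messages.recovered
```

The process that held the file keeps writing to the unlinked inode, not to the recovered copy, so restart or reload it after the copy is back at the original path.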