Thursday, January 12, 2012

Recover Deleted Log Files without Third-Party Software on Linux.

CONDITIONS:
1) Without rebooting the server.
2) Only log files can be recovered with this method: the file must still be held open by a running process (the logging daemon or the service that writes it).

LOG FILES are generated in two ways:
1) By the syslog daemon.
Example: maillog, cron, /var/log/messages
2) By a service writing through its own file descriptors, without the syslog daemon.
Example: http
Note: such services generate their log files through file descriptors (input, output and error redirection).

STUDY:
# ls -l /proc/"Process ID"/fd
Lists the file descriptors in use by that specific process ID. Each entry is a symbolic link to the file the descriptor is open on.

Recovering Log Files Written by the syslog Daemon
1) Find the process ID of the syslog daemon:
# ps -ef | grep syslog
2) List the file descriptors of that process ID:
# ll /proc/"PID of syslog"/fd/
For example, if the PID is 1947:
# ll /proc/1947/fd/
lrwx------ 1 root root 64 Nov 4 12:38 0 -> socket:[4341]
l-wx------ 1 root root 64 Nov 4 12:38 1 -> /var/log/messages
l-wx------ 1 root root 64 Nov 4 12:38 2 -> /var/log/secure
l-wx------ 1 root root 64 Nov 4 12:38 3 -> /var/log/maillog
l-wx------ 1 root root 64 Nov 4 12:38 4 -> /var/log/cron
l-wx------ 1 root root 64 Nov 4 12:38 5 -> /var/log/spooler
l-wx------ 1 root root 64 Nov 4 12:38 6 -> /var/log/boot.log
l-wx------ 1 root root 64 Nov 4 12:38 7 -> /var/log/news/news.crit
l-wx------ 1 root root 64 Nov 4 12:38 8 -> /var/log/news/news.err
l-wx------ 1 root root 64 Nov 4 12:38 9 -> /var/log/news/news.notice
3) Even though the file has been deleted from the directory, the daemon still holds it open, and /proc exposes that descriptor as a symbolic link (the kernel marks the target with "(deleted)"). Through that link we can recover the file.
For example, to recover the /var/log/cron file:
l-wx------ 1 root root 64 Nov 4 12:38 4 -> /var/log/cron (deleted)
# cp /proc/1947/fd/4 /tmp/cron.backup
Use plain cp (or cat) here: cp -a or cp -d would copy the symbolic link itself rather than the data behind it. Opening the /proc link re-opens the underlying file, so it can be read even though the daemon holds it write-only, and the data stays recoverable only as long as the daemon keeps the descriptor open.

Recovering the Log File of a Specific Service Not Maintained by the syslog Daemon
1) The method is the same, but find the process ID of the particular service instead of the syslog daemon's PID. For example, for the http service:
# ps -ef | grep http
# lsof -p "PID of http" | grep log
2) The remaining steps are the same as in the method above:
# ls -l /proc/"PID of http"/fd
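The two procedures above (syslog daemon or individual service) reduce to the same two steps: find descriptors whose /proc link target ends in "(deleted)", then read the data back through the link. The following script is an added example and not part of the original post; it wraps those steps in two functions and, so that it runs stand-alone, lets the shell itself play the logging daemon by opening a constructed log on fd 3 and deleting it. The file names, sample log lines and function names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: locate the file descriptors of a
# process that still point at deleted files and copy the data back out.

# list_deleted_fds PID
# Prints "FD<TAB>ORIGINAL_PATH" for each descriptor whose link target carries
# the " (deleted)" suffix the kernel appends once the directory entry is gone.
list_deleted_fds() {
    pid="$1"
    for link in /proc/"$pid"/fd/*; do
        target=$(readlink "$link" 2>/dev/null) || continue
        case "$target" in
            *' (deleted)')
                printf '%s\t%s\n' "${link##*/}" "${target% (deleted)}"
                ;;
        esac
    done
}

# recover_fd PID FD DEST
# Reads through /proc/PID/fd/FD, which re-opens the underlying inode, so it
# works even when the process holds the descriptor write-only. Plain cat (or
# cp without -a/-d) is required: cp -a would copy the symlink, not the data.
recover_fd() {
    cat /proc/"$1"/fd/"$2" > "$3"
}

# Self-contained demo: this shell plays the role of the logging daemon. It opens
# a constructed log on fd 3, deletes the file, then recovers it from its own
# /proc/$$/fd entry. Sets RECOVERED_LINES to the number of lines recovered.
demo() {
    dir=$(mktemp -d)
    # constructed sample log line
    printf 'Jan 12 12:00:01 host CROND[100]: (root) CMD (run-parts)\n' > "$dir/cron"
    exec 3>>"$dir/cron"                       # daemon-style open for append
    printf 'Jan 12 12:01:01 host CROND[101]: (root) CMD (run-parts)\n' >&3
    rm -f "$dir/cron"                         # directory entry gone, inode alive
    fd=$(list_deleted_fds "$$" | awk -F '\t' -v want="$dir/cron" '$2 == want { print $1 }')
    [ -n "$fd" ] || { exec 3>&-; rm -rf "$dir"; return 1; }
    recover_fd "$$" "$fd" "$dir/cron.recovered"
    exec 3>&-                                 # closing the last fd frees the inode
    RECOVERED_LINES=$(wc -l < "$dir/cron.recovered" | tr -d ' ')
    rm -rf "$dir"
}
```

Against a real daemon, run list_deleted_fds with the PID found via ps, then recover_fd with the descriptor number it prints; do it before the daemon is restarted or rotated, since closing the last open descriptor is what finally discards the data.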
