Recovering an accidentally deleted nginx log on Linux with lsof
阿新 • Published: 2022-03-23
1. Make sure nginx is running and that it has log data
[root@linux0224 ~]# tail -f /var/log/nginx/access.log
[root@linux0224 ~]# lsof |grep /var/log/nginx/access.log
nginx 5455 root 5w REG 8,3 0 2535358 /var/log/nginx/access.log
nginx 5456 root 5w REG 8,3 0 2535358 /var/log/nginx/access.log
nginx 5457 root 5w REG 8,3 0 2535358 /var/log/nginx/access.log
nginx 5458 root 5w REG 8,3 0 2535358 /var/log/nginx/access.log
nginx 5459 root 5w REG 8,3 0 2535358 /var/log/nginx/access.log
[root@linux0224 ~]#
2. Delete the log file: rm -f /var/log/nginx/access.log
[root@linux0224 ~]# rm -f /var/log/nginx/access.log
[root@linux0224 ~]#
[root@linux0224 ~]# ll /var/log/nginx/access.log
ls: cannot access /var/log/nginx/access.log: No such file or directory
[root@linux0224 ~]#
3. Recover the log data with the help of the lsof command
[root@linux0224 ~]# lsof --help
lsof: illegal option character: -
lsof: -e not followed by a file system path: "lp"
lsof 4.87
 latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
 latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
 latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
 usage: [-?abhKlnNoOPRtUvVX] [+|-c c] [+|-d s] [+D D] [+|-f[gG]] [+|-e s]
 [-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+m [m]] [+|-M] [-o [o]] [-p s]
 [+|-r [t]] [-s [p:s]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [-Z [Z]] [--] [names]
Defaults in parentheses; comma-separated set (s) items; dash-separated ranges.
  -?|-h list help          -a AND selections (OR)     -b avoid kernel blocks
  -c c  cmd c ^c /c/[bix]  +c w  COMMAND width (9)    +d s  dir s files
  -d s  select by FD set   +D D  dir D tree *SLOW?*   +|-e s  exempt s *RISKY*
  -i select IPv[46] files  -K list tasKs (threads)    -l list UID numbers
  -n no host names         -N select NFS files        -o list file offset
  -O no overhead *RISKY*   -P no port names           -R list paRent PID
  -s list file size        -t terse listing           -T disable TCP/TPI info
  -U select Unix socket    -v list version info       -V verbose search
  +|-w  Warnings (+)       -X skip TCP&UDP* files     -Z Z  context [Z]
  -- end option scan
  +f|-f  +filesystem or -file names     +|-f[gG] flaGs
  -F [f] select fields; -F? for help
  +|-L [l] list (+) suppress (-) link counts < l (0 = all; default = 0)
  +m [m] use|create mount supplement
  +|-M   portMap registration (-)       -o o   o 0t offset digits (8)
  -p s   exclude(^)|select PIDs         -S [t] t second stat timeout (15)
  -T qs TCP/TPI Q,St (s) info
  -g [s] exclude(^)|select and print process group IDs
  -i i   select by IPv[46] address: [46][proto][@host|addr][:svc_list|port_list]
  +|-r [t[m<fmt>]] repeat every t seconds (15); + until no files, - forever.
       An optional suffix to t is m<fmt>; m must separate t from <fmt> and
       <fmt> is an strftime(3) format for the marker line.
  -s p:s  exclude(^)|select protocol (p = TCP|UDP) states by name(s).
  -u s   exclude(^)|select login|UID set s
  -x [fl] cross over +d|+D File systems or symbolic Links
  names  select named files or files on named file systems
Anyone can list all files; /dev warnings disabled; kernel ID check disabled.
4. Check the file descriptors again (the file name now carries an extra "(deleted)" marker showing it has been removed)
[root@linux0224 ~]# lsof |grep /var/log/nginx/access.log
nginx 5455 root 5w REG 8,3 0 2535358 /var/log/nginx/access.log (deleted)
nginx 5456 root 5w REG 8,3 0 2535358 /var/log/nginx/access.log (deleted)
nginx 5457 root 5w REG 8,3 0 2535358 /var/log/nginx/access.log (deleted)
nginx 5458 root 5w REG 8,3 0 2535358 /var/log/nginx/access.log (deleted)
nginx 5459 root 5w REG 8,3 0 2535358 /var/log/nginx/access.log (deleted)
[root@linux0224 ~]#
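5. Now go into /proc, the Linux directory that manages all processes, find the directory for the matching process ID (the parent process ID), and enter the place where it keeps its file descriptors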
[root@linux0224 ~]# cd /proc/5455/fd
[root@linux0224 fd]# pwd
/proc/5455/fd
[root@linux0224 fd]# ll
total 0
lrwx------. 1 root root 64 Mar 23 20:26 0 -> /dev/null
lrwx------. 1 root root 64 Mar 23 20:26 1 -> /dev/null
lrwx------. 1 root root 64 Mar 23 20:26 10 -> socket:[78890]
lrwx------. 1 root root 64 Mar 23 20:26 11 -> socket:[78891]
lrwx------. 1 root root 64 Mar 23 20:26 12 -> socket:[78892]
lrwx------. 1 root root 64 Mar 23 20:26 13 -> socket:[78893]
lrwx------. 1 root root 64 Mar 23 20:26 14 -> socket:[78894]
l-wx------. 1 root root 64 Mar 23 20:26 2 -> /var/log/nginx/error.log
lrwx------. 1 root root 64 Mar 23 20:26 3 -> socket:[78887]
l-wx------. 1 root root 64 Mar 23 20:26 4 -> /var/log/nginx/error.log
l-wx------. 1 root root 64 Mar 23 20:26 5 -> /var/log/nginx/access.log (deleted)
lrwx------. 1 root root 64 Mar 23 20:26 6 -> socket:[77985]
lrwx------. 1 root root 64 Mar 23 20:26 7 -> socket:[77986]
lrwx------. 1 root root 64 Mar 23 20:26 8 -> socket:[78888]
lrwx------. 1 root root 64 Mar 23 20:26 9 -> socket:[78889]
[root@linux0224 fd]#
6. The symlink named 5 that we see here corresponds to the access.log log file from before
[root@linux0224 fd]# cat 5
7. Write the data behind this file descriptor back to the log file, which completes the file recovery
[root@yuchao-linux01 fd]# cat 5 > /var/log/nginx/access.log
8. Then simply restart nginx
[root@linux0224 ~]# systemctl restart nginx
[root@linux0224 ~]#
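
Steps 4 to 7 can also be done without lsof by reading the /proc/PID/fd symlinks directly. The script below is an added example, not part of the original post: the function names find_deleted_fds and recover_deleted are hypothetical, and it assumes the target is given as the absolute path the process opened and that the caller may read that process's /proc entries.

```sh
#!/bin/sh
# Added example: recover an unlinked file through /proc/<pid>/fd.
# TARGET must be the absolute, canonical path the process opened.

# Print /proc/PID/fd/N for every descriptor still pointing at the removed
# TARGET. The kernel shows such links as "<path> (deleted)".
find_deleted_fds() {
    target=$1
    for fd in /proc/[0-9]*/fd/*; do
        link=$(readlink "$fd" 2>/dev/null) || continue   # process went away
        if [ "$link" = "$target (deleted)" ]; then
            printf '%s\n' "$fd"
        fi
    done
    return 0
}

# Copy the data to DEST, which must not exist yet, so nothing is overwritten.
# Prints the descriptor path that was used; returns 1 if nothing worked.
recover_deleted() {
    target=$1
    dest=$2
    if [ -e "$dest" ]; then
        echo "refusing to overwrite $dest" >&2
        return 1
    fi
    for src in $(find_deleted_fds "$target"); do
        # A holder may exit between listing and copy; try the next one.
        if ( umask 077; cp -- "$src" "$dest" ) 2>/dev/null; then
            printf '%s\n' "$src"
            return 0
        fi
    done
    echo "no open descriptor for $target" >&2
    return 1
}
```

For the case on this page the call would be recover_deleted /var/log/nginx/access.log /var/log/nginx/access.log, since the original path no longer exists after the rm. The running nginx processes keep writing to the deleted inode until they reopen their logs, which is why the restart in step 8 is still needed.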