Mainly Linux


Recover files using lsof

lsof is a Linux tool which can show open files and network connections, and even recover deleted files.

If you have ever deleted a file by mistake; been clearing up log files, or just used rm without thinking, there is a way of recovering that deleted file. For example, to recover a missing error_log or access_log used by Apache you can search for it via this command:

lsof | grep access_log

Which outputs:

httpd 26120 apache 42w REG 253,0 5852 12222531 /apachelogs/access_log (deleted)

The key word to look for here is deleted in brackets. The good news is a process (26120) still has the file open and without this process keeping the file open we would have lost the file permanently. So, with the Apache daemon helping us out we can view the missing info by looking inside the proc filesystem, the process id (26120), and finally in the file descriptor (fd):

cat /proc/26120/fd/42

This outputs the contents of my deleted access_log which shows the data is still there. All you need to do now is simply redirect the contents back to /apachelogs/access_log, like this:

cat /proc/26120/fd/42 > /apachelogs/access_log

Now you have recovered your access_log with all the data back to its original location. (You should also restart Apache). lsof can do much more, however, this is one example which could save the day.

Does anyone know any other examples of lsof?

Filed under: Linux Leave a comment
Comments (2) Trackbacks (0)
  1. When you need to recover big files (dont have enough space to copy whole file), you can use this utility:

  2. Thanks, will check that out.

Leave a comment

No trackbacks yet.