Recovering an accidentally deleted nginx log on Linux with lsof
1. Make sure nginx is running and has log data
[root@linux0224 ~]# tail -f /var/log/nginx/access.log
[root@linux0224 ~]# lsof |grep /var/log/nginx/access.log
nginx 5455 root 5w REG 8,3 0 2535358 /var/log/nginx/access.log
nginx 5456 root 5w REG 8,3 0 2535358 /var/log/nginx/access.log
nginx 5457 root 5w REG 8,3 0 2535358 /var/log/nginx/access.log
nginx 5458 root 5w REG 8,3 0 2535358 /var/log/nginx/access.log
nginx 5459 root 5w REG 8,3 0 2535358 /var/log/nginx/access.log
[root@linux0224 ~]#
2. Delete the log file: rm -f /var/log/nginx/access.log
[root@linux0224 ~]# rm -f /var/log/nginx/access.log
[root@linux0224 ~]#
[root@linux0224 ~]# ll /var/log/nginx/access.log
ls: cannot access /var/log/nginx/access.log: No such file or directory
[root@linux0224 ~]#
3. Use the lsof command to help recover the log data
[root@linux0224 ~]# lsof --help
lsof: illegal option character: -
lsof: -e not followed by a file system path: "lp"
lsof 4.87
latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
usage: [-?abhKlnNoOPRtUvVX] [+|-c c] [+|-d s] [+D D] [+|-f[gG]] [+|-e s]
[-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+m [m]] [+|-M] [-o [o]] [-p s]
[+|-r [t]] [-s [p:s]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [-Z [Z]] [--] [names]
Defaults in parentheses; comma-separated set (s) items; dash-separated ranges.
-?|-h list help -a AND selections (OR) -b avoid kernel blocks
-c c cmd c ^c /c/[bix] +c w COMMAND width (9) +d s dir s files
-d s select by FD set +D D dir D tree *SLOW?* +|-e s exempt s *RISKY*
-i select IPv[46] files -K list tasKs (threads) -l list UID numbers
-n no host names -N select NFS files -o list file offset
-O no overhead *RISKY* -P no port names -R list paRent PID
-s list file size -t terse listing -T disable TCP/TPI info
-U select Unix socket -v list version info -V verbose search
+|-w Warnings (+) -X skip TCP&UDP* files -Z Z context [Z]
-- end option scan
+f|-f +filesystem or -file names +|-f[gG] flaGs
-F [f] select fields; -F? for help
+|-L [l] list (+) suppress (-) link counts < l (0 = all; default = 0)
+m [m] use|create mount supplement
+|-M portMap registration (-) -o o o 0t offset digits (8)
-p s exclude(^)|select PIDs -S [t] t second stat timeout (15)
-T qs TCP/TPI Q,St (s) info
-g [s] exclude(^)|select and print process group IDs
-i i select by IPv[46] address: [46][proto][@host|addr][:svc_list|port_list]
+|-r [t[m<fmt>]] repeat every t seconds (15); + until no files, - forever.
An optional suffix to t is m<fmt>; m must separate t from <fmt> and
<fmt> is an strftime(3) format for the marker line.
-s p:s exclude(^)|select protocol (p = TCP|UDP) states by name(s).
-u s exclude(^)|select login|UID set s
-x [fl] cross over +d|+D File systems or symbolic Links
names select named files or files on named file systems
Anyone can list all files; /dev warnings disabled; kernel ID check disabled.
4. Check the file descriptors again (the file name now carries an extra "(deleted)" marker)
[root@linux0224 ~]# lsof |grep /var/log/nginx/access.log
nginx 5455 root 5w REG 8,3 0 2535358 /var/log/nginx/access.log (deleted)
nginx 5456 root 5w REG 8,3 0 2535358 /var/log/nginx/access.log (deleted)
nginx 5457 root 5w REG 8,3 0 2535358 /var/log/nginx/access.log (deleted)
nginx 5458 root 5w REG 8,3 0 2535358 /var/log/nginx/access.log (deleted)
nginx 5459 root 5w REG 8,3 0 2535358 /var/log/nginx/access.log (deleted)
[root@linux0224 ~]#
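5. Now go into /proc, the Linux directory that manages all processes, find the directory for the corresponding process ID (the parent process ID), and enter the place where it manages its file descriptors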
[root@linux0224 ~]# cd /proc/5455/fd
[root@linux0224 fd]# pwd
/proc/5455/fd
[root@linux0224 fd]# ll
total 0
lrwx------. 1 root root 64 Mar 23 20:26 0 -> /dev/null
lrwx------. 1 root root 64 Mar 23 20:26 1 -> /dev/null
lrwx------. 1 root root 64 Mar 23 20:26 10 -> socket:[78890]
lrwx------. 1 root root 64 Mar 23 20:26 11 -> socket:[78891]
lrwx------. 1 root root 64 Mar 23 20:26 12 -> socket:[78892]
lrwx------. 1 root root 64 Mar 23 20:26 13 -> socket:[78893]
lrwx------. 1 root root 64 Mar 23 20:26 14 -> socket:[78894]
l-wx------. 1 root root 64 Mar 23 20:26 2 -> /var/log/nginx/error.log
lrwx------. 1 root root 64 Mar 23 20:26 3 -> socket:[78887]
l-wx------. 1 root root 64 Mar 23 20:26 4 -> /var/log/nginx/error.log
l-wx------. 1 root root 64 Mar 23 20:26 5 -> /var/log/nginx/access.log (deleted)
lrwx------. 1 root root 64 Mar 23 20:26 6 -> socket:[77985]
lrwx------. 1 root root 64 Mar 23 20:26 7 -> socket:[77986]
lrwx------. 1 root root 64 Mar 23 20:26 8 -> socket:[78888]
lrwx------. 1 root root 64 Mar 23 20:26 9 -> socket:[78889]
[root@linux0224 fd]#
6. The symlink named 5 that we see here corresponds to the access.log log file from before
[root@linux0224 fd]# cat 5
7. Restore the data from this file descriptor to the log file to complete the recovery
[root@yuchao-linux01 fd]# cat 5 > /var/log/nginx/access.log
8. Then restart nginx
[root@linux0224 ~]# systemctl restart nginx
[root@linux0224 ~]#
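
Steps 4 to 7 above as a script, added here as an example and not part of the original post: it finds the descriptor by its "(deleted)" link target instead of reading the fd number by eye, and refuses to overwrite an existing file. The function names and the demo's temporary file and background holder process are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: recover a deleted file that a live process still holds open.

# Print the /proc/<pid>/fd/<n> entry whose link target is "<path> (deleted)".
find_deleted_fd() {
    local pid=$1 path=$2 fd
    for fd in /proc/"$pid"/fd/*; do
        [ -L "$fd" ] || continue
        if [ "$(readlink "$fd")" = "$path (deleted)" ]; then
            printf '%s\n' "$fd"
            return 0
        fi
    done
    return 1
}

# Copy the still-open contents to dest; never overwrite an existing file.
recover_deleted_file() {
    local pid=$1 path=$2 dest=$3 fd
    if [ -e "$dest" ]; then
        echo "refusing to overwrite $dest" >&2
        return 2
    fi
    fd=$(find_deleted_fd "$pid" "$path") || {
        echo "pid $pid holds no deleted fd for $path" >&2
        return 1
    }
    cat "$fd" > "$dest"
}

# Demo on constructed data: a background holder stands in for nginx.
demo() {
    local dir log pid rc=1
    dir=$(cd "$(mktemp -d)" && pwd -P)
    log=$dir/access.log
    printf 'constructed line 1\nconstructed line 2\n' > "$log"
    # Holder opens the log for append on fd 9, signals ready, then sleeps.
    ( exec 9>>"$log"; : > "$dir/ready"; exec sleep 30 ) >/dev/null 2>&1 &
    pid=$!
    while [ ! -e "$dir/ready" ]; do sleep 0.1; done
    rm -f "$log"                                  # the "accident"
    if recover_deleted_file "$pid" "$log" "$dir/recovered.log"; then
        cat "$dir/recovered.log"; rc=0
    fi
    kill "$pid" 2>/dev/null || true; wait "$pid" 2>/dev/null || true
    rm -rf "$dir"
    return "$rc"
}
```

Until the process reopens its log (the restart in step 8), it keeps writing to the deleted inode, so anything logged between the copy and the restart is not in the recovered file.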