Re: Deleted auth.log
On Sat, 3 Dec 2005 10:58 am, Marcello Di Marino Azevedo wrote:
> fuser - identify processes using files or sockets.
> debian:/var/log# fuser syslog
> syslog: 3407
> debian:/var/log# fuser -u syslog
> syslog: 3407(root)
Yes, it identifies processes _using_ files or sockets.
In other words, knowing the file or socket is a prerequisite for identifying
What if you've deleted the file in question, but said process still has it
open? How can you then identify which processes are using the deleted file -
despite no-longer having the entry available.
> Em Sáb, 2005-12-03 às 09:50 +1100, Arafangion escreveu:
> > On Sat, 3 Dec 2005 10:42 am, René Seindal wrote:
> > > Roberto C. Sanchez wrote (03-12-2005 00:34):
> > <snip>
> > > > That is because, although auth.log is gone, any file descriptors that
> > > > were open to it are still available. Thus, until all the file
> > > > descriptors have also been released, the file still "exists." If you
> > > > are not certain of which applications on your system normally write
> > > > to auth.log, your best option may be a reboot.
> > This leads to an interesting question - are there any tools that can
> > reveal "lost" files - those who no-longer have an entry in the fs, but
> > are still open?
> > I would imagine that certain sockets and temp files would fall in this
> > category.