
Re: Deleted auth.log



On Sat, 3 Dec 2005 10:58 am, Marcello Di Marino Azevedo wrote:
> fuser - identify processes using files or sockets.
>
> debian:/var/log# fuser syslog
> syslog:               3407
> debian:/var/log# fuser -u syslog
> syslog:               3407(root)

Yes, it identifies processes _using_ files or sockets.
In other words, knowing the file or socket is a prerequisite for identifying 
the process.

What if you've deleted the file in question, but said process still has it 
open? How can you then identify which processes are using the deleted file - 
despite no longer having the entry available?

>
> On Sat, 2005-12-03 at 09:50 +1100, Arafangion wrote:
> > On Sat, 3 Dec 2005 10:42 am, René Seindal wrote:
> > > Roberto C. Sanchez wrote (03-12-2005 00:34):
> >
> > <snip>
> >
> > > > That is because, although auth.log is gone, any file descriptors that
> > > > were open to it are still available.  Thus, until all the file
> > > > descriptors have also been released, the file still "exists."  If you
> > > > are not certain of which applications on your system normally write
> > > > to auth.log, your best option may be a reboot.
> >
> > This leads to an interesting question - are there any tools that can
> > reveal "lost" files - those that no longer have an entry in the fs, but
> > are still open?
> >
> > I would imagine that certain sockets and temp files would fall in this
> > category.
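
Added example, not part of the original message: on Linux each open descriptor appears as a symlink under /proc/PID/fd, and the kernel appends " (deleted)" to the target once the directory entry is unlinked (`lsof +L1` reports the same condition). The sketch below scans for those links; the function name and output layout are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""List open file descriptors whose directory entry has been unlinked (Linux /proc)."""
import os
import sys

DELETED_SUFFIX = " (deleted)"  # appended by the kernel to the fd link target


def find_deleted_open_files(proc_root="/proc"):
    """Return sorted (pid, command, fd, original_path) tuples for unlinked-but-open files."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():              # only per-process directories
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                      # process exited, or not ours and we are not root
            continue
        try:
            with open(os.path.join(proc_root, entry, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:
            comm = "?"
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:                  # descriptor closed while we were scanning
                continue
            # Paths start with "/"; this skips socket:[..], pipe:[..] and anon_inode:..
            # "/memfd:" entries never had a directory entry, so they are skipped too.
            # Caveat: a live file literally named "x (deleted)" would also match.
            if (target.startswith("/") and not target.startswith("/memfd:")
                    and target.endswith(DELETED_SUFFIX)):
                hits.append((int(entry), comm, int(fd), target[:-len(DELETED_SUFFIX)]))
    return sorted(hits)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/proc"
    for pid, comm, fd, path in find_deleted_open_files(root):
        # The data stays readable through the fd link until the process closes it.
        print(f"{pid}\t{comm}\tfd {fd}\t{path}\t(read via {root}/{pid}/fd/{fd})")
```

Run it as root to see every process; as an unprivileged user it only reports processes you own.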


