In this scenario, we are going to recover removed file in Linux OS.
for example: /data/mongodb/audit/sh0-prm-audit.log is removed.
Find the deleted file by lsof command:
[root@unixonline]# lsof | grep -i delete init 1 root 9r REG 253,7 10406312 528590 /var/lib/sss/mc/initgroups (deleted) hald 2706 haldaemon 19r REG 253,7 10406312 528593 /var/lib/sss/mc/initgroups (deleted) ntpd 2874 ntp 4r REG 253,7 10406312 528593 /var/lib/sss/mc/initgroups (deleted) mongod 5774 mongo 5w REG 253,4 33808320 68009543 /data/mongodb/audit/sh0-prm-audit.log (deleted) sssd 11026 root 16r REG 253,7 10406312 528594 /var/lib/sss/mc/initgroups (deleted) sssd_be 11027 root 19r REG 253,7 10406312 528594 /var/lib/sss/mc/initgroups (deleted) tail 57526 mongo 3r REG 253,4 0 68009559 /data/mongodb/audit/sh0-prm-audit.log (deleted)
Locate to the related PID process path:
[root@unixonline audit]# cd /proc/5774/fd/
List files to find removed file:
[root@unixonline fd]# ls -al | grep -i delete l-wx------ 1 mongo mongo 64 Sep 10 11:35 5 -> /data/mongodb/audit/sh0-prm-audit.log (deleted)
Write that process to the temporary file:
[root@unixonline fd]# cat 5 > /tmp/1
Write the recovered file to the required destination path:
[root@unixonline audit]# cat /tmp/1 > /data/mongodb/audit/sh0-prm-audit.log