Can I recover the file /var/log/warn that was removed?

Dear friend,

My system is Suse Linux
The disk usage of /var is 83%

df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda2 5.1G 557M 4.5G 11% /
udev 4.0G 2.9M 4.0G 1% /dev
/dev/sda5 2.0G 69M 1.9G 4% /home
/dev/sda8 92G 39G 48G 45% /opt
/dev/sda7 25G 2.7G 21G 12% /opt/pub/software
/dev/sda3 5.0G 1.3G 3.5G 27% /tmp
/dev/sda6 5.0G 3.9G 825M 83% /var

After checking, I found that the file /var/log/warn is so big (3.7GB)
-rw-r----- 1 root root 3.7G May 2 00:06 warn

So I tried to remove it with the command “rm warn”. Then the file disappeared, but the disk usage has not changed, still 83%. :frowning:
Please help support me

  • Can the /var/log/warn file be recovered?
  • If I remove that file, can it be generated automatically? I waited for some hours but it was not generated again. So I created a Null warn file, but the system log cannot be written there.
  • How can I release the /var partition in this case?

Thanks in advance!
Tien

Hello,

You say you use “Suse Linux”, but fail to give the version.
I get the strong idea that you use SUSE Linux Enterprise Desktop or Server. If that is the case, you are on the wrong forums. These are the openSUSE forums. The SLES/SLED forums are at https://forums.suse.com/forum.php .

On 2015-05-03 12:16, vinhtien82 wrote:

> After checking, I found that the file /var/log/warn is so big (3.7GB)

You should have investigated what it contained before removing the log.
There is something hugely wrong in that machine.

> So I tried to remove it with the command “rm warn”. Then the file disappeared,
> but the disk usage has not changed, still 83%. :frowning:

When you delete a file, it is not actually deleted if something opened
it before, and did not close it. lsof might tell you what. As a last
resort, reboot.

Besides that, if you are using btrfs, you need to clear the snapshots.

> Please help support me
> - Can the /var/log/warn file be recovered?

You mean undeleted? Not that I know. In theory yes, because something
has it. But I don’t know how it could be done.

But if you are using btrfs, it is trivial.

> - if I remove that file, can it be generated automatically.

Of course it is. Eventually, when syslog writes a new entry.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

The content of the file can be recovered as long as it is kept open. Most likely it is some syslog process; so find its PID and check /proc/PID/fd/ for a link to /var/log/warn that says “(deleted)”. Then you can copy the content using this name. But then you need additional space somewhere …

bor@opensuse:~> LC_ALL=C ll /tmp/foo
ls: cannot access /tmp/foo: No such file or directory
bor@opensuse:~> LC_ALL=C ll /proc/1088/fd/
total 0
lr-x------ 1 bor bor 64 May  3 22:26 0 -> /tmp/foo (deleted)
lrwx------ 1 bor bor 64 May  3 22:26 1 -> /dev/pts/1
lrwx------ 1 bor bor 64 May  3 22:26 2 -> /dev/pts/1
bor@opensuse:~> cat /proc/1088/fd/0
foo
bor@opensuse:~> cp /proc/1088/fd/0 /tmp/bar
bor@opensuse:~> cat /tmp/bar
foo
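
The /proc/PID/fd recovery shown above, as an added example that is not part of the original posts: two shell functions that find which process still holds an unlinked file open and copy its content out after checking that the destination has room. The function names and the destination path in the usage comment are made up for this example; it assumes a Linux /proc and GNU stat, and needs root to see another user's descriptors.

```sh
#!/bin/sh
# Added example; function names are hypothetical. Assumes Linux /proc and GNU stat.

# find_deleted_open PATH
# Print "PID FD" for each process that still holds PATH open after it was unlinked.
find_deleted_open() {
    for link in /proc/[0-9]*/fd/*; do
        # Descriptors of other users' processes are unreadable without root; skip them.
        dest=$(readlink "$link" 2>/dev/null) || continue
        if [ "$dest" = "$1 (deleted)" ]; then
            pid=${link#/proc/}
            printf '%s %s\n' "${pid%%/*}" "${link##*/}"
        fi
    done
}

# recover_deleted PATH DEST
# Copy the still-open content of the unlinked PATH to DEST, refusing if DEST's
# filesystem lacks room (the copy needs as much space as the deleted file).
recover_deleted() {
    hit=$(find_deleted_open "$1" | head -n 1)
    [ -n "$hit" ] || { echo "no process holds $1 open" >&2; return 1; }
    src="/proc/${hit% *}/fd/${hit#* }"
    need=$(stat -L -c %s "$src") || return 1
    avail_kb=$(df -Pk "$(dirname "$2")" | awk 'NR==2 {print $4}')
    if [ $((avail_kb * 1024)) -le "$need" ]; then
        echo "not enough space for $need bytes in $(dirname "$2")" >&2
        return 1
    fi
    cp "$src" "$2"
}

# Usage (constructed paths): sh recover.sh /var/log/warn /opt/warn.recovered
if [ "$#" -eq 2 ]; then
    recover_deleted "$1" "$2"
fi
```

The copy has to go to a different filesystem than the full one, since the deleted file's blocks stay allocated until the holding process closes it.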

On 2015-05-03 21:36, arvidjaar wrote:

> The content of file can be recovered as long as it is kept open. Most
> likely it is some syslog process; so find its PID and check
> /proc/-PID-/fd/ for link to /var/log/warn that says “(deleted)”. Then
> you can copy content using this name. But then you need additional space
> somewhere …

Interesting! Thanks. :slight_smile:


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

If the question is how to reclaim the space covered by the file, you may want to send a HUP signal to rsyslogd to tell it to close the files it usually keeps open until restarted.

kill -HUP $(cat /var/run/rsyslogd.pid)