
Linux/CentOS 7 System Administration: Understanding the Linux File System and Log Analysis

2021-07-28 12:00  Author: Vecloud_


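Preface

- inode (file node) and block (data block)
- Hard links and soft links
- Recovering accidentally deleted files (that is, after rm -rf; you can take a backup first and then restore from it; this works for both ext4 and xfs file systems)
- Classification of log files
- User logs and program logs

1. Overview of inode and block

1.1 Overview

- File data consists of metadata and the actual data.
- Files are stored on disk. The smallest storage unit of a disk is the "sector", and each sector stores 512 bytes.
- block: eight consecutive sectors make up one block. A block is 4k and is the smallest unit of file access.
- inode (index node): also called the i-node, it stores the file's metadata.

    metadata  >>>  inode
    data      >>>  block

A file must occupy one inode, and it occupies at least one block.
For a disk, one unit at the physical level is a sector;
at the logical level, one unit is represented as a cell.
Deleting a file deletes the file name, not the block and inode; one file name corresponds to one inode. The file is really gone only when a new file is written to the disk and overwrites the blocks of the deleted file. So when a file has been deleted by mistake, the first thing to do is stop writing to that disk; data recovery then has a chance of getting the file back.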
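1.2 Contents of an inode

An inode holds the file's metadata:

- The size of the file in bytes
- The UID of the file's owner
- The GID of the file
- The read, write and execute permissions of the file
- The timestamps of the file

Note: the inode does not contain the file name.

The stat command shows the inode information of a file; ls -i also shows the inode number.
Example: stat aa.txt

The three main timestamp attributes of a file on Linux:

- ctime (change time): the last time the file or directory (its attributes, i.e. the inode) was changed
- atime (access time): the last time the file or directory was accessed
- mtime (modify time): the last time the file or directory (its content, i.e. the blocks) was modified

Structure of a directory file

- A directory is also a kind of file.
- In a directory file, each file name corresponds to one inode number. The two fields form one row, and each row is called a directory entry.

Every inode has a number, and the operating system uses inode numbers to tell files apart.
Internally Linux does not use file names; it identifies files by inode number.
For the user, a file name is just a convenient alias for the inode number: the system identifies a file by its inode number, and the user identifies it by its name.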
1.3 What the system does when a user opens a file by name

When a user opens a file by its name, the system goes through these steps (this process matters):

1. The system finds the inode number that corresponds to the file name.
2. Using the inode number, it reads the inode information, i.e. the metadata.
3. Using the inode information, it finds the blocks that hold the file data and reads the data.

Ways to see the inode number

- ls -i shows the inode number that corresponds to a file name: ls -i AA.txt
- stat shows the inode information of a file, which includes the inode number: stat AA.txt

    [root@localhost ~]# cd /opt
    [root@localhost opt]# ls
    rh
    [root@localhost opt]# touch abc.txt
    [root@localhost opt]# vim abc.txt
    [root@localhost opt]# ls -i            # show inode numbers
    35889299 abc.txt   1420654 rh
    [root@localhost opt]# stat abc.txt     # show the file's detailed metadata
      文件:"abc.txt"
      大小:3          塊:8          IO 塊:4096   普通文件
    設備:fd00h/64768d Inode:35889299    硬鏈接:1
    權限:(0644/-rw-r--r--)  Uid:(    0/    root)   Gid:(    0/    root)
    環境:unconfined_u:object_r:usr_t:s0
    最近訪問:2019-11-16 17:57:53.373111661 +0800
    最近更改:2019-11-16 17:57:53.373111661 +0800
    最近改動:2019-11-16 17:57:53.375111659 +0800
    創建時間:-
    [root@localhost opt]# df -i            # show inode usage per mount point
    文件系統                   Inode 已用(I)  可用(I) 已用(I)% 掛載點
    /dev/mapper/centos-root 10485760  125297 10360463       2% /
    devtmpfs                  250006     386   249620       1% /dev
    tmpfs                     253986       1   253985       1% /dev/shm
    tmpfs                     253986     620   253366       1% /run
    tmpfs                     253986      16   253970       1% /sys/fs/cgroup
    /dev/sda1                3145728     328  3145400       1% /boot
    /dev/mapper/centos-home  5242880     286  5242594       1% /home
    tmpfs                     253986       9   253977       1% /run/user/42
    tmpfs                     253986      16   253970       1% /run/user/0
    /dev/sr0                       0       0        0        - /run/media/root/CentOS 7 x86_64
    tmpfs                     253986      16   253970       1% /run/user/1000
    //192.168.254.10/linuxs        0       0        0        - /aaa

In a sense, the number of inodes in use indicates how many files there are.
Principle of full-disk data recovery: when a file name has been deleted by mistake, the recovery tool scans the inode and block information directly.
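1.4 Size of an inode

- inodes also consume disk space. Each inode is usually 128 bytes or 256 bytes.
- The total number of inodes is fixed when the file system is formatted.
- df -i shows the total number of inodes and the number already used on each disk partition.

1.5 Special effects of inodes

Because the inode number is separate from the file name, Unix/Linux systems show the following behaviour:

- When a file name contains special characters the file may not be deletable in the normal way; deleting it by its inode also removes the file.
- Moving or renaming a file changes only the file name and does not affect the inode number.
- Once a file is open, the system identifies it by inode number and no longer considers the file name.

1.6 Link files

A link file can be created for a file or a directory.

    Property                       Soft link (symbolic link)           Hard link
    After the original file        Becomes invalid                     Still usable
    (i.e. its name) is deleted
    Applies to                     Files or directories                Files only
    Location                       May be on a different file system   Must be on the same file system (xfs, ext4, etc.)
                                   from the original file              as the original file, e.g. within one Linux partition

Hard link command:

    ln source_file target_location

Soft link command (-s stands for soft):

    ln -s source_file_or_directory... link_file_or_target_location

2. File recovery

2.1 Recovering files on EXT file systems

Build and install the extundelete package:

- Install the dependency packages
  e2fsprogs-libs-1.41.12-18.el6.x86_64.rpm
  e2fsprogs-devel-1.41.12-18.el6.x86_64.rpm
- Configure, compile and install
  extundelete-0.2.4.tar.bz2
- Simulate a deletion and run the recovery

The extundelete package can only be used on centos-6 or centos-5, because the default file system type of centos-6 is ext4 and the default file system type of centos-5 is ext3.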
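The behaviour described in sections 1.5 and 1.6 can be checked in a scratch directory. The script below is an added example, not part of the original article; the file names are constructed and it assumes GNU coreutils (stat -c) and find as shipped with CentOS.

```shell
#!/usr/bin/env bash
# Added example (not from the original article). All file names are constructed.
# Assumes GNU stat (-c) and find, as shipped with CentOS.

inode_of() { stat -c %i -- "$1"; }   # inode of the path itself (symlinks are not followed)

# 1.5: a rename rewrites the directory entry only; the inode number is unchanged.
rename_keeps_inode() {
    local dir before after
    dir=$(mktemp -d) || return 1
    echo data > "$dir/old.txt"
    before=$(inode_of "$dir/old.txt")
    mv "$dir/old.txt" "$dir/new.txt"
    after=$(inode_of "$dir/new.txt")
    rm -rf "$dir"
    if [ "$before" = "$after" ]; then echo same; else echo changed; fi
}

# 1.6: removing the original name leaves the hard link usable (the inode's link
# count drops from 2 to 1) and leaves the soft link pointing at nothing.
link_survival() {
    local dir before after hard soft
    dir=$(mktemp -d) || return 1
    echo data > "$dir/original.txt"
    ln "$dir/original.txt" "$dir/hard.txt"     # second name for the same inode
    ln -s original.txt "$dir/soft.txt"         # own inode, stores only a path
    before=$(stat -c %h -- "$dir/hard.txt")
    rm -f "$dir/original.txt"                  # removes one name, not the data
    after=$(stat -c %h -- "$dir/hard.txt")
    hard=$(cat "$dir/hard.txt" 2>/dev/null) || hard=lost
    if [ -e "$dir/soft.txt" ]; then soft=usable; else soft=dangling; fi
    rm -rf "$dir"
    echo "links_before=$before links_after=$after hard=$hard soft=$soft"
}

# 1.5: a name that is awkward to type safely can be removed by inode number,
# so the name never has to appear on the command line.
delete_by_inode() {
    local dir name ino left
    dir=$(mktemp -d) || return 1
    name='-rf * odd"name'                      # constructed awkward file name
    echo data > "$dir/$name"
    ino=$(inode_of "$dir/$name")
    find "$dir" -maxdepth 1 -type f -inum "$ino" -delete
    left=$(find "$dir" -maxdepth 1 -type f | wc -l)
    rm -rf "$dir"
    echo "$((left))"                           # number of regular files remaining
}

echo "rename:          $(rename_keeps_inode)"
echo "links:           $(link_survival)"
echo "files remaining: $(delete_by_inode)"
```

The link count printed by stat (%h) is the same "硬鏈接" field shown in the stat output in section 1.3.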
2.2 Recovering files on XFS file systems

xfsdump command format:

    xfsdump -f backup_destination path_or_device_to_back_up

xfsdump backup levels (default 0):

- 0: full backup
- 1-9: incremental backup

Common xfsdump options (xfsdump --help):

    xfsdump: version 3.1.4 (dump format 3.0)
    xfsdump: usage: xfsdump [ -a (dump DMF dualstate files as offline) ]
                            [ -b <blocksize> ]
                            [ -c <media change alert program> ]
                            [ -d <dump media file size> ]
                            [ -e (allow files to be excluded) ]
                            [ -f <destination> ... ]
                            [ -h (help) ]
                            [ -l <level> ]
                            [ -m (force usage of minimal rmt) ]
                            [ -o (overwrite tape) ]
                            [ -p <seconds between progress reports> ]
                            [ -q <use QIC tape settings> ]
                            [ -s <subtree> ... ]
                            [ -t <file> (use file mtime for dump time ]
                            [ -v <verbosity {silent, verbose, trace}> ]
                            [ -z <maximum file size> ]
                            [ -A (don't dump extended file attributes) ]
                            [ -B <base dump session id> ]
                            [ -D (skip unchanged directories) ]
                            [ -E (pre-erase media) ]
                            [ -F (don't prompt) ]
                            [ -I (display dump inventory) ]
                            [ -J (inhibit inventory update) ]
                            [ -K (generate format 2 dump) ]
                            [ -L <session label> ]
                            [ -M <media label> ... ]
                            [ -O <options file> ]
                            [ -R (resume) ]
                            [ -T (don't timeout dialogs) ]
                            [ -Y <I/O buffer ring length> ]
                            [ - (stdout) ]
                            [ <source (mntpnt|device)> ]

xfsrestore command format (the restore command):

    xfsrestore -f location_of_the_backup_file location_to_restore_into

Simulate a deletion and run the recovery.
Note: a backup must first be taken with xfsdump before xfsrestore can be used to restore files.

2.3 Limitations of xfsdump

- It can only back up mounted file systems.
- It must be run with root privileges.
- It can only back up XFS file systems, i.e. it can only be used on centos7 and later.
- The backed-up data can only be parsed by xfsrestore.
- It cannot back up two file systems that have the same UUID.

3. Log files

3.1 What logs are for

- They record the events that occur while the system and programs are running.
- Reading the logs helps to diagnose and resolve system faults.

3.2 Classification of log files

- Kernel and system logs (service logs, kept in /var/log): managed uniformly by the system service syslog; the log formats are largely alike.
- User logs: record information about system users logging in to and out of the system.
- Program logs: log files managed independently by each application; the record formats are not uniform.

A program's log is only created when the program runs for the first time.

    [root@localhost opt]# cd /var/log      # change to the log directory
    [root@localhost log]# ls
    anaconda           dmesg               messages  speech-dispatcher       wpa_supplicant.log
    audit              dmesg.old           ntpstats  spooler                 wtmp
    boot.log           firewalld           pluto     sssd                    Xorg.0.log
    boot.log-20191115  gdm                 ppp       sudo                    Xorg.0.log.old
    boot.log-20191116  glusterfs           qemu-ga   tallylog                Xorg.1.log
    btmp               grubby_prune_debug  rhsm      tuned                   Xorg.1.log.old
    chrony             lastlog             sa        vmware-vgauthsvc.log.0  Xorg.2.log
    cron               libvirt             samba     vmware-vmsvc.log        Xorg.9.log
    cups               maillog             secure    vmware-vmusr.log        yum.log
    [root@localhost log]# rpm -q httpd     # check whether the program is installed
    未安裝軟件包 httpd
    [root@localhost log]# yum install httpd -y
    已安裝:
      httpd.x86_64 0:2.4.6-90.el7.centos
    作為依賴被安裝:
      apr.x86_64 0:1.4.8-5.el7    apr-util.x86_64 0:1.5.2-6.el7    httpd-tools.x86_64 0:2.4.6-90.el7.centos    mailcap.noarch 0:2.1.41-2.el7
    完畢!
    [root@localhost log]# ls
    anaconda           dmesg.old           ntpstats           sssd                    Xorg.0.log.old
    audit              firewalld           pluto              sudo                    Xorg.1.log
    boot.log           gdm                 ppp                tallylog                Xorg.1.log.old
    boot.log-20191115  glusterfs           qemu-ga            tuned                   Xorg.2.log
    boot.log-20191116  grubby_prune_debug  rhsm               vmware-vgauthsvc.log.0  Xorg.9.log
    btmp               'httpd'             sa                 vmware-vmsvc.log        yum.log
    chrony             lastlog             samba              vmware-vmusr.log
    cron               libvirt             secure             wpa_supplicant.log
    cups               maillog             speech-dispatcher  wtmp
    dmesg              messages            spooler            Xorg.0.log
    [root@localhost log]# cd httpd/
    [root@localhost httpd]# ls             # httpd has no log files yet
    [root@localhost httpd]#
    [root@localhost httpd]# systemctl start httpd.service     # start httpd
    [root@localhost httpd]# ls
    access_log  error_log                  # the log files have appeared
    [root@localhost httpd]#
    [root@localhost httpd]# cat access_log     # view the access log
    [root@localhost httpd]#
    [root@localhost httpd]# cat error_log      # view the error log
    [Sat Nov 16 20:43:17.040961 2019] [core:notice] [pid 14701] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
    [Sat Nov 16 20:43:17.041673 2019] [suexec:notice] [pid 14701] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
    AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
    [Sat Nov 16 20:43:17.049635 2019] [lbmethod_heartbeat:notice] [pid 14701] AH02282: No slotmem from mod_heartmonitor
    [Sat Nov 16 20:43:17.071383 2019] [mpm_prefork:notice] [pid 14701] AH00163: Apache/2.4.6 (CentOS) configured -- resuming normal operations
    [Sat Nov 16 20:43:17.071420 2019] [core:notice] [pid 14701] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
    [root@localhost httpd]# systemctl stop firewalld.service  # stop the firewall
    [root@localhost httpd]# setenforce 0
    [root@localhost httpd]#
    [root@localhost httpd]# ifconfig
    ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
          inet 192.168.139.153  netmask 255.255.255.0  broadcast 192.168.139.255
          inet6 fe80::413b:c9ad:e0e:1afc  prefixlen 64  scopeid 0x20<link>
          ether 00:0c:29:d6:c0:8a  txqueuelen 1000  (Ethernet)
          RX packets 291080  bytes 77990464 (74.3 MiB)
          RX errors 0  dropped 0  overruns 0  frame 0
          TX packets 327629  bytes 19778549 (18.8 MiB)
          TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    [root@localhost httpd]# cat access_log     # view the access log again; it now has records
    192.168.139.1 - - [16/Nov/2019:20:49:35 +0800] "GET / HTTP/1.1" 403 4897 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) appleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36"
    192.168.139.1 - - [16/Nov/2019:20:49:35 +0800] "GET /noindex/css/bootstrap.min.css HTTP/1.1" 200 19341 "http://192.168.139.153/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) appleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36"
    192.168.139.1 - - [16/Nov/2019:20:49:35 +0800] "GET /noindex/css/open-sans.css HTTP/1.1" 200 5081 "http://192.168.139.153/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) appleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36"
    192.168.139.1 - - [16/Nov/2019:20:49:35 +0800] "GET /images/apache_pb.gif HTTP/1.1" 200 2326 "http://192.168.139.153/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) appleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36"
    192.168.139.1 - - [16/Nov/2019:20:49:35 +0800] "GET /images/poweredby.png HTTP/1.1" 200 3956 "http://192.168.139.153/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) appleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36"
    192.168.139.1 - - [16/Nov/2019:20:49:35 +0800] "GET /noindex/css/fonts/Bold/OpenSans-Bold.woff HTTP/1.1" 404 239 "http://192.168.139.153/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) appleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36"
    192.168.139.1 - - [16/Nov/2019:20:49:35 +0800] "GET /noindex/css/fonts/Light/OpenSans-Light.woff HTTP/1.1" 404 241 "http://192.168.139.153/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) appleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36"
    192.168.139.1 - - [16/Nov/2019:20:49:35 +0800] "GET /favicon.ico HTTP/1.1" 404 209 "http://192.168.139.153/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) appleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36"
    192.168.139.1 - - [16/Nov/2019:20:49:35 +0800] "GET /noindex/css/fonts/Light/OpenSans-Light.ttf HTTP/1.1" 404 240 "http://192.168.139.153/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) appleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36"
    192.168.139.1 - - [16/Nov/2019:20:49:35 +0800] "GET /noindex/css/fonts/Bold/OpenSans-Bold.ttf HTTP/1.1" 404 238 "http://192.168.139.153/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) appleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36"
    ::1 - - [16/Nov/2019:20:49:43 +0800] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) (internal dummy connection)"
    ::1 - - [16/Nov/2019:20:49:44 +0800] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) (internal dummy connection)"

3.3 Where logs are stored

By default logs are in the /var/log directory. Software that is compiled and installed by hand can be given a different path.

3.4 The main log files

- Kernel and public message log: /var/log/messages
- Scheduled task log: /var/log/cron
- System boot log: /var/log/dmesg
- Mail system log: /var/log/maillog
- User login logs: lastlog, secure, wtmp and btmp in /var/log

4. Kernel and system logs

4.1 Managed uniformly by the system service rsyslogd

- Package: rsyslog-7.4.7-16.el7.x86_64
- Main program: /sbin/rsyslogd
- Configuration file: /etc/rsyslog.conf

4.2 Log message levels

    Level  Severity             Explanation
    0      EMERG (emergency)    Conditions that make the host system unusable (essentially beyond saving: the machine cannot even boot, the server is down)
    1      ALERT (alert)        Problems that require immediate action (the enemy is at the gates and must be dealt with at once)
    2      CRIT (critical)      Fairly serious conditions (serious errors, for example a service that has to be reinstalled)
    3      ERR (error)          Errors that occur during operation (the level is usually set here)
    4      WARNING (warning)    Events that may affect system functions (diligent administrators set the level here)
    5      NOTICE (notice)      Does not affect the system but is worth noting
    6      INFO (information)   General information
    7      DEBUG (debug)        Program or system debugging information (use this level for testing)

5. User log analysis

5.1 Files that record user logins, logouts and related information

- /var/log/lastlog: the most recent login event of each user
- /var/log/wtmp: user logins and logouts, and system startup and shutdown events
- /var/run/utmp: detailed information about each currently logged-in user
- /var/log/secure: security events related to user authentication

5.2 Analysis tools

users: users [OPTION]... [FILE]
Outputs who is currently logged in to the system according to FILE. If FILE is not specified, /var/run/utmp is used; /var/log/wtmp is another commonly used FILE.
who: who [OPTION]... [ FILE | ARG1 ARG2 ]
Shows information about the users who are currently logged in.

    -a, --all         same as the combination -b -d --login -p -r -t -T -u
    -b, --boot        time of the last system boot
    -d, --dead        show dead processes
    -H, --heading     print a line of column headings
    -l, --login       show system login processes
        --lookup      try to resolve host names via DNS
    -m                only the host name and user associated with standard input
    -p, --process     show active processes spawned by init
    -q, --count       list the login names of all logged-in users and the number of users
    -r, --runlevel    show the current runlevel
    -s, --short       show only name, line and time (default)
    -T, -w, --mesg    mark the user's message status with +, - or ?
    -u, --users       list the logged-in users
        --message     same as -T
        --writable    same as -T
        --help        show this help and exit
        --version     show version information and exit

w: shows the users who are logged in and what they are doing
last: shows the list of most recent logins
lastb: shows the list of recent login attempts that failed

    [root@localhost httpd]# last
    root     pts/0        :0               Sat Nov 16 17:57   still logged in
    gsy      :1           :1               Fri Nov 15 09:45   still logged in
    root     pts/0        :0               Fri Nov 15 09:30 - 17:56 (1+08:26)
    root     :0           :0               Fri Nov 15 09:29   still logged in
    reboot   system boot  3.10.0-693.el7.x Fri Nov 15 09:20 - 20:58 (1+11:38)
    root     pts/0        :0               Fri Nov 15 08:50 - 09:19  (00:28)
    root     :0           :0               Fri Nov 15 08:50 - down   (00:29)
    reboot   system boot  3.10.0-693.el7.x Fri Nov 15 08:49 - 09:19  (00:29)
    root     pts/0        :0               Fri Nov 15 08:32 - 08:47  (00:14)
    root     :0           :0               Fri Nov 15 08:32 - crash  (00:16)
    reboot   system boot  3.10.0-693.el7.x Fri Nov 15 08:31 - 09:19  (00:47)
    reboot   system boot  3.10.0-693.el7.x Thu Nov 14 20:18 - 08:24  (12:06)
    root     pts/0        :0               Thu Nov 14 19:46 - 20:17  (00:31)
    root     :0           :0               Thu Nov 14 19:46 - down   (00:31)
    reboot   system boot  3.10.0-693.el7.x Thu Nov 14 19:45 - 20:17  (00:32)
    root     pts/1        :1               Thu Nov 14 19:11 - 19:42  (00:31)
    root     :1           :1               Thu Nov 14 19:10 - crash  (00:34)
    gsy      pts/1        :0               Thu Nov 14 17:33 - 17:33  (00:00)
    gsy      pts/0        :0               Thu Nov 14 17:26 - 19:42  (02:15)
    gsy      pts/0        :0               Fri Nov  1 08:58 - 08:59  (00:00)
    gsy      pts/0        :0               Wed Oct 23 13:46 - 13:46  (00:00)
    gsy      :0           :0               Wed Oct 23 13:44 - crash (22+06:00)
    reboot   system boot  3.10.0-693.el7.x Wed Oct 23 13:42 - 20:17 (22+06:35)

    wtmp begins Wed Oct 23 13:42:11 2019

5.4 Logs managed independently by the corresponding application

- Web service: /var/log/httpd/access_log, error_log
- Proxy service: /var/log/squid/access.log, cache.log
- FTP service: /var/log/xferlog

5.5 Analysis tools

- Viewing the text, filtering with grep, and viewing through the Webmin management suite
- Text filtering and formatting tools such as awk and sed
- Dedicated log analysis tools such as Webalizer and Awstats (graphical)

5.6 Log management strategy

- Back up and archive logs promptly.
- Extend the log retention period.
- Control access permissions on logs: logs may contain all kinds of sensitive information, such as accounts and passwords.
- Manage logs centrally:
  - Send the servers' log files to a single log server.
  - This makes it easier to collect, organize and analyse log information in one place.
  - It prevents accidental loss, malicious tampering or deletion of log information.
  - If distributed storage is used for centralized log management, GFS or MFS is used.

What log files are for: they can be used to judge whether a server has failed, and they also serve as a backup.
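Section 5.5 names awk as a log-filtering tool. The following added example (not from the original article) applies it to the access_log format shown in section 3.2: it tallies responses per status code and lists clients that produced many 404s, skipping Apache's own "internal dummy connection" probes from ::1. The sample lines, the function names and the threshold are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original article). Function names and the
# threshold are assumptions; the sample lines below are constructed.

# Constructed sample in the combined log format used by /var/log/httpd/access_log.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [16/Nov/2019:20:49:35 +0800] "GET / HTTP/1.1" 403 4897 "-" "Mozilla/5.0"
192.0.2.10 - - [16/Nov/2019:20:49:36 +0800] "GET /images/poweredby.png HTTP/1.1" 200 3956 "http://www.example.test/" "Mozilla/5.0"
192.0.2.10 - - [16/Nov/2019:20:49:36 +0800] "GET /favicon.ico HTTP/1.1" 404 209 "http://www.example.test/" "Mozilla/5.0"
198.51.100.7 - - [16/Nov/2019:20:50:01 +0800] "GET /page-a.html HTTP/1.1" 404 210 "-" "ExampleClient/1.0"
198.51.100.7 - - [16/Nov/2019:20:50:01 +0800] "GET /page-b.html HTTP/1.1" 404 210 "-" "ExampleClient/1.0"
198.51.100.7 - - [16/Nov/2019:20:50:02 +0800] "GET /page-c.html HTTP/1.1" 404 210 "-" "ExampleClient/1.0"
::1 - - [16/Nov/2019:20:49:43 +0800] "OPTIONS * HTTP/1.0" 200 - "-" "Apache/2.4.6 (CentOS) (internal dummy connection)"
this line is not in access_log format
EOF
}

# Splitting on the double quote gives: $1 = client/identity/time, $2 = request,
# $3 = " status size ", $4 = referer, $6 = user agent. Lines that do not split
# into that shape are skipped. Assumes the request itself contains no quote.

# Read an access log on stdin, print "status count" sorted by status code.
status_counts() {
    awk -F'"' '
        NF < 7 { next }                                # malformed line
        $6 ~ /internal dummy connection/ { next }      # httpd probing itself
        { split($3, f, " "); count[f[1]]++ }
        END { for (s in count) print s, count[s] }
    ' | sort -n
}

# Read an access log on stdin, print "client count" for every client with at
# least MIN responses of status 404 (default 3).
clients_with_404s() {
    local min=${1:-3}
    awk -F'"' -v min="$min" '
        NF < 7 { next }
        $6 ~ /internal dummy connection/ { next }
        { split($1, c, " "); split($3, f, " ") }
        f[1] == "404" { hits[c[1]]++ }
        END { for (ip in hits) if (hits[ip] >= min) print ip, hits[ip] }
    ' | sort
}

echo "responses per status:"
sample_log | status_counts
echo "clients with 3 or more 404s:"
sample_log | clients_with_404s 3
```

On a real host the same functions read the file directly, for example `status_counts < /var/log/httpd/access_log`.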
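Summary:

- block and inode
- Hard links and soft links
- Recovering accidentally deleted files
- The main log files on Linux
- Log message levels on Linux
- Commands for querying user logs on Linux: who, w, users, last, lastb

6. Lab: verifying disk data recovery

6.1 XFS recovery

Add a new disk.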
    [root@localhost ~]# init 6             # reboot
    [root@localhost ~]# fdisk /dev/sdb     # partition the disk
    [root@localhost ~]# mkfs.xfs /dev/sdb1 # format the partition
    meta-data=/dev/sdb1              isize=512    agcount=4, agsize=1310656 blks
             =                       sectsz=512   attr=2, projid32bit=1
             =                       crc=1        finobt=0, sparse=0
    data     =                       bsize=4096   blocks=5242624, imaxpct=25
             =                       sunit=0      swidth=0 blks
    naming   =version 2              bsize=4096   ascii-ci=0 ftype=1
    log      =internal log           bsize=4096   blocks=2560, version=2
             =                       sectsz=512   sunit=0 blks, lazy-count=1
    realtime =none                   extsz=4096   blocks=0, rtextents=0
    [root@localhost ~]# mkdir /ceshi       # create the test mount point
    [root@localhost ~]# vim /etc/fstab     # edit the mount configuration file
    /dev/mapper/centos-swap swap                    swap    defaults        0 0
    /dev/sdb1       /ceshi  xfs     defaults        0       0
    :wq
    [root@localhost ~]# mount -a           # remount
    [root@localhost ~]# df -Th             # check
    文件系統                 類型      容量  已用  可用 已用% 掛載點
    /dev/mapper/centos-root xfs        20G  4.5G   16G   23% /
    devtmpfs                devtmpfs  977M     0  977M    0% /dev
    tmpfs                   tmpfs     993M     0  993M    0% /dev/shm
    tmpfs                   tmpfs     993M  9.0M  984M    1% /run
    tmpfs                   tmpfs     993M     0  993M    0% /sys/fs/cgroup
    /dev/sda1               xfs       6.0G  161M  5.9G    3% /boot
    /dev/mapper/centos-home xfs        10G   57M   10G    1% /home
    tmpfs                   tmpfs     199M  4.0K  199M    1% /run/user/42
    tmpfs                   tmpfs     199M   20K  199M    1% /run/user/0
    /dev/sr0                iso9660   4.3G  4.3G     0  100% /run/media/root/CentOS 7 x86_64
    /dev/sdb1               xfs        20G   33M   20G    1% /ceshi     # now mounted
    [root@localhost ~]# cd /ceshi          # change to the test mount point
    [root@localhost ceshi]# cp /etc/passwd /etc/shadow ./     # copy the account files into /ceshi
    [root@localhost ceshi]# ls
    passwd  shadow
    [root@localhost ceshi]# mkdir test     # create a test directory
    [root@localhost ceshi]# mv sh* test    # move shadow into test
    [root@localhost ceshi]# ls
    passwd  test
    [root@localhost ceshi]# ls test
    shadow
    [root@localhost ceshi]# xfsdump -f /opt/xfs_dump /ceshi   # back up to /opt/ under the name xfs_dump
    xfsdump: using file dump (drive_simple) strategy
    xfsdump: version 3.1.4 (dump format 3.0) - type ^C for status and control

     ============================= dump label dialog ==============================

    please enter label for this dump session (timeout in 300 sec)
     -> xfs_dump
    session label entered: "xfs_dump"      # the session label entered is xfs_dump

     --------------------------------- end dialog ---------------------------------

    xfsdump: level 0 dump of localhost.localdomain:/ceshi
    xfsdump: dump date: Sat Nov 16 21:50:26 2019
    xfsdump: session id: c175a633-fd65-433f-ac2e-a1a18ae5f686
    xfsdump: session label: "xfs_dump"
    xfsdump: ino map phase 1: constructing initial dump list
    xfsdump: ino map phase 2: skipping (no pruning necessary)
    xfsdump: ino map phase 3: skipping (only one dump stream)
    xfsdump: ino map construction complete
    xfsdump: estimated dump size: 29952 bytes
    xfsdump: /var/lib/xfsdump/inventory created

     ============================= media label dialog =============================

    please enter label for media in drive 0 (timeout in 300 sec)
     -> /ceshi
    media label entered: "/ceshi"          # the media label entered

     --------------------------------- end dialog ---------------------------------

    xfsdump: creating dump session media file 0 (media 0, file 0)
    xfsdump: dumping ino map
    xfsdump: dumping directories
    xfsdump: dumping non-directory files
    xfsdump: ending media file
    xfsdump: media file size 27128 bytes
    xfsdump: dump size (non-dir files) : 4160 bytes
    xfsdump: dump complete: 62 seconds elapsed
    xfsdump: Dump Summary:
    xfsdump:   stream 0 /opt/xfs_dump OK (success)
    xfsdump: Dump Status: SUCCESS          # reported success
    [root@localhost ceshi]# ls /opt/
    abc.txt  rh  xfs_dump                  # the backup file has been created
    [root@localhost ceshi]# rm -fr *       # delete the source files
    [root@localhost ceshi]# ls
    [root@localhost ceshi]# xfsrestore -f /opt/xfs_dump /ceshi    # restore from the backup file xfs_dump under /opt/
    xfsrestore: using file dump (drive_simple) strategy
    xfsrestore: version 3.1.4 (dump format 3.0) - type ^C for status and control
    xfsrestore: searching media for dump
    xfsrestore: examining media file 0
    xfsrestore: dump description:
    xfsrestore: hostname: localhost.localdomain
    xfsrestore: mount point: /ceshi
    xfsrestore: volume: /dev/sdb1
    xfsrestore: session time: Sat Nov 16 21:50:26 2019
    xfsrestore: level: 0
    xfsrestore: session label: "xfs_dump"
    xfsrestore: media label: "/ceshi"
    xfsrestore: file system id: 30939ae0-e0df-4561-b8bc-fc4ebe99c7f2
    xfsrestore: session id: c175a633-fd65-433f-ac2e-a1a18ae5f686
    xfsrestore: media id: c4244361-30d3-4df5-9197-e6712eb8d8bd
    xfsrestore: using online session inventory
    xfsrestore: searching media for directory dump
    xfsrestore: reading directories
    xfsrestore: 2 directories and 3 entries processed
    xfsrestore: directory post-processing
    xfsrestore: restoring non-directory files
    xfsrestore: restore complete: 0 seconds elapsed
    xfsrestore: Restore Summary:
    xfsrestore:   stream 0 /opt/xfs_dump OK (success)
    xfsrestore: Restore Status: SUCCESS    # reported success
    [root@localhost ceshi]# ls
    passwd  test                           # the files are back
    [root@localhost ceshi]#

6.2 EXT4 file recovery

Add a new disk.
    [root@gsy ~]# df -Th                   # check whether the private yum repository is mounted
    Filesystem              Type     Size  Used Avail Use% Mounted on
    /dev/sda2               ext4      20G  3.2G   16G  18% /
    tmpfs                   tmpfs    996M  224K  996M   1% /dev/shm
    /dev/sda1               ext4     5.8G  168M  5.4G   3% /boot
    /dev/sda3               ext4     9.7G  150M  9.0G   2% /home
    /dev/sr0                iso9660  3.6G  3.6G     0 100% /media/RHEL_6.5 x86_64 Disc 1
    //192.168.254.10/linuxs cifs     455G   90G  366G  20% /linuxs
    /dev/sr0                iso9660  3.6G  3.6G     0 100% /yumcangku
    [root@gsy Packages]# rpm -ivh e2fsprogs-libs-1.41.12-18.el6.x86_64.rpm     # install the dependency packages
    warning: e2fsprogs-libs-1.41.12-18.el6.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
    Preparing...                ########################################### [100%]
        package e2fsprogs-libs-1.41.12-18.el6.x86_64 is already installed
    [root@gsy Packages]# rpm -ivh libcom_err-devel-1.41.12-18.el6.x86_64.rpm
    warning: libcom_err-devel-1.41.12-18.el6.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
    Preparing...                ########################################### [100%]
        package libcom_err-devel-1.41.12-18.el6.x86_64 is already installed
    [root@gsy Packages]# rpm -ivh e2fsprogs-devel-1.41.12-18.el6.x86_64.rpm
    warning: e2fsprogs-devel-1.41.12-18.el6.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
    Preparing...                ########################################### [100%]
        package e2fsprogs-devel-1.41.12-18.el6.x86_64 is already installed
    [root@gsy Packages]# mkdir /linuxs     # create the mount point
    [root@gsy Packages]# mount //192.168.254.10/linuxs /linuxs    # the source is my shared folder; to learn how to set up a shared folder see my blog, I will attach the blog address in the comments
    [root@gsy Packages]# cd /linuxs
    [root@gsy linuxs]# ls
    apr-1.4.6.tar.gz       extundelete-0.2.4.tar.bz2  john-1.8.0.tar.gz
    apr-util-1.4.1.tar.gz  httpd-2.4.2.tar.gz
    [root@gsy linuxs]# tar xjvf extundelete-0.2.4.tar.bz2  -C /mnt     # unpack extundelete
    [root@gsy linuxs]# cd /mnt
    [root@gsy mnt]# ls
    extundelete-0.2.4
    [root@gsy mnt]# cd extundelete-0.2.4/  # change into the unpacked directory
    [root@gsy extundelete-0.2.4]# ls
    acinclude.m4  config.h     config.status  depcomp     Makefile     missing  stamp-h2
    aclocal.m4    config.h.in  configure      install-sh  Makefile.am  README
    autogen.sh    config.log   configure.ac   LICENSE     Makefile.in  src
    [root@gsy extundelete-0.2.4]# yum install gcc gcc-c++ -y      # install the tools needed to build from source
    [root@gsy extundelete-0.2.4]# ./configure                     # configure
    Configuring extundelete 0.2.4
    Writing generated files to disk
    [root@gsy extundelete-0.2.4]# make
    make -s all-recursive
    Making all in src
    [root@gsy extundelete-0.2.4]# make install                    # install the compiled binary
    Making install in src
      /usr/bin/install -c extundelete '/usr/local/bin'
    [root@gsy extundelete-0.2.4]# fdisk /dev/sdb                  # create a partition; the defaults are fine
    [root@gsy extundelete-0.2.4]# mkfs -t ext4 /dev/sdb1          # format the partition as ext4
    mke2fs 1.41.12 (17-May-2010)
    文件系統標簽=
    操作系統:Linux
    塊大小=4096 (log=2)
    分塊大小=4096 (log=2)
    Stride=0 blocks, Stripe width=0 blocks
    1310720 inodes, 5241198 blocks
    262059 blocks (5.00%) reserved for the super user
    第一個數據塊=0
    Maximum filesystem blocks=4294967296
    160 block groups
    32768 blocks per group, 32768 fragments per group
    8192 inodes per group
    Superblock backups stored on blocks:
        32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
        4096000

    正在寫入inode表: 完成
    Creating journal (32768 blocks): 完成
    Writing superblocks and filesystem accounting information: 完成

    This filesystem will be automatically checked every 29 mounts or
    180 days, whichever comes first.  Use tune2fs -c or -i to override.
    [root@gsy extundelete-0.2.4]# mkdir /data                     # create the mount point for the disk
    [root@gsy extundelete-0.2.4]# mount /dev/sdb1 /data
    [root@gsy extundelete-0.2.4]# df -Th
    Filesystem              Type     Size  Used Avail Use% Mounted on
    /dev/sda2               ext4      20G  3.2G   16G  18% /
    tmpfs                   tmpfs    996M  224K  996M   1% /dev/shm
    /dev/sda1               ext4     5.8G  168M  5.4G   3% /boot
    /dev/sda3               ext4     9.7G  150M  9.0G   2% /home
    /dev/sr0                iso9660  3.6G  3.6G     0 100% /media/RHEL_6.5 x86_64 Disc 1
    //192.168.254.10/linuxs cifs     455G   90G  366G  20% /linuxs
    /dev/sr0                iso9660  3.6G  3.6G     0 100% /yumcangku
    /dev/sdb1               ext4      20G  172M   19G   1% /data
    [root@gsy extundelete-0.2.4]# cd /data
    [root@gsy data]# ls
    lost+found
    [root@gsy data]# echo a>a
    [root@gsy data]# echo a>b              # create the test files
    [root@gsy data]# echo c>c
    [root@gsy data]# ls
    a  b  c  lost+found
    [root@gsy data]# rm -rf b              # delete one of them
    [root@gsy data]# ls
    a  c  lost+found
    [root@gsy data]# cd ../
    [root@gsy /]# umount /data             # unmount first and write nothing more to it, to avoid overwriting
    [root@gsy /]# extundelete /dev/sdb1 --restore-all             # full-disk recovery
    NOTICE: Extended attributes are not restored.
    Loading filesystem metadata ... 160 groups loaded.
    Loading journal descriptors ... 29 descriptors loaded.
    Searching for recoverable inodes in directory / ...
    0 recoverable inodes found.
    Looking through the directory structure for deleted files ...
    0 recoverable inodes still lost.
    No files were undeleted.               # recovery did not succeed
    [root@gsy /]# cd
    [root@gsy ~]# mount /dev/sdb1 /data    # mount again
    [root@gsy ~]# ls
    anaconda-ks.cfg  install.log.syslog  模板  圖片  下載  桌面
    install.log      公共的              視頻  文檔  音樂
    [root@gsy ~]# ls /data
    a  c  lost+found
    [root@gsy ~]# rm -rf /data/a /data/c   # delete again as a second test
    [root@gsy ~]# ls /data
    lost+found
    [root@gsy ~]# umount /data
    [root@gsy ~]# extundelete /dev/sdb1 --restore-all
    NOTICE: Extended attributes are not restored.
    Loading filesystem metadata ... 160 groups loaded.
    Loading journal descriptors ... 30 descriptors loaded.
    Searching for recoverable inodes in directory / ...
    2 recoverable inodes found.            # this time something was found
    Looking through the directory structure for deleted files ...
    0 recoverable inodes still lost.
    [root@gsy ~]# ls                       # look in the home directory
    anaconda-ks.cfg  install.log.syslog  公共的  視頻  文檔  音樂
    install.log      RECOVERED_FILES     模板    圖片  下載  桌面
    [root@gsy ~]# ls RECOVERED_FILES/      # list the recovered-files directory
    a  c
    [root@gsy ~]# cd RECOVERED_FILES/
    [root@gsy RECOVERED_FILES]# cp a c /mnt                       # copy the files to /mnt
    [root@gsy RECOVERED_FILES]# ls /mnt
    a  c  extundelete-0.2.4                # success; data recovery is a matter of probability and does not succeed every time
    [root@gsy RECOVERED_FILES]#

7. Conclusion

This article mainly introduced the Linux file system. What matters most is being able to detect and troubleshoot the common faults that go with it. That requires being familiar with the common log files on a Linux system so that problems can be resolved promptly.

