Skip to main content

WHM: Recover Deleted Apache Logs Using File Descriptors

A step-by-step guide to recovering deleted Apache log files.

Scott avatar
Written by Scott
Updated over 2 weeks ago

Accidentally deleting Apache log files, like access_log, can be concerning especially when those logs are needed for troubleshooting or auditing. Fortunately, if the Apache service is still running, there’s a good chance you can recover the deleted log file using the process ID and file descriptors from the active Apache process. In this article, we’ll walk you through a example of how to retrieve a deleted Apache log before restarting the service.

We can recover deleted apache logs easily. Let me explain this with an example.
​I accidentally removed the file '/usr/local/apache/logs/access_log' in the server.

  1. Access the server as root via SSH - If you don't know how, you can follow this guide.

  2. To recover the file, please check the PID of the Apache process using the command below.

     # ps aux | grep httpd 

  3. You’ll see multiple Apache processes listed, and you can use any of the process IDs. However, it's best to use the main Apache process, which typically runs under the user 'root'. In this case, the PID is 1742.

  4. Now, let’s list the file descriptors, using below shared command:

    ll -a /proc/1742/fd 

  5. You’ll see several symbolic links to Apache log files listed, like the one shown below.

    l-wx------ 1 root root 64 Sep 29 03:06 11 -> \ (deleted)/usr/local/apache/logs/access_log

    l-wx------ 1 root root 64 Sep 29 03:06 2 -> /usr/local/apache/logs/error_log

    l-wx------ 1 root root 64 Sep 29 03:06 4 -> /usr/local/apache/logs/modsec_debug_log

    l-wx------ 1 root root 64 Sep 29 03:06 3 -> /usr/local/apache/logs/modsec_audit.log

  6. Stop Apache on the server using the command below:

    service httpd stop

  7. Now, copy the access_log file that is marked as deleted (in this case, it's file descriptor 11).

    cp /proc/1742/fd/11  /usr/local/apache/logs/access_log

  8. Now, start Apache using the command below:

    service httpd start

  9. Access the websites from your server to ensure everything is working properly.

  10. Now, check the removed log file using the command below:

    tail -f /usr/local/apache/logs/access_log



    Congratulations! You’ve successfully recovered the deleted Apache log file Using File Descriptors.

    If you have any questions, please don’t hesitate to contact our team via live chat.

    For technical inquiries, please feel free to reach our support team by emailing support@bigscoots.com from your registered email or by submitting a support ticket.

Did this answer your question?