Often people will delete log files that are still open. Sometimes it is necessary to look at the logs that have been deleted. It takes a little investigation, but can done.
The first thing to do is to find the Process IDentifier (PID) and the File Descriptor number (FD) of the log open. This can be accomplished with “lsof | grep <logfile>” or “lsof|grep deleted”. The PID is the second column and the FD is the fourth column. Remove the extra letters from the file descriptors.
Change Directory (cd) into the process filedescriptor directory (cd /proc/<PID>/fd”. Look at the files in the with the List Strorage (ls) command. There will be file with the FD number. This is the lost file. You can use less or more to look at the file.
For example:
lsof /|grep '(deleted)'
Gives the results:
httpd 24010 root 11w REG 8,2 1601475687 993976 /etc/httpd/logs/access_log (deleted)
At this point you have 2 choices, truncate the file descriptor or restart the process.
To truncate the file descriptor with
> /proc/24010/fd/16