Is there any rm log with removed files?

Solution 1

Some different solutions

There is no log, but if you want...

Watch for deleted entries and log

You may use inotify libraries in recursive and monitor mode:

inotifywait -e delete --timefmt %c --format '%T %_e %w %f' -r -m / >/path/logfile
Setting up watches.  Beware: since -r was given, this may take a while!
Watches established.
Fri Jul 19 11:57:39 2013 DELETE /tmp/ testfiletodelete
Fri Jul 19 11:57:46 2013 DELETE /home/user/ testfiletodelete

This is a sysadmin approach: All user, all directories and mounted points...

Warning this could be a little overkill read carefully the man page and add some options like --exclude

Patch bash rm command

You could add something to your .bashrc...

Transform rm from delete to move to trash command

mkdir -p $HOME/.Trashcan
rm() {
    local destdir=$(mktemp -d $HOME/.Trashcan/trash-XXXXXXXXX);
    mkdir $destdir/files
    echo $0 $@ >$destdir/command
    set >$destdir/environ
    mv -t $destdir/files $@
} 

So every time you hit rm in your bash, files will be moved to a directory, command and environs will be saved too.

As each rm will create a new directory correctly dated, there is no need to use date.

Adding a log step to rm command.

But if you just wanna log your operation, at user lever:

rm() {
   date >>$HOME/.rm.log +"%a %d %b %Y %T: rm $@"
   /bin/rm $@
}

could do the job.

Nota 1

As @slhck rightly said: redefining usual commands may forge bad practice for new users, so if you modify such standards commands, your have to not forget this when you're working on another system!

Nota 2

This patch only rm command runned by interactive user shell. You may edit /etc/bashrc for making them for all users, but at all, only bash tools could be affected.

If files are removed by unlink in perl for sample, this will not be logged by this.

Or even if ksh, dash or else is invoked instead of bash... no logs.

Nota 3

For accessing original command, instead of alias or personal function, you have to precise full path: /bin/rm myfile will remove myfile but bypassing rm function, nothing will be logged.

Solution 2

If it is you who accidentally removed files, and your shell supports history, you can list the history back like this:

history | grep rm

Of course, you'll need to do an insight search through the history to know where you deleted the file.

If it was another user, maybe his/her ~/.bash_history or similar file (for whichever shell the user uses) may have that information, if they didn't delete it from there.

But actually, as other answers propose, there's no log. Just means of scanning the surface for removed files not-yet-overwritten.

By the way, using a Copy-on-write filesystem, such as ZFS or btrfs, you can track deleted files between "states" of the drive in time, called snapshots.

You can have a cron task run with the required time granularity to ensure there is a recent enough snapshot, and then diff between the snapshot and the current state.

There's another way. You can compile your own rm binary, which does save traces of what did it do.

Related videos on Youtube

04 : 58

Removing files from git staging area | git reset

SelfTuts

12524

03 : 59

How to recover deleted file in your linux system

Shubham dubey

44

07 : 13

How To Recover Deleted Files In Linux | Step by Step - Manoj Sharma

RHS Fashion

5

03 : 24

Is there any rm log with removed files? (4 Solutions!!)

Roel Van de Paar

2

03 : 57

the rm command on linux to permanently remove files

Chris Gregg

2

Author by

patryk.beza

Yet another geek in love with Linux & Open Source. My PGP pubkey: 0x90d32cb0e7e1e565. If you can't explain it simply, you don't understand it well enough. [A.Einstein] It’s a long way by the rules, but short and efficient with examples. [Seneca the Younger] Talk is cheap. Show me the code. [L.Torvalds]

Updated on September 18, 2022