0

Let's say I accidentally manually killed some process by random pid:

kill -9 pid

Now I want to get some information about that process, e.g. what actual program I killed and how to restore it.

I'm on Red Hat Enterprise Linux Server release 7.4 (Maipo)

Edited:

I don't think it is duplication for Who "Killed" my process and why? quite different question and proposed solution doesn't work for me

Normal
  • 1,347
  • 4
  • 17
  • 34
  • I don't see that process under /proc. I guess it is not there since I killed it. Right? Command is fine, I don't need automation here – Normal Jun 04 '18 at 10:38
  • Possible duplicate of [Who "Killed" my process and why?](https://stackoverflow.com/questions/726690/who-killed-my-process-and-why) – Achal Jun 04 '18 at 10:40
  • 1
    @achal No, the nominated duplicate seems to be about the opposite question (which user and command killed my process, rather than what was the thing I killed) – tripleee Jun 04 '18 at 10:42

1 Answers1

3

You can find that information in the system log /var/log/syslog and /var/log/messages.

Ex. grep -i 'kill' /var/log/messages.

Try to examine /var/log/*. You if don't get information anywhere there, then I think you are out of luck.

As triplee pointed out, your kill process will not be logged by default. But as you said, you don't have sudo access, I assume you must be working in some organisation. So there are chances that users activity are logged. So my answer might work.

Unfortunately, without a log, you cannot go back in time and retrieve a list of running processes.

Using a simple script it is possible to keep a running log of processes. With the log, you can go back and view what was running and what wasn't.

#!/bin/bash

mkdir -p "$HOME/ps_logs"

while true; do
    ps aux > "$HOME/ps_logs/ps_$(date +%Y-%m-%d_%H:%M:%S).log"
    sleep 60 # Logging interval in seconds.
done
Shubham Kadlag
  • 2,248
  • 1
  • 13
  • 32
  • Thanks for quick reply! I've got: cat: /var/log/syslog: No such file or directory and permissions denied on trying read /var/log/messages. Quite strange that I can kill processes but can't read log. I don't have sudo access. – Normal Jun 04 '18 at 10:41
  • 1
    On many platforms the logs are not readable by normal users. On Debian you might want to add your user to the group `adm` if this is something you have control over. – tripleee Jun 04 '18 at 10:44
  • But this is not a correct answer; a regular `kill` command issued by a regular user will not be logged by default. – tripleee Jun 04 '18 at 10:45
  • thanks for the update! Totally makes sense – Normal Jun 04 '18 at 11:13