Master Linux Inodes, Links, File Recovery, and Log Analysis
This guide explains Linux filesystem fundamentals—including inode structure, block allocation, hard and soft links, methods for recovering deleted EXT and XFS files, and practical techniques for analyzing system and application log files using common commands and tools.
Inode and Block
In Linux a block is the smallest addressable unit on disk, typically eight 512‑byte sectors (4 KB). An inode stores a file’s metadata: size, owner UID, group GID, permission bits, and timestamps.
atime – last access time
mtime – last modification time of file contents
ctime – last change time of inode attributes
Key commands:
stat filename – view file metadata
ls -i filename – display the inode number
df -i – show total and used inode counts per filesystem
Typical inode size is 128 B or 256 B, set when the filesystem is created.
Special inode operations
Because the inode number is independent of the filename, you can delete a file whose name contains problematic characters by removing it through its inode number. Renaming a file does not change its inode, whereas editing a file may create a new inode. To delete by inode:
find /path/to/dir -inum <inode_number> -delete
Hard Links and Symbolic Links
Both link types create additional directory entries that point to the same data, but they differ in behavior:
Hard link: shares the same inode as the source file, works only for files on the same filesystem, and remains valid if the original file is removed.
Symbolic (soft) link: a separate file containing the path to the source, can link to files or directories across filesystems, and becomes dangling if the source is deleted.
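The behaviour described above, together with delete-by-inode from the previous section, as an added example that is not part of the original article. It assumes GNU coreutils and findutils; the function names and file names are hypothetical and everything runs in temporary directories.

```shell
#!/bin/sh
# Added example: everything runs inside throwaway mktemp directories.

# Inode number of a path. GNU stat does not follow symlinks unless given -L.
inode_of() { stat -c %i -- "$1"; }

# Remove every name directly inside directory $1 that refers to inode $2.
# -xdev: inode numbers are only unique within one filesystem.
delete_by_inode() { find "$1" -maxdepth 1 -xdev -inum "$2" -delete; }

# Hard link vs symlink. Prints: <same|different> <link count> <data> <symlink state>
link_demo() {
    d=$(mktemp -d) || return 1
    printf 'payload\n' > "$d/original"
    ln "$d/original" "$d/hard"        # second directory entry, same inode
    ln -s "$d/original" "$d/soft"     # separate file that stores a path
    same=different
    [ "$(inode_of "$d/original")" = "$(inode_of "$d/hard")" ] && same=same
    nlink=$(stat -c %h -- "$d/original")   # link count kept in the inode
    rm -- "$d/original"                    # data survives: one name is left
    soft=valid
    [ -e "$d/soft" ] || soft=dangling      # -e follows the link to its target
    printf '%s %s %s %s\n' "$same" "$nlink" "$(cat "$d/hard")" "$soft"
    rm -rf -- "$d"
}

# Delete a file whose name has a leading dash, a space and a newline.
# Prints how many entries remain in the directory afterwards.
weird_name_demo() {
    d=$(mktemp -d) || return 1
    nl='
'
    weird="$d/-rf odd${nl}name"
    : > "$weird"
    : > "$d/keep"
    delete_by_inode "$d" "$(inode_of "$weird")"
    find "$d" -mindepth 1 | wc -l | tr -d ' '
    rm -rf -- "$d"
}

link_demo
weird_name_demo
```

Because -inum matches every directory entry that refers to the inode, deleting by inode inside a directory also removes any hard links to the same file found there.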
Creation commands:
ln source_path link_path
ln -s source_path link_path
Recovering Accidentally Deleted Files
EXT* Filesystems
Use extundelete to recover deleted files on ext2/3/4 partitions.
Install required packages (e.g., e2fsprogs-libs, e2fsprogs-devel).
Download and compile extundelete-0.2.4.tar.bz2.
Unmount the affected partition: umount /dev/sdb1.
Recover a specific inode: extundelete /dev/sdb1 --inode 2.
Recover all recoverable files: extundelete /dev/sdb1 --restore-all.
Note: When all inodes of an EXT filesystem are exhausted, new files cannot be created.
XFS Filesystems
Use xfsdump to create backups and xfsrestore to restore them.
xfsdump -f /backup/location /dev/sdx1
Common options:
-L – session label
-M – media label
-s – back up a single file (requires separate path argument)
xfsrestore -f /restore/location /dev/sdx1
Limitations: the filesystem must be mounted, root privileges are required, and the backup can only be read by xfsrestore.
XFS retains some redundancy, so inode exhaustion does not prevent new file creation.
Log File Analysis
Log categories
Kernel & system logs – managed by rsyslog, configuration in /etc/rsyslog.conf.
User logs – record login/logout activity.
Application logs – generated by individual programs; format varies.
Common log files
/var/log/messages – general system and kernel messages.
/var/log/cron – cron job events.
/var/log/dmesg – kernel boot messages.
/var/log/maillog – mail activity.
/var/log/secure – authentication and security events.
/var/log/lastlog – last login per user.
/var/log/wtmp – login, logout, and system start/stop.
/var/run/btmp – failed login attempts.
rsyslog severity levels
0 EMERG – system unusable.
1 ALERT – immediate action required.
2 CRIT – critical conditions (e.g., disk errors).
3 ERR – error conditions.
4 WARNING – potentially harmful situations.
5 NOTICE – normal but significant events.
6 INFO – informational messages.
7 DEBUG – debug‑level detail.
Analysis tools and commands
users, who, w – show currently logged‑in users.
last – display successful login history.
lastb – display failed login attempts.
journalctl – query the systemd journal.
journalctl -r – reverse order (newest first).
journalctl -u service_name – logs for a specific service.
journalctl -k – kernel messages only.
journalctl -b -0 – logs from the current boot.
Text processing tools such as grep, awk, sed for filtering.
Specialised analysers (e.g., Webalizer, Awstats) for web logs.
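One way to apply awk filtering to /var/log/secure, as an added example that is not part of the original article: it counts failed SSH password logins per source address and flags sources that later logged in successfully. The log lines are constructed, the function names are hypothetical, and the parser assumes the traditional syslog prefix and sshd password-authentication lines ending in "from <address> port <n> ssh2".

```shell
#!/bin/sh
# Constructed sample in the sshd line format seen in /var/log/secure (not real data).
sample_secure_log() {
cat <<'EOF'
Jan 12 03:14:07 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 12 03:14:09 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jan 12 03:14:12 web01 sshd[2213]: Failed password for invalid user test user from 203.0.113.5 port 51240 ssh2
Jan 12 03:14:30 web01 sshd[2215]: Accepted password for root from 203.0.113.5 port 51250 ssh2
Jan 12 03:20:00 web01 sshd[2301]: Failed password for alice from 192.0.2.44 port 40110 ssh2
Jan 12 03:20:05 web01 sshd[2301]: Accepted password for alice from 192.0.2.44 port 40112 ssh2
Jan 12 03:21:00 web01 CROND[2310]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# Reads log lines on stdin. For every source with at least $1 failures
# (default 3) prints "<failures> <address> <flag>", highest count first.
# The user name is client-supplied text and may contain spaces, so the
# address is taken by position from the end of the line, not the start.
failed_by_source() {
    awk -v min="${1:-3}" '
        $5 ~ /^sshd\[[0-9]+\]:$/ && $(NF-4) == "from" && $(NF-2) == "port" {
            ip = $(NF-3)
            if ($6 == "Failed") fails[ip]++
            # A success after repeated failures deserves a closer look.
            if ($6 == "Accepted" && fails[ip] >= min) hit[ip] = 1
        }
        END {
            for (ip in fails)
                if (fails[ip] >= min)
                    printf "%d %s %s\n", fails[ip], ip,
                        ((ip in hit) ? "LOGIN-AFTER-FAILURES" : "-")
        }' | sort -k1,1nr -k2,2
}

sample_secure_log | failed_by_source 3
```

On a live system the same function can be fed with `failed_by_source 5 < /var/log/secure`, run as a user allowed to read that file.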
Centralised log management options
rsyslog forwarding to a remote log server.
Custom shell or Python scripts for aggregation.
ELK stack – Elasticsearch + Logstash + Kibana.
Loki + Promtail + Grafana.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
