From owner-freebsd-questions Sat Apr 18 04:52:40 1998
Date: Sat, 18 Apr 1998 04:53:35 -0700 (PDT)
Message-Id: <199804181153.EAA19522@foo.primenet.com>
To: geoffr@globalserve.net
Subject: Re: Reading Cycled Logs
Newsgroups: localhost.freebsd.questions
References: <35381CAB.243600D8@globalserve.net>
From: "Bryan K. Ogawa"
Cc: questions@FreeBSD.ORG
Sender: owner-freebsd-questions@FreeBSD.ORG

In localhost.freebsd.questions you write:

>Hi,
>I admin a co-hosted server and every few weeks I log in to find it has
>rebooted. I don't know if it's a technical problem, a power failure or
>somebody with root privileges from my ISP doing work on it. My problem
>is that the last two times it's happened the /var/log/messages file had
>been cycled before I got to it so I can't find out if it was done by a
>user or not. My question is how do I extract the compressed back logs
>and how do I determine which log file to decompress? When the messages
>log is cycled is it numbered 1 and all the other archived logs moved up
>in number so that the last one is deleted or does it archive them in a
>loop. (i.e. archives it as messages.1.gz, then messages.2.gz the next
>time until it reaches the last number and goes back to messages.1.gz).
>Thanks in advance for any help.

By default, the messages file is rotated every Saturday at 3:30 AM.
Look at the uptime of your machine (run the uptime command to find it),
then determine the time the machine rebooted.

Let's say the file that matches the last time the machine was rebooted
is /var/log/messages.0.gz

Try the following:

    gzcat /var/log/messages.0.gz | more

to view the file in more.

Note that my messages are not compressed, just moved, e.g.
/var/log/messages.0

--
bryan k ogawa http://www.primenet.com/~bkogawa/
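
Added example, not part of the original message: rather than guessing which rotated file covers the reboot, this sketch searches the live log and every rotated copy (compressed or not) for reboot-related lines and prefixes each hit with the file it came from. The marker strings in PATTERN and the function names are assumptions, not taken from the thread; adjust them to what your syslog actually records.

```shell
#!/bin/sh
# Search current and rotated syslog files for reboot-related lines.
#
# Assumption (not from the original message): reboot(8)/halt(8) log
# "rebooted by <user>" / "halted by <user>", shutdown(8) logs
# "reboot by <user>" / "halt by <user>", and a kernel boot banner
# starts with "kernel: Copyright". A boot banner with no such line
# before it suggests a crash or power loss rather than a user action.
PATTERN='rebooted by |halted by |reboot by |halt by |kernel: Copyright'

# Print one log file to stdout whether or not it is gzip-compressed.
# "gzip -dc" does the same job as the gzcat command used in the reply.
cat_log() {
    case "$1" in
        *.gz) gzip -dc -- "$1" ;;
        *)    cat -- "$1" ;;
    esac
}

# find_reboots DIR [BASENAME]
# Prints "file: line" for every matching line in DIR/BASENAME and in
# DIR/BASENAME.N or DIR/BASENAME.N.gz, in shell glob order.
find_reboots() {
    dir=$1
    base=${2:-messages}
    for f in "$dir/$base" "$dir/$base".[0-9]*; do
        # Skip an unmatched glob or a missing live log.
        [ -f "$f" ] || continue
        cat_log "$f" | grep -E "$PATTERN" | awk -v f="$f" '{ print f ": " $0 }'
    done
}

# Typical use on the server itself:
#   find_reboots /var/log
```

Compare the timestamps of the hits with the boot time derived from uptime to pick out the reboot in question.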