From owner-freebsd-questions@FreeBSD.ORG Mon Mar 6 03:22:10 2006 Return-Path: X-Original-To: freebsd-questions@freebsd.org Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 42C4416A422 for ; Mon, 6 Mar 2006 03:22:10 +0000 (GMT) (envelope-from polandj@monkey.org) Received: from naughty.monkey.org (naughty.monkey.org [65.23.81.140]) by mx1.FreeBSD.org (Postfix) with ESMTP id 00CE843D46 for ; Mon, 6 Mar 2006 03:22:09 +0000 (GMT) (envelope-from polandj@monkey.org) Received: by naughty.monkey.org (Postfix, from userid 6) id B84EF536E45; Sun, 5 Mar 2006 22:22:08 -0500 (EST) Received: from localhost (localhost [127.0.0.1]) by naughty.monkey.org (Postfix) with ESMTP id B1A33536E40 for ; Sun, 5 Mar 2006 22:22:08 -0500 (EST) Date: Sun, 5 Mar 2006 22:22:08 -0500 (EST) From: Jon Poland To: freebsd-questions@freebsd.org Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Subject: Re: How to figure out who shutdown box (Kelly D. Grills) X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Mar 2006 03:22:10 -0000 For me, those show up in /var/log/messages: Jan 17 22:54:23 kmart reboot: rebooted by polandj But nothing for the particular shutdown in question... - JP On Sat, Mar 04, 2006 at 10:24:17AM -0500, Jon Poland wrote: >> >> Hi, >> I operate a colo box running FreeBSD 6.0-SECURITY. Yesterday the box >> shutdown and powered off. I didn't execute shutdown or halt, and I'm >the >> only user who can. Here's what the logs tell me: >> >> /var/log/console.log: >> Mar 3 11:24:29 kmart kernel: Shutting down daemon processes: >> >> /var/log/messages: >> Mar 3 11:24:38 kmart syslogd: exiting on signal 15 >> >> last: (the important lines) >> reboot ~ Fri Mar 3 13:10 >> shutdown ~ Fri Mar 3 11:24 >> >> I don't see anything in any of the logs like "rebooted by X", etc. >> >> I'm not exactly sure how this can happen and looking for ideas. >> > > Where are you logging security messages? I believe the default is to > /var/log/security > > Have a look at /etc/syslog.conf and syslog.conf(5) > > You should see messages such as this in your security log: > Mar 1 15:21:38 srv1 shutdown: reboot by kdgrills: