Date: Mon, 6 Mar 2006 12:17:31 +0800
From: Daniel
To: "Jon Poland"
Cc: freebsd-questions@freebsd.org
Subject: Re: How to figure out who shutdown box (Kelly D. Grills)

On 3/6/06, Jon Poland wrote:
> For me, those show up in /var/log/messages:
> Jan 17 22:54:23 kmart reboot: rebooted by polandj
>
> But nothing for the particular shutdown in question...
>
> - JP
>
> On Sat, Mar 04, 2006 at 10:24:17AM -0500, Jon Poland wrote:
> >>
> >> Hi,
> >> I operate a colo box running FreeBSD 6.0-SECURITY. Yesterday the box
> >> shutdown and powered off. I didn't execute shutdown or halt, and I'm the
> >> only user who can. Here's what the logs tell me:
> >>
> >> /var/log/console.log:
> >> Mar 3 11:24:29 kmart kernel: Shutting down daemon processes:
> >>
> >> /var/log/messages:
> >> Mar 3 11:24:38 kmart syslogd: exiting on signal 15
> >>
> >> last: (the important lines)
> >> reboot ~ Fri Mar 3 13:10
> >> shutdown ~ Fri Mar 3 11:24
> >>
> >> I don't see anything in any of the logs like "rebooted by X", etc.
> >>
> >> I'm not exactly sure how this can happen and looking for ideas.
> >>
> >
> > Where are you logging security messages? I believe the default is to
> > /var/log/security
> >
> > Have a look at /etc/syslog.conf and syslog.conf(5)
> >
> > You should see messages such as this in your security log:
> > Mar 1 15:21:38 srv1 shutdown: reboot by kdgrills:
>

Other than checking the logfiles, checking for crash dumps, reading
the dmesg and seeing if the disks were unmounted cleanly, if they
weren't then it indicates the system may have crashed. If they were
clean unmounts then some kind of process interaction may have caused
the shutdown.

Try turning on process accounting:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/security-accounting.html

It effectively logs all commands issued, and from this you could
effectively figure out what is going on at certain times with more
clarity and less guess work.

Jal.
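
Added example, not part of the message above or of FreeBSD itself: a small log check that pairs each `syslogd: exiting on signal 15` line with a preceding `... by <user>` message from shutdown/reboot and flags the exits nobody claimed, which is the situation described in this thread. The function names, the two-minute window, the year default and the sample log are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the "by <user>" and "signal 15" lines follow the formats
# quoted in the thread; the pairing and the two extra syslogd lines are made up.
SAMPLE = """\
Jan 17 22:54:23 kmart reboot: rebooted by polandj
Jan 17 22:54:25 kmart syslogd: exiting on signal 15
Mar  1 15:21:38 srv1 shutdown: reboot by kdgrills:
Mar  1 15:21:40 srv1 syslogd: exiting on signal 15
Mar  3 11:24:38 kmart syslogd: exiting on signal 15
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([\w.-]+)(?:\[\d+\])?: (.*)$")
# "rebooted by" / "reboot by" are on the page; halt and power-down are assumed.
WHO = re.compile(r"\b(?:reboot(?:ed)?|halt(?:ed)?|power-down) by (\w+)")
INITIATORS = {"shutdown", "reboot", "halt"}


def parse(text, year=2006):
    """Yield (time, host, program, message); syslog omits the year, so pass it."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts, host, prog, msg = m.groups()
            yield datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"), host, prog, msg


def attribute_shutdowns(text, window=timedelta(minutes=2)):
    """Return (time, host, user) per syslogd exit; user is None if nobody logged it."""
    events = list(parse(text))
    results = []
    for when, host, prog, msg in events:
        if prog != "syslogd" or "exiting on signal 15" not in msg:
            continue
        user = None
        for when2, host2, prog2, msg2 in events:
            recent = timedelta(0) <= when - when2 <= window
            hit = WHO.search(msg2) if prog2 in INITIATORS else None
            if host2 == host and recent and hit:
                user = hit.group(1)
        results.append((when, host, user))
    return results


if __name__ == "__main__":
    for when, host, user in attribute_shutdowns(SAMPLE):
        print(when, host, user or "UNATTRIBUTED: check dmesg, crash dumps, lastcomm")
```

A syslogd exit on signal 15 also appears when only the daemon is restarted, so confirm with `last` that a shutdown record exists at the flagged time.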