Date: Sat, 4 Mar 2006 11:42:49 -0600 From: "Kelly D. Grills" <kdgrills@the-grills.com> To: freebsd-questions@freebsd.org Subject: Re: How to figure out who shutdown box Message-ID: <20060304174236.GA752@the-grills.com> In-Reply-To: <Pine.BSO.4.58.0603041011130.14807@naughty.monkey.org> References: <Pine.BSO.4.58.0603041011130.14807@naughty.monkey.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--u3/rZRmxL6MmkK24 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, Mar 04, 2006 at 10:24:17AM -0500, Jon Poland wrote: >=20 > Hi, > I operate a colo box running FreeBSD 6.0-SECURITY. Yesterday the box > shutdown and powered off. I didn't execute shutdown or halt, and I'm the > only user who can. Here's what the logs tell me: >=20 > /var/log/console.log: > Mar 3 11:24:29 kmart kernel: Shutting down daemon processes: >=20 > /var/log/messages: > Mar 3 11:24:38 kmart syslogd: exiting on signal 15 >=20 > last: (the important lines) > reboot ~ Fri Mar 3 13:10 > shutdown ~ Fri Mar 3 11:24 >=20 > I don't see anything in any of the logs like "rebooted by X", etc. >=20 > I'm not exactly sure how this can happen and looking for ideas. >=20 Where are you logging security messages? I believe the default is to /var/log/security Have a look at /etc/syslog.conf and syslog.conf(5) You should see messages such as this in your security log: Mar 1 15:21:38 srv1 shutdown: reboot by kdgrills: --=20 Kelly D. Grills kdgrills@the-grills.com --u3/rZRmxL6MmkK24 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) Comment: PGP key: mailto:kdgrills-pgpkey@the-grills.com iD8DBQFECdGL7inS5LzF7HMRAp+zAJ9rY7hERk+0hMq0DzMWF7l80aBVYQCbBgyu aahgD3gJnINDqeJLphsg4Vg= =SA4k -----END PGP SIGNATURE----- --u3/rZRmxL6MmkK24--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060304174236.GA752>