From owner-freebsd-questions@FreeBSD.ORG Tue Mar 7 11:29:07 2006 Return-Path: X-Original-To: freebsd-questions@freebsd.org Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4008516A420 for ; Tue, 7 Mar 2006 11:29:07 +0000 (GMT) (envelope-from ceri@submonkey.net) Received: from shrike.submonkey.net (cpc2-cdif2-0-0-cust107.cdif.cable.ntl.com [81.104.168.108]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3A45543D5F for ; Tue, 7 Mar 2006 11:29:02 +0000 (GMT) (envelope-from ceri@submonkey.net) Received: from ceri by shrike.submonkey.net with local (Exim 4.60 (FreeBSD)) (envelope-from ) id 1FGaNB-000GBX-46; Tue, 07 Mar 2006 11:29:01 +0000 Date: Tue, 7 Mar 2006 11:29:01 +0000 From: Ceri Davies To: Jon Poland Message-ID: <20060307112900.GJ85550@submonkey.net> Mail-Followup-To: Ceri Davies , Jon Poland , freebsd-questions@freebsd.org References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="6cMF9JLEeZkfJjkP" Content-Disposition: inline In-Reply-To: X-PGP: finger ceri@FreeBSD.org User-Agent: Mutt/1.5.11 Sender: Ceri Davies Cc: freebsd-questions@freebsd.org Subject: Re: How to figure out who shutdown box (Kelly D. Grills) X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 Mar 2006 11:29:07 -0000 --6cMF9JLEeZkfJjkP Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, Mar 05, 2006 at 10:22:08PM -0500, Jon Poland wrote: > On Sat, Mar 04, 2006 at 10:24:17AM -0500, Jon Poland wrote: > >> > >> Hi, > >> I operate a colo box running FreeBSD 6.0-SECURITY. Yesterday the box > >> shutdown and powered off. I didn't execute shutdown or halt, and I'm > >the > >> only user who can. Here's what the logs tell me: > >> > >> /var/log/console.log: > >> Mar 3 11:24:29 kmart kernel: Shutting down daemon processes: > >> > >> /var/log/messages: > >> Mar 3 11:24:38 kmart syslogd: exiting on signal 15 > >> > >> last: (the important lines) > >> reboot ~ Fri Mar 3 13:10 > >> shutdown ~ Fri Mar 3 11:24 > >> > >> I don't see anything in any of the logs like "rebooted by X", etc. > >> > >> I'm not exactly sure how this can happen and looking for ideas. > >> > > > > Where are you logging security messages? I believe the default is to > > /var/log/security > > > > Have a look at /etc/syslog.conf and syslog.conf(5) > > > > You should see messages such as this in your security log: > > Mar 1 15:21:38 srv1 shutdown: reboot by kdgrills: >=20 > For me, those show up in /var/log/messages: > Jan 17 22:54:23 kmart reboot: rebooted by polandj >=20 > But nothing for the particular shutdown in question... It's possible that someone hit the power button. Ceri --=20 That must be wonderful! I don't understand it at all. -- Moliere --6cMF9JLEeZkfJjkP Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.1 (FreeBSD) iD8DBQFEDW58ocfcwTS3JF8RArCEAJ9P1HrLQ1XxBQPsJ3Fvvr5Wek36oQCfQNGV qRhuCOb8CVgEfvjALRgb2z0= =Hp63 -----END PGP SIGNATURE----- --6cMF9JLEeZkfJjkP--