how to check if shutdown/halt has been executed

ESGLinux esggrupos at gmail.com
Fri Nov 5 09:05:53 UTC 2010 

Hi All,

I have arrived today at work and I have found a RHEL 5 server poweroff.

I want to know what has happened. So, I first want to know if someone has
executed shutdown/halt/poweroff or any other command that can power off the
machine,

I have checked the messages file but I cant see nothing:

Nov  4 12:24:34 www smartd[2097]: In the system's table of devices NO
devices found to scan
Nov  4 12:24:34 www smartd[2097]: Monitoring 0 ATA and 0 SCSI devices
Nov  4 12:24:34 www smartd[2099]: smartd has fork()ed into background mode.
New PID=2099.
Nov  5 09:20:01 www syslogd 1.4.1: restart.
Nov  5 09:20:02 www kernel: klogd 1.4.1, log source = /proc/kmsg started.

at 09:20 I restart the machine.

With the sar command I see this:

06:40:02 AM       all      0.10      0.00      0.08      0.48      0.01
99.33
06:50:01 AM       all      0.11      0.00      0.07      0.36      0.01
99.45
07:00:01 AM       all      0.13      0.00      0.07      0.80      0.01
98.98
Average:          all      0.12      0.00      0.07      0.80      0.01
98.99

09:19:48 AM       LINUX RESTART

09:30:01 AM       CPU     %user     %nice   %system   %iowait    %steal
%idle
09:40:01 AM       all      0.60      0.00      0.11      5.57      0.01
93.71

So between 07:00 and 07:10 the system  goes down, but WHY???

with the ausearch command I get this:

----
time->Fri Nov  5 07:01:01 2010
type=CRED_ACQ msg=audit(1288936861.670:3707): user pid=9601 uid=0
auid=4294967295 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond"
(hostname=?, addr=?, terminal=cron res=success)'
----
time->Fri Nov  5 07:01:01 2010
type=LOGIN msg=audit(1288936861.670:3708): login pid=9601 uid=0 old
auid=4294967295 new auid=0
----
time->Fri Nov  5 07:01:01 2010
type=USER_START msg=audit(1288936861.720:3709): user pid=9601 uid=0 auid=0
msg='PAM: session open acct="root" : exe="/usr/sbin/crond" (hostname=?,
addr=?, terminal=cron res=success)'
----
time->Fri Nov  5 07:01:01 2010
type=CRED_DISP msg=audit(1288936861.730:3710): user pid=9601 uid=0 auid=0
msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?,
terminal=cron res=success)'
----
time->Fri Nov  5 07:01:01 2010
type=USER_END msg=audit(1288936861.730:3711): user pid=9601 uid=0 auid=0
msg='PAM: session close acct="root" : exe="/usr/sbin/crond" (hostname=?,
addr=?, terminal=cron res=success)'
----
time->Fri Nov  5 09:20:00 2010
type=DAEMON_START msg=audit(1288945200.613:9651): auditd start, ver=1.7.17
format=raw kernel=2.6.18.8-xen auid=4294967295 pid=1440 res=success
----

If the systems goes down because of power failure or something strange, is
there any way to check it?

Thanks in advance

ESG

More information about the redhat-list mailing list