how to check if shutdown/halt has been executed
ESGLinux
esggrupos at gmail.com
Fri Nov 5 09:05:53 UTC 2010
Hi All,
I arrived at work today and found a RHEL 5 server powered off.
I want to know what has happened. So, I first want to know if someone has
executed shutdown/halt/poweroff or any other command that can power off the
machine.
I have checked the messages file but I can't see anything:
Nov 4 12:24:34 www smartd[2097]: In the system's table of devices NO devices found to scan
Nov 4 12:24:34 www smartd[2097]: Monitoring 0 ATA and 0 SCSI devices
Nov 4 12:24:34 www smartd[2099]: smartd has fork()ed into background mode. New PID=2099.
Nov 5 09:20:01 www syslogd 1.4.1: restart.
Nov 5 09:20:02 www kernel: klogd 1.4.1, log source = /proc/kmsg started.
At 09:20 I restarted the machine.
With the sar command I see this:
06:40:02 AM  all   0.10   0.00    0.08     0.48    0.01   99.33
06:50:01 AM  all   0.11   0.00    0.07     0.36    0.01   99.45
07:00:01 AM  all   0.13   0.00    0.07     0.80    0.01   98.98
Average:     all   0.12   0.00    0.07     0.80    0.01   98.99
09:19:48 AM  LINUX RESTART
09:30:01 AM  CPU  %user  %nice  %system  %iowait  %steal  %idle
09:40:01 AM  all   0.60   0.00    0.11     5.57    0.01   93.71
So between 07:00 and 07:10 the system goes down, but WHY???
With the ausearch command I get this:
----
time->Fri Nov 5 07:01:01 2010
type=CRED_ACQ msg=audit(1288936861.670:3707): user pid=9601 uid=0 auid=4294967295 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
----
time->Fri Nov 5 07:01:01 2010
type=LOGIN msg=audit(1288936861.670:3708): login pid=9601 uid=0 old auid=4294967295 new auid=0
----
time->Fri Nov 5 07:01:01 2010
type=USER_START msg=audit(1288936861.720:3709): user pid=9601 uid=0 auid=0 msg='PAM: session open acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
----
time->Fri Nov 5 07:01:01 2010
type=CRED_DISP msg=audit(1288936861.730:3710): user pid=9601 uid=0 auid=0 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
----
time->Fri Nov 5 07:01:01 2010
type=USER_END msg=audit(1288936861.730:3711): user pid=9601 uid=0 auid=0 msg='PAM: session close acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
----
time->Fri Nov 5 09:20:00 2010
type=DAEMON_START msg=audit(1288945200.613:9651): auditd start, ver=1.7.17 format=raw kernel=2.6.18.8-xen auid=4294967295 pid=1440 res=success
----
If the system goes down because of a power failure or something strange, is
there any way to check it?
Thanks in advance
ESG
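
One way to check the ausearch output above for an orderly stop, as an added example that is not part of the original post: auditd writes a DAEMON_END record when it is stopped normally, so a DAEMON_START with no DAEMON_END before it is consistent with a power loss or crash rather than a shutdown/halt command. The function name is hypothetical, and the last two records in the sample are constructed to show the clean case.

```python
import re
from datetime import datetime, timezone

# Header of each audit record: type=NAME msg=audit(EPOCH.MS:SERIAL)
RECORD = re.compile(r"type=(\w+)\s+msg=audit\((\d+\.\d+):(\d+)\)")

def classify_restarts(audit_text):
    """For every DAEMON_START, report whether auditd logged DAEMON_END
    (orderly stop) since the previous start, and how long the log was silent."""
    results = []
    saw_end = False   # DAEMON_END seen since the previous DAEMON_START
    last_ts = None    # timestamp of the record just before the current one
    for rtype, ts, _serial in RECORD.findall(audit_text):
        ts = float(ts)
        if rtype == "DAEMON_START":
            if last_ts is not None:  # nothing to compare at the top of the log
                start = datetime.fromtimestamp(ts, timezone.utc)
                results.append({
                    "start_utc": start.isoformat(timespec="seconds"),
                    "clean_stop": saw_end,
                    "silent_seconds": round(ts - last_ts),
                })
            saw_end = False
        elif rtype == "DAEMON_END":
            saw_end = True
        last_ts = ts
    return results

# First two records are taken from the post (message bodies shortened);
# the DAEMON_END / DAEMON_START pair at the end is constructed.
SAMPLE = """\
type=USER_END msg=audit(1288936861.730:3711): user pid=9601 uid=0 auid=0
----
type=DAEMON_START msg=audit(1288945200.613:9651): auditd start, ver=1.7.17
----
type=DAEMON_END msg=audit(1288950000.100:9700): auditd normal halt res=success
----
type=DAEMON_START msg=audit(1288950060.200:9800): auditd start, ver=1.7.17
"""

if __name__ == "__main__":
    for r in classify_restarts(SAMPLE):
        verdict = "orderly stop" if r["clean_stop"] else "no DAEMON_END (unclean?)"
        print(f'{r["start_utc"]}  silent {r["silent_seconds"]}s  {verdict}')
```

A missing DAEMON_END is an indicator, not proof: records still in memory when the machine lost power never reach the log. The wtmp view (`last -x`) is worth checking alongside it.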