
/etc/shutdownlog

 
Siddhesh
Advisor

/etc/shutdownlog

Hi Gurus,

/etc/shutdownlog shows a reboot entry by the user who had logged in and logged out of the server almost 2 months back. We could not find any record for him with the last command on the reboot day. We know that the reboot was done by the other user.

Please help.

Thanks.
morganelan
Trusted Contributor

Re: /etc/shutdownlog

Hi Siddhesh,
Please check the following files before judging who rebooted your server:
1. /var/adm/crash
2. /etc/shutdownlog
3. /var/tombstones/ts99
4. /var/opt/resmon/log/event.log
If there is no indication from the above files, then it is probably because a power failure occurred for a short time.

Kamal Mirdad
Siddhesh
Advisor

Re: /etc/shutdownlog

Hi,

I checked all the files and there is nothing special observed. We know that our colleague rebooted the server. His name could be found with the last command. But /etc/shutdownlog refers to another user name who logged in/out 2 months back. How is it possible to reboot the server without logging in?
morganelan
Trusted Contributor

Re: /etc/shutdownlog

Hi Siddhesh,
Please check .sh_history for commands that were run by the user.

# vi .sh_history then Esc-Shift-G to go to the end of line
Kamal Mirdad
Warren_9
Honored Contributor

Re: /etc/shutdownlog

Is "su" allowed on your system? I think you also need to have a look at the old syslog.

Sreedhar Nathani
Valued Contributor

Re: /etc/shutdownlog

Check whether both the users have the same UID.

Otherwise check /var/adm/sulog and /var/adm/syslog/OLDsyslog.log for any su activity prior to the shutdown.
Siddhesh
Advisor

Re: /etc/shutdownlog

Hi All,

I have checked .sh_history, /var/adm/syslog/OLDsyslog.log, /var/adm/sulog, /var/adm/OLDsulog...
Nowhere can I find that user's entry for the reboot day. I am sure that other user did shutdown the system as his name can be found in all other files other than /etc/shutdownlog. It was a scheduled reboot done by my teammate. I doubt this may be a bug with the OS.

Thanks.
Sreedhar Nathani
Valued Contributor

Re: /etc/shutdownlog

>>>I am sure that other user did shutdown the system as his name can be found in all other files other than /etc/shutdownlog.

Which are all the other files you are seeing? Are they your application logs or OS logs?

I have seen a couple of times where /etc/*tmp database/files got corrupted, which is caused by a telnetd daemon.
See the documentation for these patches for more information:
11.00 -- PHNE_24762
11.11 -- PHNE_24829

Hope this helps
saju_2
Respected Contributor

Re: /etc/shutdownlog

Hi Siddhesh

Have you done any Ignite restore to this server after the recent shutdown? If the Ignite copy is older than your previous shutdown date then there will be no info in any of the root disk files.

Regards
CS
Siddhesh
Advisor

Re: /etc/shutdownlog

>>>I have seen a couple of times where /etc/*tmp database/files got corrupted, which is caused by a telnetd daemon.
>>>See the documentation for these patches for more information:
>>>11.00 -- PHNE_24762
>>>11.11 -- PHNE_24829

Hi,

Ignite recovery is not done on this server. I checked syslog, sulog and wtmp with last command and also shutdown broadcast message. I doubt corrupt /etc/*tmp as wtmp is showing correct info and /etc/shutdownlog is showing wrong entry. I am wondering what other thing can write a wrong entry into /etc/shutdownlog?

Thanks.
Sreedhar Nathani
Valued Contributor
Solution

Re: /etc/shutdownlog

Hi Siddhesh,

I did a tusc on the shutdown process.

shutdown -ry gets the userid from the getuid() system call and it's the "Real-user-ID of the calling process".

It will update /etc/shutdownlog after this message: "System shutdown time has arrived"

In case you are sure of the following, I don't see any other issues why shutdownlog will write a different username than the actual user.

a. The user whose name is there in shutdownlog was the real user, but the shutdown command was run by the other user using the su command

b. There is no corruption in /etc/utmp and /var/adm/wtmp

c. Both users do not have the same UID

In case all the above is not helpful to you, can you duplicate the problem once again?
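
The duplicate-UID check suggested in this thread, as an added example that is not part of the original posts: it lists accounts sharing a UID in a passwd-format file and shows which name a uid-to-name lookup would produce. The sample entries are constructed, the function names are hypothetical, and it assumes the lookup returns the first matching entry in file order.

```shell
#!/bin/sh
# Added example: find accounts sharing a UID in a passwd-format file.
# A program that records getuid() and then maps it to a name can only log
# one of those accounts (assumed here: the first entry in file order).

# Constructed sample data, not taken from the thread.
sample_passwd() {
cat <<'EOF'
root:*:0:3::/:/sbin/sh
olduser:*:105:20:left two months ago:/home/olduser:/usr/bin/sh
alice:*:106:20::/home/alice:/usr/bin/sh
teammate:*:105:20::/home/teammate:/usr/bin/sh
EOF
}

# dup_uids FILE -> one line per shared UID: "uid name1,name2,..."
dup_uids() {
  awk -F: '
    /^[#+-]/ || NF < 3 { next }   # skip comments, NIS markers, short lines
    ($3 in names) { names[$3] = names[$3] "," $1; dup[$3] = 1; next }
    { names[$3] = $1; order[++n] = $3 }
    END { for (i = 1; i <= n; i++)
            if (order[i] in dup) print order[i], names[order[i]] }
  ' "${1:-/etc/passwd}"
}

# name_for_uid FILE UID -> first account name carrying that UID
name_for_uid() {
  awk -F: -v uid="$2" '$3 == uid { print $1; exit }' "$1"
}

# Demo on the constructed sample.
f="${TMPDIR:-/tmp}/passwd.sample.$$"
sample_passwd > "$f"
dup_uids "$f"
name_for_uid "$f" 105
rm -f "$f"
```

Calling dup_uids with no argument reads /etc/passwd; any line it prints means a log entry carrying that UID's name cannot be tied to a single account.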



Siddhesh
Advisor

Re: /etc/shutdownlog

Hi,

Another point to add is that the username displayed in /etc/shutdownlog had logged in/out of the system almost 2 months back.

The user issued the shutdown command from a telnet session by doing su - and monitored it on the GSP console. Nowhere does the wrong entry's username relate to the shutdown process.

We cannot duplicate the problem as the system is in a Production environment.

We want to make sure if there is any bug in the OS.


Thanks.
Sreedhar Nathani
Valued Contributor

Re: /etc/shutdownlog

>>>The user issued shutdown command from telnet session by doing su - and monitored it on GSP console. No where wrong entry username relates to shutdown process.

What username is showing in shutdownlog?

What is the username of the user who actually performed the shutdown (which you would like to see in shutdownlog)?

From which user did he do su to shut down the server?

Do you have duplicate UIDs in your /etc/passwd?

I don't think there are any issues with the OS. I never heard of this issue before.