HPE Community
Operating System - HP-UX
1833772 Members
2372 Online
110063 Solutions
New Discussion

Identify who rebooted the server

 
SOLVED
Go to solution
Karl_
Frequent Advisor

‎04-09-2006 04:37 PM

‎04-09-2006 04:37 PM

Identify who rebooted the server

Hi all,

How can I identify who restarted our server? It suddenly rebooted yesterday. I used the following commands to check:

last - shows that the server was rebooted yesterday. (but)

lastb - shows that no one logged in to the server yesterday.

who -a - shows the time and date of reboot.

OLDsyslog only shows logs until 7Apr and Syslog only shows logs after the reboot.


LAST:
================================
root pts/tb Mon Apr 10 14:21 still logged in
root pts/tb Mon Apr 10 14:17 - 14:21 (00:04)
root pts/tb Mon Apr 10 08:46 - 11:23 (02:36)
root pts/tc Mon Apr 10 08:23 - 08:39 (00:15)
root pts/tb Mon Apr 10 08:12 - 08:44 (00:31)
root pts/ta Mon Apr 10 08:09 - 08:23 (00:13)
tseadm pts/ta Mon Apr 10 07:57 - 07:59 (00:01)
dveadm pts/ta Mon Apr 10 07:56 - 07:56 (00:00)
reboot system boot Sun Apr 9 18:23 still logged in
autoftp ftp Fri Apr 7 10:24 - 10:24 (00:00)


LASTB:
================================
root pts/tb Mon Apr 10 14:21 still logged in
root pts/tb Mon Apr 10 14:17 - 14:21 (00:04)
root pts/tb Mon Apr 10 08:46 - 11:23 (02:36)
root pts/tc Mon Apr 10 08:23 - 08:39 (00:15)
root pts/tb Mon Apr 10 08:12 - 08:44 (00:31)
root pts/ta Mon Apr 10 08:09 - 08:23 (00:13)
tseadm pts/ta Mon Apr 10 07:57 - 07:59 (00:01)
dveadm pts/ta Mon Apr 10 07:56 - 07:56 (00:00)
reboot system boot Sun Apr 9 18:23 still logged in
autoftp ftp Fri Apr 7 10:24 - 10:24 (00:00)
root pts/tc Thu Apr 6 15:33 - 17:56 (02:23)


Syslog & OLD Syslog:
===========================================
Apr 6 00:11:51 tyco su: + ta root-dveadm
Apr 6 00:13:52 tyco su: + ta root-tseadm
Apr 6 00:15:16 tyco su: + ta root-sbxadm
Apr 7 10:24:53 tyco ftpd[27448]: FTP LOGIN FROM 170.9.34.115 [170.9.34.115], autoftp
Apr 7 10:24:55 tyco ftpd[27448]: FTP session closed
# ll
total 1952
-rw-r--r-- 1 root root 19700 Apr 7 10:24 OLDsyslog.log
-r--r--r-- 1 root root 936126 Apr 10 13:34 mail.log
-rw-r--r-- 1 root root 16562 Apr 10 08:43 syslog.log
# pg syslog.log
Apr 9 18:26:29 tyco syslogd: restart
Apr 9 18:26:29 tyco vmunix: tgt
Apr 9 18:26:29 tyco vmunix: 0/8/0/0.1.9.0.0.15.0 sctl
Apr 9 18:26:29 tyco vmunix: 0/8/0/0.1.9.255.0 fcpdev
Apr 9 18:26:29 tyco vmunix: 0/8/0/0.1.9.255.0.0 tgt
Apr 9 18:26:29 tyco vmunix: 0/8/0/0.1.9.255.0.0.0 sctl

Any information is highly appreciated.

Thanks,

Karl
0 Kudos
5 REPLIES 5
Rajeev Shukla
Honored Contributor

‎04-09-2006 04:57 PM

‎04-09-2006 04:57 PM

Solution

Re: Identify who rebooted the server

Hi Karl,

What does /etc/shutdownlog say.
Have a look at the last line in /etc/shutdownlog file.

Cheers
Rajeev
0 Kudos
Karl_
Frequent Advisor

‎04-09-2006 05:08 PM

‎04-09-2006 05:08 PM

Re: Identify who rebooted the server

Hi,

Thanks for your reply. There was a panic logged yesterday. How can I check the detail of the panic?


==================================
01:36 Fri Mar 31, 2006. Reboot: (by dev!root)
21:59 Fri Mar 31, 2006. Reboot: (by dev!root)
22:28 Wed Apr 5, 2006. Halt: (by dev!root)
18:26 Sun Apr 09 2006. Reboot after panic: , isr.ior = 0'10340007.0'5cd72968

Thanks,

Karl
0 Kudos
Rajeev Shukla
Honored Contributor

‎04-09-2006 05:19 PM

‎04-09-2006 05:19 PM

Re: Identify who rebooted the server

If it was PANIC then nobody would have intentionally rebooted the system. System went into PANIC mode because of some serious reasons. If the crashconf is configured for crash dump, you should look at any crash dumps on the system, probably at /var/adm/crash.
If you have online diagnostics installed use that to see of any issues. Have a look at the GSP logs..(sometimes even over temprature could cause system halt or reboot)
0 Kudos
Karl_
Frequent Advisor

‎04-09-2006 05:35 PM

‎04-09-2006 05:35 PM

Re: Identify who rebooted the server

Thanks Rajeev.

I will let HP Investigate on this.

Best regards,

Karl
0 Kudos
Karl_
Frequent Advisor

‎04-09-2006 05:39 PM

‎04-09-2006 05:39 PM

Re: Identify who rebooted the server

thread closed. Full 10 points to you. Thanks
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.