HPE Community
Operating System - HP-UX
1822197 Members
3729 Online
109640 Solutions
New Discussion юеВ

Shutdown LOG

 
SOLVED
Go to solution
Sampath_4
Occasional Advisor

тАО11-01-2005 06:12 PM

тАО11-01-2005 06:12 PM

Shutdown LOG

My server is getting shutdown automatically .Shutdownlog doesnot show the user responsible for the shutdown. How do i know which user is responsible for the shutdown

Regards,
N.Sampath Kumar
0 Kudos
Reply
15 REPLIES 15
AwadheshPandey
Honored Contributor

тАО11-01-2005 06:15 PM

тАО11-01-2005 06:15 PM

Re: Shutdown LOG

check ur file system first, if any file system is full, then sytem Goes down automaticaly.

check

#dmesg
for any error messages

Awadhesh
It's kind of fun to do the impossible
0 Kudos
Reply
Orhan Biyiklioglu
Respected Contributor

тАО11-01-2005 06:16 PM

тАО11-01-2005 06:16 PM

Re: Shutdown LOG

Check /etc/shutdownlog file

hth
0 Kudos
Reply
Joseph Loo
Honored Contributor

тАО11-01-2005 06:20 PM

тАО11-01-2005 06:20 PM

Re: Shutdown LOG

hi,

what is included in /etc/shutdown.allow, if it is blank, only the root user is allow to bring the system down.

regards.
what you do not see does not mean you should not believe
0 Kudos
Reply
Sampath_4
Occasional Advisor

тАО11-01-2005 06:20 PM

тАО11-01-2005 06:20 PM

Re: Shutdown LOG

Thanks for your fast response

None of the filesystems are full.

/etc/shutdownlog shows only the timestamp of the shutdown but not the user responsible for the shutdown
0 Kudos
Reply
Sampath_4
Occasional Advisor

тАО11-01-2005 06:23 PM

тАО11-01-2005 06:23 PM

Re: Shutdown LOG

shutdown.allow is blank ,but i have some users with UID 0, whether they will be able to shutdown the machine
0 Kudos
Reply
RAC_1
Honored Contributor

тАО11-01-2005 06:26 PM

тАО11-01-2005 06:26 PM

Re: Shutdown LOG

There might be different reason why server is getting shutdown. do you see anything in syslog.log, in /var/tombstones/ts99 or in dir /var/adm/crash??

Also do you any error with poer supplies. check it through GSP.
There is no substitute to HARDWORK
0 Kudos
Reply
RAC_1
Honored Contributor

тАО11-01-2005 06:33 PM

тАО11-01-2005 06:33 PM

Re: Shutdown LOG

Anybody with uid 0 will be able to shutdown. But this would get logged in shutdownlog, unless some edited it.

It is a bad idea and sysadmin practice to have many accounts with uid. you can check such accounts with logins -d command.
There is no substitute to HARDWORK
0 Kudos
Reply
Sampath_4
Occasional Advisor

тАО11-01-2005 06:48 PM

тАО11-01-2005 06:48 PM

Re: Shutdown LOG


There is no /var/tomstones/ts99.

/var/adm/crash doesnt have any dump in the latest date.It is not to abrupt shutdown it is getting shutdown using the reboot command . When i moved the /sbin/reboot to some other name , i am getting sh: reboot not found error in my console.


How to check the power supplies ? How to access GSP
0 Kudos
Reply
AwadheshPandey
Honored Contributor

тАО11-01-2005 06:51 PM

тАО11-01-2005 06:51 PM

Re: Shutdown LOG

uid 0 is reserve for root, this is a very bad practice to create such other ids with 0 ids, first change these ids with some other ids rather than system reserve ids ie 0-99,
if problem comes again then check any other issue.
syslog.log,
and /var/adm/crash for any new entry

Awadhesh
It's kind of fun to do the impossible
0 Kudos
Reply
Ranjith_5
Honored Contributor

тАО11-01-2005 07:04 PM

тАО11-01-2005 07:04 PM

Solution

Re: Shutdown LOG

Hi Sampath,

** Is this a shutdown / reboot?

** Look at /var/adm/syslog/OLDsyslog.log for the reason for shutdown/reboot. syslog.log will be copied to OLDsyslog.log during boot time.

** if you are not able to find the reason of shutdown from shutdownlog please see the time of last boot and see the users who logged on to the system during that time.

try the command

#last -R|more

** Use STM to verify the system health is in safe condition.

Regards,
Syam
Reply
Joseph Loo
Honored Contributor

тАО11-01-2005 07:11 PM

тАО11-01-2005 07:11 PM

Re: Shutdown LOG

hi,

as the rest have suggested, not really good practice to have multiple UID 0, but since u have done that...

anyway, do u keep .sh_history file on each user, u may examine that file of those user with UID 0. however, that user may also have clear the "shutdown" command line if he/she is clearing his/her tracks.

regards.
what you do not see does not mean you should not believe
0 Kudos
Reply
Sandman!
Honored Contributor

тАО11-01-2005 08:22 PM

тАО11-01-2005 08:22 PM

Re: Shutdown LOG

Check the following files/folders:

/var/adm/syslog.log
/var/adm/syslog/OLDsyslog.log
/var/adm/crash/
/etc/shutdownlog
/var/tombstones/ts99

Look for cron jobs that may be causing reboots. Create wrapper scripts for the reboot and shutdown utilities so that you are notified by e-mail whenever they are called.

regards!
0 Kudos
Reply
Arunvijai_4
Honored Contributor

тАО11-01-2005 08:30 PM

тАО11-01-2005 08:30 PM

Re: Shutdown LOG

Checking at /var/adm/syslog/syslog.log and revisiting any cronjobs running may also help you.

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"
0 Kudos
Reply
MarkSyder
Honored Contributor

тАО11-01-2005 09:40 PM

тАО11-01-2005 09:40 PM

Re: Shutdown LOG

I suspect this is resolved as you've given a bunny, but just in case ...

Once you know what time the shutdown took place you can look in /var/adm/cron/log to see if any cron jobs ran immediately before.

MArk Syder (like the drink but spelt different)
The triumph of evil requires only that good men do nothing
0 Kudos
Reply
Sampath_4
Occasional Advisor

тАО11-02-2005 06:44 PM

тАО11-02-2005 06:44 PM

Re: Shutdown LOG

the problem seemed to be some user shutting the machine remotely . Since he is clearing all his tracks i couldnt able to trace the user.I have moved the shutdown and reboot files , then he used the init 0 . He got the tip , then he stopped doing it .Now i have wrapped the shutdown and reboot in to a script which will log the user information in some file so that i can trace him once he tries to do it again. thanks for all your valuable information.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.