how to check if shutdown/halt has been executed

Dennis Comeaux dennis.comeaux at gmail.com
Thu Nov 11 15:00:56 UTC 2010 

Have you tried /var/log/messages?  I have notes in there about Kernel
logging stopping when it goes down.  If someone just gave the machine the
finger (hit the power button and held it down so it went down without an
ACPI poweroff call), then you won't have anything.  I think it may also be
recorded in /var/log/daemon.log on some installs.  However WHO requested it
may or may not be.

On Fri, Nov 5, 2010 at 5:05 AM, ESGLinux <esggrupos at gmail.com> wrote:

> Hi All,
>
> I have arrived today at work and I have found a RHEL 5 server poweroff.
>
> I want to know what has happened. So, I first want to know if someone has
> executed shutdown/halt/poweroff or any other command that can power off the
> machine,
>
> I have checked the messages file but I cant see nothing:
>
> Nov  4 12:24:34 www smartd[2097]: In the system's table of devices NO
> devices found to scan
> Nov  4 12:24:34 www smartd[2097]: Monitoring 0 ATA and 0 SCSI devices
> Nov  4 12:24:34 www smartd[2099]: smartd has fork()ed into background mode.
> New PID=2099.
> Nov  5 09:20:01 www syslogd 1.4.1: restart.
> Nov  5 09:20:02 www kernel: klogd 1.4.1, log source = /proc/kmsg started.
>
> at 09:20 I restart the machine.
>
> With the sar command I see this:
>
> 06:40:02 AM       all      0.10      0.00      0.08      0.48      0.01
> 99.33
> 06:50:01 AM       all      0.11      0.00      0.07      0.36      0.01
> 99.45
> 07:00:01 AM       all      0.13      0.00      0.07      0.80      0.01
> 98.98
> Average:          all      0.12      0.00      0.07      0.80      0.01
> 98.99
>
> 09:19:48 AM       LINUX RESTART
>
> 09:30:01 AM       CPU     %user     %nice   %system   %iowait    %steal
> %idle
> 09:40:01 AM       all      0.60      0.00      0.11      5.57      0.01
> 93.71
>
> So between 07:00 and 07:10 the system  goes down, but WHY???
>
> with the ausearch command I get this:
>
> ----
> time->Fri Nov  5 07:01:01 2010
> type=CRED_ACQ msg=audit(1288936861.670:3707): user pid=9601 uid=0
> auid=4294967295 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond"
> (hostname=?, addr=?, terminal=cron res=success)'
> ----
> time->Fri Nov  5 07:01:01 2010
> type=LOGIN msg=audit(1288936861.670:3708): login pid=9601 uid=0 old
> auid=4294967295 new auid=0
> ----
> time->Fri Nov  5 07:01:01 2010
> type=USER_START msg=audit(1288936861.720:3709): user pid=9601 uid=0 auid=0
> msg='PAM: session open acct="root" : exe="/usr/sbin/crond" (hostname=?,
> addr=?, terminal=cron res=success)'
> ----
> time->Fri Nov  5 07:01:01 2010
> type=CRED_DISP msg=audit(1288936861.730:3710): user pid=9601 uid=0 auid=0
> msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?,
> terminal=cron res=success)'
> ----
> time->Fri Nov  5 07:01:01 2010
> type=USER_END msg=audit(1288936861.730:3711): user pid=9601 uid=0 auid=0
> msg='PAM: session close acct="root" : exe="/usr/sbin/crond" (hostname=?,
> addr=?, terminal=cron res=success)'
> ----
> time->Fri Nov  5 09:20:00 2010
> type=DAEMON_START msg=audit(1288945200.613:9651): auditd start, ver=1.7.17
> format=raw kernel=2.6.18.8-xen auid=4294967295 pid=1440 res=success
> ----
>
> If the systems goes down because of power failure or something strange, is
> there any way to check it?
>
> Thanks in advance
>
> ESG
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
>



-- 
"il n'y a pas de liberté s'il y a dépendance"
   --Theobalt

More information about the redhat-list mailing list