Grant Peel wrote:
Hi all,I started getting watchmouse errors about on pf my servers not responding. There is a DRAC on the machine, and the sensor data was all good. When I got the machine back up and running, I seen this in lastlog:client1 ftp hostname1here Wed Sep 17 17:02 - shutdown (00:46) client2 ftp hostname2here Wed Sep 17 17:02 - shutdown (00:46) client2 ftp hostname2here Wed Sep 17 17:02 - shutdown (00:46)client3 ftp hostname3here Wed Sep 17 17:01 - 17:06 (00:04) Should I be worried about seeing 'shutdown' in an ftp line of last?
That just means the ftp user was still logged in at the time the system shut down.
If not, how would you suggest I find the process or program that issued the shutdown command?
Read the system logs, basically. /var/log/messages or /var/log/all.log (if you've enabled it). The shutdown(8) command will always write syslog messages when invoked. halt(8) or reboot(8) will write a 'shutdown' record into wtmp (ie. look at 'last shutdown') but don't log anything to syslog. However, you're quite likely to find that there is nothing in the log or wtmp files to explain what happened. All this means is that the system went down suddenly -- perhaps power dropped out momentarily, ora thermal cutout tripped or the system panic'd for one of any number of reasons. You'ld be able to detect log file traces showing fsck(8)
being run on the root f/s following any of those sort of unclean shutdowns, and
if the system panic'd then you may well have a core dump sitting in
/var/db/crash -- depends whether you've enabled that functionality or not.
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
Kent, CT11 9PW
signature.asc
Description: OpenPGP digital signature
