Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Have you checked the output of 'last'? It shows who logged on, when and at what times the machine was rebooted. If you use the -d switch, it should output the IP addresses of those who were remotely logged in. Check the man page for more info.
[root@phobos ~]# last -d reboot
reboot system boot 0.0.0.0 Tue Aug 14 13:01 (02:06)
reboot system boot 0.0.0.0 Sat Aug 11 15:58 (2+21:01)
reboot system boot 0.0.0.0 Sat Aug 11 14:32 (01:23)
reboot system boot 0.0.0.0 Sat Aug 11 14:16 (00:14)
reboot system boot 0.0.0.0 Sat Aug 11 13:37 (00:37)
reboot system boot 0.0.0.0 Sat Aug 11 13:32 (00:04)
reboot system boot 0.0.0.0 Sat Aug 11 13:28 (00:02)
reboot system boot 0.0.0.0 Sat Aug 11 13:25 (00:01)
reboot system boot 0.0.0.0 Sat Aug 11 12:59 (00:24)
reboot system boot 0.0.0.0 Sat Aug 11 09:38 (03:19)
reboot system boot 0.0.0.0 Thu Aug 9 18:25 (1+15:00)
reboot system boot 0.0.0.0 Thu Aug 9 16:25 (01:47)
wtmp begins Wed Aug 1 17:11:51 2007
Code:
[root@phobos ~]# last reboot
reboot system boot 2.6.9-22.ELsmp Tue Aug 14 13:01 (02:08)
reboot system boot 2.6.9-22.ELsmp Sat Aug 11 15:58 (2+21:01)
reboot system boot 2.6.9-22.ELsmp Sat Aug 11 14:32 (01:23)
reboot system boot 2.6.9-22.ELsmp Sat Aug 11 14:16 (00:14)
reboot system boot 2.6.9-22.ELsmp Sat Aug 11 13:37 (00:37)
reboot system boot 2.6.9-22.ELsmp Sat Aug 11 13:32 (00:04)
reboot system boot 2.6.9-22.ELsmp Sat Aug 11 13:28 (00:02)
reboot system boot 2.6.9-22.ELsmp Sat Aug 11 13:25 (00:01)
reboot system boot 2.6.9-22.ELsmp Sat Aug 11 12:59 (00:24)
reboot system boot 2.6.9-22.ELsmp Sat Aug 11 09:38 (03:19)
reboot system boot 2.6.9-22.ELsmp Thu Aug 9 18:25 (1+15:00)
reboot system boot 2.6.9-22.ELsmp Thu Aug 9 16:25 (01:47)
wtmp begins Wed Aug 1 17:11:51 2007
Dear pwc101,
Yes its works . But i got the following results.
reboot system boot 0.0.0.0 Tue Aug 14 14:08 (00:46)
reboot system boot 0.0.0.0 Tue Aug 14 12:31 (01:34)
reboot system boot 0.0.0.0 Tue Aug 14 11:04 (03:01)
reboot system boot 0.0.0.0 Mon Aug 13 15:10 (01:45)
reboot system boot 0.0.0.0 Mon Aug 13 08:42 (08:13)
reboot system boot 0.0.0.0 Sun Aug 12 20:28 (00:50)
No IP displayed. The top one i had restarted it through remote login. Please explain is there a way to find it out?
Actually, last report the boot up, not the shutdown. And since there is still not an active internet connection, nor a user logged in, it only reports the kernel which has initiated the boot process. This is why you see 0.0.0.0 when using the -d option.
On Redhat/Fedora you can have some information on who was logged in immediately before the shutdown looking at /var/log/message and /var/log/secure together. In /var/log/secure you will see messages like (if pam auth enabled):
Code:
Aug 1 08:41:23 server-2 su: pam_unix(su:session): session closed for user root
Aug 1 08:41:23 server-2 gdm[3124]: pam_unix(gdm:session): session closed for user palm
which tell you who was logged in at shutdown time, but not actually who performed the shutdown command.
I had a similar experience. But since I changed the root password and setup sudo. Sudo logs everything. I even set it up to send me an email when people use sudo.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.