who gave the last reboot command in ssh

tanveer · 08-14-2007, 03:05 AM

hi all,
Is there any way to know who gave the last reboot command whether remotely through ssh with IP or locally?

thanks in advance.

pwc101 · 08-14-2007, 03:50 AM

Have you checked the output of 'last'? It shows who logged on, when and at what times the machine was rebooted. If you use the -d switch, it should output the IP addresses of those who were remotely logged in. Check the man page for more info.

edit: I think what you may be looking for is:

Code:

last -d reboot

tanveer · 08-14-2007, 04:18 AM

Output:-

Code:

[root@phobos ~]# last -d reboot
reboot   system boot  0.0.0.0          Tue Aug 14 13:01          (02:06)
reboot   system boot  0.0.0.0          Sat Aug 11 15:58         (2+21:01)
reboot   system boot  0.0.0.0          Sat Aug 11 14:32          (01:23)
reboot   system boot  0.0.0.0          Sat Aug 11 14:16          (00:14)
reboot   system boot  0.0.0.0          Sat Aug 11 13:37          (00:37)
reboot   system boot  0.0.0.0          Sat Aug 11 13:32          (00:04)
reboot   system boot  0.0.0.0          Sat Aug 11 13:28          (00:02)
reboot   system boot  0.0.0.0          Sat Aug 11 13:25          (00:01)
reboot   system boot  0.0.0.0          Sat Aug 11 12:59          (00:24)
reboot   system boot  0.0.0.0          Sat Aug 11 09:38          (03:19)
reboot   system boot  0.0.0.0          Thu Aug  9 18:25         (1+15:00)
reboot   system boot  0.0.0.0          Thu Aug  9 16:25          (01:47)

wtmp begins Wed Aug  1 17:11:51 2007

Code:

[root@phobos ~]# last reboot
reboot   system boot  2.6.9-22.ELsmp   Tue Aug 14 13:01          (02:08)
reboot   system boot  2.6.9-22.ELsmp   Sat Aug 11 15:58         (2+21:01)
reboot   system boot  2.6.9-22.ELsmp   Sat Aug 11 14:32          (01:23)
reboot   system boot  2.6.9-22.ELsmp   Sat Aug 11 14:16          (00:14)
reboot   system boot  2.6.9-22.ELsmp   Sat Aug 11 13:37          (00:37)
reboot   system boot  2.6.9-22.ELsmp   Sat Aug 11 13:32          (00:04)
reboot   system boot  2.6.9-22.ELsmp   Sat Aug 11 13:28          (00:02)
reboot   system boot  2.6.9-22.ELsmp   Sat Aug 11 13:25          (00:01)
reboot   system boot  2.6.9-22.ELsmp   Sat Aug 11 12:59          (00:24)
reboot   system boot  2.6.9-22.ELsmp   Sat Aug 11 09:38          (03:19)
reboot   system boot  2.6.9-22.ELsmp   Thu Aug  9 18:25         (1+15:00)
reboot   system boot  2.6.9-22.ELsmp   Thu Aug  9 16:25          (01:47)

wtmp begins Wed Aug  1 17:11:51 2007

ZAMO · 08-14-2007, 04:22 AM

Dear pwc101,
Yes its works . But i got the following results.
reboot system boot 0.0.0.0 Tue Aug 14 14:08 (00:46)
reboot system boot 0.0.0.0 Tue Aug 14 12:31 (01:34)
reboot system boot 0.0.0.0 Tue Aug 14 11:04 (03:01)
reboot system boot 0.0.0.0 Mon Aug 13 15:10 (01:45)
reboot system boot 0.0.0.0 Mon Aug 13 08:42 (08:13)
reboot system boot 0.0.0.0 Sun Aug 12 20:28 (00:50)
No IP displayed. The top one i had restarted it through remote login. Please explain is there a way to find it out?

pwc101 · 08-14-2007, 04:50 AM

Try:

Code:

last -i reboot

tanveer · 08-14-2007, 06:49 AM

the output is same as last -d reboot

pwc101 · 08-14-2007, 06:52 AM

Sorry, no idea then.

edit: Have you checked your DNS server or /etc/hosts file is set up correctly?

tdbabar · 08-14-2007, 07:13 AM

'last' command shows the login usernames, not the commands.
You could check the history, but its difficult to makeout, what you need......

colucix · 08-14-2007, 07:46 AM

Actually, last report the boot up, not the shutdown. And since there is still not an active internet connection, nor a user logged in, it only reports the kernel which has initiated the boot process. This is why you see 0.0.0.0 when using the -d option.
On Redhat/Fedora you can have some information on who was logged in immediately before the shutdown looking at /var/log/message and /var/log/secure together. In /var/log/secure you will see messages like (if pam auth enabled):

Code:

Aug  1 08:41:23 server-2 su: pam_unix(su:session): session closed for user root
Aug  1 08:41:23 server-2 gdm[3124]: pam_unix(gdm:session): session closed for user palm

which tell you who was logged in at shutdown time, but not actually who performed the shutdown command.

yanik · 08-14-2007, 08:08 AM

I had a similar experience. But since I changed the root password and setup sudo. Sudo logs everything. I even set it up to send me an email when people use sudo.

Add this to sudoers

Code:

Defaults        mailto="you@yourdomain.com"
Defaults        mail_always
Defaults        log_year, logfile=/var/log/sudo.log

When someone uses sudo, I get an email like this one:

Quote:

pspfc : Aug 13 01:00:22 2007 : root : TTY=unknown ; PWD=/ ; USER=mgr ; COMMAND=/home/portfolio6/conv/jbascule

So you can see user mgr used sudo to execute /home/portfolio6/conv/jbascule on machine pspfc

To make sure they don't bypass sudo, I also added this to sudoers:

Code:

Cmnd_Alias      SHELLS = /bin/csh, /bin/jsh, /bin/ksh, /bin/pfcsh, /bin/pfksh, /bin/pfsh, /bin/rksh, /bin/rsh, /bin/sh, /bin/tcsh, /bin/zsh, /usr/bin/csh, /usr/bin/jsh, /usr/bin/ksh, /usr/bin/pfcsh, /usr/bin/pfksh, /usr/bin/pfsh, /usr/bin/rksh, /usr/bin/rsh, /usr/bin/sh, /usr/bin/tcsh, /usr/bin/zsh

%wheel  ALL=PASSWD:ALL, !SHELLS, PASSWD:/usr/bin/su [!-]*, !/usr/bin/passwd root, !/usr/bin/su root