Date: Sat, 4 Mar 2006 11:42:49 -0600
From: "Kelly D. Grills"
To: freebsd-questions@freebsd.org
Subject: Re: How to figure out who shutdown box
Message-ID: <20060304174236.GA752@the-grills.com>

On Sat, Mar 04, 2006 at 10:24:17AM -0500, Jon Poland wrote:
>
> Hi,
> I operate a colo box running FreeBSD 6.0-SECURITY. Yesterday the box
> shutdown and powered off. I didn't execute shutdown or halt, and I'm the
> only user who can. Here's what the logs tell me:
>
> /var/log/console.log:
> Mar 3 11:24:29 kmart kernel: Shutting down daemon processes:
>
> /var/log/messages:
> Mar 3 11:24:38 kmart syslogd: exiting on signal 15
>
> last: (the important lines)
> reboot ~ Fri Mar 3 13:10
> shutdown ~ Fri Mar 3 11:24
>
> I don't see anything in any of the logs like "rebooted by X", etc.
>
> I'm not exactly sure how this can happen and looking for ideas.
>

Where are you logging security messages? I believe the default is
to /var/log/security

Have a look at /etc/syslog.conf and syslog.conf(5)

You should see messages such as this in your security log:

Mar 1 15:21:38 srv1 shutdown: reboot by kdgrills:

-- 
Kelly D. Grills
kdgrills@the-grills.com
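
The check suggested in the reply above, carried one step further as an added example (not part of the original message): it pairs each `syslogd: exiting on signal 15` line with a `shutdown: ... by user:` record from the same host and lists the exits that have none. The log lines are constructed from the ones quoted in the thread; the function names, the 120-second window, and the assumption that other shutdown actions log in the same "action by user:" shape are mine.

```python
import re
from datetime import datetime, timedelta

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([\w.-]+)(?:\[\d+\])?: (.*)$")
BY = re.compile(r"^(\S+) by (\S+):")  # shape of the "reboot by kdgrills:" line in the thread

# Constructed sample input, modelled on the lines quoted in the thread.
SECURITY_LOG = ["Mar  1 15:21:38 srv1 shutdown: reboot by kdgrills: "]
MESSAGES_LOG = [
    "Mar  1 15:21:44 srv1 syslogd: exiting on signal 15",
    "Mar  3 11:24:38 kmart syslogd: exiting on signal 15",
]

def parse(lines, year):
    """Yield (time, host, program, message); syslog lines carry no year, so pass one in."""
    for line in lines:
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4)

def classify_exits(security, messages, year, window=timedelta(seconds=120)):
    """Pair each syslogd exit with a shutdown record from the same host, if any."""
    # Merge both files into one timeline, since the records live in separate logs.
    events = sorted(list(parse(security, year)) + list(parse(messages, year)))
    last_shutdown = {}  # host -> (time, action, user)
    attributed, unattributed = [], []
    for ts, host, prog, msg in events:
        by = BY.match(msg) if prog == "shutdown" else None
        if by:
            last_shutdown[host] = (ts, by.group(1), by.group(2))
        elif prog == "syslogd" and msg.startswith("exiting on signal 15"):
            prev = last_shutdown.get(host)
            if prev and ts - prev[0] <= window:
                attributed.append((host, ts, prev[1], prev[2]))
            else:
                unattributed.append((host, ts))
    return attributed, unattributed

if __name__ == "__main__":
    named, unnamed = classify_exits(SECURITY_LOG, MESSAGES_LOG, 2006)
    for host, ts, action, user in named:
        print(f"{host} {ts}: {action} by {user}")
    for host, ts in unnamed:
        print(f"{host} {ts}: syslogd stopped with no shutdown record in the window")
```

An exit with no matching record means either the stop did not go through shutdown(8) or the security messages are not being written to the file you read, which is why /etc/syslog.conf is the first thing to check.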