Date: Thu, 18 Sep 2008 13:01:42 +0330 From: "H.fazaeli" <fazaeli@sepehrs.com> To: Grant Peel <gpeel@thenetnow.com> Cc: freebsd-questions@freebsd.org Subject: Re: Mystical Server Shutdown. Message-ID: <48D21FFE.5090109@sepehrs.com> In-Reply-To: <48D1FEB0.6060903@infracaninophile.co.uk> References: <FD15F879D39E42B3BCF6CCD3F809571A@GRANT> <48D1FEB0.6060903@infracaninophile.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
If you applied all the Matthew's suggestions and it is still a mystery, and if server's shutdown is clean, look for a a (buggy) user land process that sends SIGUSR2 signal to init(1). Matthew Seaman wrote: > Grant Peel wrote: >> Hi all, >> >> I started getting watchmouse errors about on pf my servers not >> responding. There is a DRAC on the machine, and the sensor data was >> all good. When I got the machine back up and running, I seen this in >> lastlog: >> >> client1 ftp hostname1here Wed Sep 17 17:02 - shutdown >> (00:46) >> client2 ftp hostname2here Wed Sep 17 17:02 - shutdown >> (00:46) >> client2 ftp hostname2here Wed Sep 17 17:02 - shutdown >> (00:46) >> client3 ftp hostname3here Wed Sep 17 17:01 - 17:06 >> (00:04) >> >> >> Should I be worried about seeing 'shutdown' in an ftp line of last? > > That just means the ftp user was still logged in at the time the > system shut down. > >> If not, how would you suggest I find the process or program that >> issued the shutdown command? > > Read the system logs, basically. /var/log/messages or /var/log/all.log > (if you've enabled it). The shutdown(8) command will always write > syslog messages when invoked. halt(8) or reboot(8) will write a > 'shutdown' > record into wtmp (ie. look at 'last shutdown') but don't log anything > to syslog. > > However, you're quite likely to find that there is nothing in the log > or wtmp files to explain what happened. All this means is that the > system went down suddenly -- perhaps power dropped out momentarily, or > a thermal cutout tripped or the system panic'd for one of any number > of reasons. You'ld be able to detect log file traces showing fsck(8) > being run on the root f/s following any of those sort of unclean > shutdowns, and if the system panic'd then you may well have a core > dump sitting in /var/db/crash -- depends whether you've enabled that > functionality or not. > > Cheers, > > Matthew > -- Best regards. Hooman Fazaeli <hf@sepehrs.com> Sepehr S. T. Co. Ltd. Web: http://www.sepehrs.com Tel: (9821)88975701-2 Fax: (9821)88983352
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?48D21FFE.5090109>