How to figure out who shutdown box (Kelly D. Grills)

Daniel jahilliya at gmail.com
Mon Mar 6 04:17:45 UTC 2006


On 3/6/06, Jon Poland <polandj at monkey.org> wrote:
> For me, those show up in /var/log/messages:
> Jan 17 22:54:23 kmart reboot: rebooted by polandj
>
> But nothing for the particular shutdown in question...
>
> - JP
>
> On Sat, Mar 04, 2006 at 10:24:17AM -0500, Jon Poland wrote:
> >>
> >> Hi,
> >>   I operate a colo box running FreeBSD 6.0-SECURITY.  Yesterday the box
> >> shut down and powered off.  I didn't execute shutdown or halt, and I'm the
> >> only user who can.  Here's what the logs tell me:
> >>
> >> /var/log/console.log:
> >> Mar  3 11:24:29 kmart kernel: Shutting down daemon processes:
> >>
> >> /var/log/messages:
> >> Mar  3 11:24:38 kmart syslogd: exiting on signal 15
> >>
> >> last: (the important lines)
> >> reboot           ~                         Fri Mar  3 13:10
> >> shutdown         ~                         Fri Mar  3 11:24
> >>
> >> I don't see anything in any of the logs like "rebooted by X", etc.
> >>
> >> I'm not exactly sure how this can happen and looking for ideas.
> >>
> >
> > Where are you logging security messages? I believe the default is to
> > /var/log/security
> >
> > Have a look at /etc/syslog.conf and syslog.conf(5)
> >
> > You should see messages such as this in your security log:
> > Mar  1 15:21:38 srv1 shutdown: reboot by kdgrills:
>
Other than checking the logfiles, check for crash dumps, read
the dmesg and see if the disks were unmounted cleanly. If they
weren't, then it indicates the system may have crashed. If they were
clean unmounts, then some kind of process interaction may have caused
the shutdown.

Try turning on process accounting:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/security-accounting.html

It effectively logs all commands issued, and from this you could
effectively figure out what is going on at certain times with more
clarity and less guesswork.

Jal.
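
Added example, not part of the original thread: a small sh/awk triage that pairs each "syslogd: exiting on signal 15" line with a "... by USER" line from shutdown(8) or reboot(8) on the same host and day, and flags exits that have no such line nearby. The function names, the 120-second window, and the two syslogd lines marked as constructed are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: which syslogd exits have a "... by USER" attribution line?
# WINDOW is an assumed correlation window in seconds, not a FreeBSD constant.
WINDOW=120

classify_shutdowns() {
    awk -v window="$WINDOW" '
    function secs(t,   p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
    # Attribution formats quoted in the thread:
    #   shutdown: reboot by kdgrills:      reboot: rebooted by polandj
    $5 ~ /^(shutdown|reboot|halt)(\[[0-9]+\])?:$/ {
        for (i = 6; i < NF; i++) if ($i == "by") {
            n++; who[n] = $(i + 1); sub(/:$/, "", who[n])
            key[n] = $1 " " $2 " " $4; at[n] = secs($3); break
        }
        next
    }
    # syslogd also logs this when it is merely restarted, so treat a hit
    # as a candidate shutdown and confirm against last(1).
    $5 ~ /^syslogd(\[[0-9]+\])?:$/ && /exiting on signal 15/ {
        m++; edate[m] = $1 " " $2; etime[m] = $3; ehost[m] = $4
    }
    END {
        # Matching is done here so input order does not matter (several
        # log files can be concatenated). Midnight rollover is not handled.
        for (e = 1; e <= m; e++) {
            verdict = "unattributed"
            for (a = 1; a <= n; a++) {
                d = secs(etime[e]) - at[a]
                if (key[a] == (edate[e] " " ehost[e]) && d >= -window && d <= window)
                    verdict = "attributed " who[a]
            }
            print edate[e], etime[e], ehost[e], verdict
        }
    }'
}

# Lines 1, 3 and 5 are quoted from the thread; lines 2 and 4 are constructed.
sample_log() {
cat <<'EOF'
Jan 17 22:54:23 kmart reboot: rebooted by polandj
Jan 17 22:54:25 kmart syslogd: exiting on signal 15
Mar  1 15:21:38 srv1 shutdown: reboot by kdgrills:
Mar  1 15:21:41 srv1 syslogd: exiting on signal 15
Mar  3 11:24:38 kmart syslogd: exiting on signal 15
EOF
}

sample_log | classify_shutdowns
```

On the box itself, pipe the files the thread names into the function, for example `cat /var/log/security /var/log/messages | classify_shutdowns`. An "unattributed" result is the situation the original poster describes, where crash dumps, unmount state and process accounting become the next things to check.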


More information about the freebsd-questions mailing list