Have you tried /var/log/messages? I have notes in there about Kernel logging stopping when it goes down. If someone just gave the machine the finger (hit the power button and held it down so it went down without an ACPI poweroff call), then you won't have anything. I think it may also be recorded in /var/log/daemon.log on some installs. However WHO requested it may or may not be. On Fri, Nov 5, 2010 at 5:05 AM, ESGLinux <esggrupos@xxxxxxxxx> wrote: > Hi All, > > I have arrived today at work and I have found a RHEL 5 server poweroff. > > I want to know what has happened. So, I first want to know if someone has > executed shutdown/halt/poweroff or any other command that can power off the > machine, > > I have checked the messages file but I cant see nothing: > > Nov 4 12:24:34 www smartd[2097]: In the system's table of devices NO > devices found to scan > Nov 4 12:24:34 www smartd[2097]: Monitoring 0 ATA and 0 SCSI devices > Nov 4 12:24:34 www smartd[2099]: smartd has fork()ed into background mode. > New PID=2099. > Nov 5 09:20:01 www syslogd 1.4.1: restart. > Nov 5 09:20:02 www kernel: klogd 1.4.1, log source = /proc/kmsg started. > > at 09:20 I restart the machine. > > With the sar command I see this: > > 06:40:02 AM all 0.10 0.00 0.08 0.48 0.01 > 99.33 > 06:50:01 AM all 0.11 0.00 0.07 0.36 0.01 > 99.45 > 07:00:01 AM all 0.13 0.00 0.07 0.80 0.01 > 98.98 > Average: all 0.12 0.00 0.07 0.80 0.01 > 98.99 > > 09:19:48 AM LINUX RESTART > > 09:30:01 AM CPU %user %nice %system %iowait %steal > %idle > 09:40:01 AM all 0.60 0.00 0.11 5.57 0.01 > 93.71 > > So between 07:00 and 07:10 the system goes down, but WHY??? > > with the ausearch command I get this: > > ---- > time->Fri Nov 5 07:01:01 2010 > type=CRED_ACQ msg=audit(1288936861.670:3707): user pid=9601 uid=0 > auid=4294967295 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" > (hostname=?, addr=?, terminal=cron res=success)' > ---- > time->Fri Nov 5 07:01:01 2010 > type=LOGIN msg=audit(1288936861.670:3708): login pid=9601 uid=0 old > auid=4294967295 new auid=0 > ---- > time->Fri Nov 5 07:01:01 2010 > type=USER_START msg=audit(1288936861.720:3709): user pid=9601 uid=0 auid=0 > msg='PAM: session open acct="root" : exe="/usr/sbin/crond" (hostname=?, > addr=?, terminal=cron res=success)' > ---- > time->Fri Nov 5 07:01:01 2010 > type=CRED_DISP msg=audit(1288936861.730:3710): user pid=9601 uid=0 auid=0 > msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, > terminal=cron res=success)' > ---- > time->Fri Nov 5 07:01:01 2010 > type=USER_END msg=audit(1288936861.730:3711): user pid=9601 uid=0 auid=0 > msg='PAM: session close acct="root" : exe="/usr/sbin/crond" (hostname=?, > addr=?, terminal=cron res=success)' > ---- > time->Fri Nov 5 09:20:00 2010 > type=DAEMON_START msg=audit(1288945200.613:9651): auditd start, ver=1.7.17 > format=raw kernel=2.6.18.8-xen auid=4294967295 pid=1440 res=success > ---- > > If the systems goes down because of power failure or something strange, is > there any way to check it? > > Thanks in advance > > ESG > -- > redhat-list mailing list > unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe > https://www.redhat.com/mailman/listinfo/redhat-list > -- "il n'y a pas de libertà s'il y a dÃpendance" --Theobalt -- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list