On a Linux machine that runs systemd, is there any way to see what or who issued a shutdown or reboot?
Add a comment |
2 Answers
Examine the system logs of the previous boot with sudo journalctl -b -1 -e.
Examine /var/log/auth.log.
Are you sure it's not one of "power interruption/spike", "CPU overheat", ....
On MY system (Ubuntu 16.04,6),
sudo journalctl | grep shutdown Jan 29 12:58:07 bat sudo[14365]: walt : TTY=pts/0 ; PWD=/home/walt ; USER=root ; COMMAND=/sbin/shutdown now Feb 12 11:23:59 bat systemd[1]: Stopped Ubuntu core (all-snaps) system shutdown helper setup service. Feb 19 09:35:18 bat ureadahead[437]: ureadahead:lxqt-session_system-shutdown.png: Ignored relative path Feb 19 09:35:18 bat ureadahead[437]: ureadahead:gshutdown_gshutdown.png: Ignored relative path Feb 19 09:35:18 bat ureadahead[437]: ureadahead:mate-gnome-main-menu-applet_system-shutdown.png: Ignored relative path Feb 27 16:45:40 bat systemd-shutdown[1]: Sending SIGTERM to remaining processes... Mar 05 17:53:27 bat systemd-shutdown[1]: Sending SIGTERM to remaining processes... Mar 15 09:57:45 bat systemd[1]: Stopped Ubuntu core (all-snaps) system shutdown helper setup service. Mar 21 17:40:30 bat systemd[1]: Stopped Ubuntu core (all-snaps) system shutdown helper setup service. Apr 15 18:16:37 bat systemd[1]: Stopped Ubuntu core (all-snaps) system shutdown helper setup service. ... The first line shows when user walt did a sudo shutdown now.
- 1I don't think logs from journalctl or auth.log contain who issued shutdown/rebootHieu Huynh– Hieu Huynh2019-12-19 02:43:50 +00:00Commented Dec 19, 2019 at 2:43
- ah... see it.
Dec 18 16:27:36 personal sudo[915]: ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/sbin/rebootHieu Huynh– Hieu Huynh2019-12-19 09:00:47 +00:00Commented Dec 19, 2019 at 9:00
In short, only root user or root privileged users can shutdown/reboot a system.
- Running
last -xcommand for finding timestamp of actions
root@personal:~# last -x ubuntu pts/0 116.102.181.245 Wed Dec 18 16:28 still logged in runlevel (to lvl 5) 4.15.0-1047-aws Wed Dec 18 16:27 still running reboot system boot 4.15.0-1047-aws Wed Dec 18 16:27 still running shutdown system down 4.15.0-1047-aws Wed Dec 18 16:27 - 16:27 (00:00) ubuntu pts/0 116.102.181.245 Wed Dec 18 16:25 - 16:27 (00:02) runlevel (to lvl 5) 4.15.0-1047-aws Wed Dec 18 16:24 - 16:27 (00:03) - On
last -xresult, find some recently logged users, switch to that & check history then
root@personal:~# su - ubuntu ubuntu@personal:~$ history 10 312 dig @1.1.1.1 xxx +short 313 dig @8.8.8.8 xxx +short 314 dig @8.8.4.4 xxx +short 315 exit 316 sudo su - 317 sudo reboot 318 sudo su - 319 history 320 last -x 321 history 10 - OR check logs from
journalctl
root@personal:~# journalctl | grep reboot Sep 05 03:07:04 ip-172-31-36-28 cron[710]: (CRON) INFO (Running @reboot jobs) Sep 05 13:49:11 personal python3[21347]: ansible-command Invoked with _raw_params=sleep 10 && reboot _uses_shell=True warn=True stdin_add_newline=True strip_empty_ends=True argv=None chdir=None executable=None creates=None removes=None stdin=None Sep 05 13:51:23 personal python3[22042]: ansible-command Invoked with _raw_params=sleep 10 && reboot _uses_shell=True warn=True stdin_add_newline=True strip_empty_ends=True argv=None chdir=None executable=None creates=None removes=None stdin=None Sep 05 13:54:21 personal systemd-logind[715]: System is rebooting (Reboot initiated by Ansible). Sep 05 13:54:36 personal cron[573]: (CRON) INFO (Running @reboot jobs) Dec 18 16:24:30 personal cron[651]: (CRON) INFO (Running @reboot jobs) Dec 18 16:27:36 personal sudo[915]: ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/sbin/reboot Dec 18 16:27:54 personal cron[641]: (CRON) INFO (Running @reboot jobs) BTW, you can check more at these links:
- 2"In short, only root user or root privileged users can shutdown/reboot a system" is 100% wrong. A simple press on the power button can shutdown a computer (if not disabled), and ctrl+alt+del also (if not disabled), and most distros allows any GUI users to shutdown/reboot without being root or having any special privileges beside this one.Gregory MOUSSAT– Gregory MOUSSAT2021-11-01 00:00:47 +00:00Commented Nov 1, 2021 at 0:00