How to find out the cause of Unix machine reboot?

Question:

f2000

2006-04-10 04:31:06 UTC

One of my SUN-Sparc server (with Solaris 8 installed on it) rebooted today. There is no indication in /var/adm/messages about the reason of this reboot ... I can just see the boot-up messages in it? Any idea on how the root cause could be determined?

Five answers:

morgan

2006-04-10 13:57:16 UTC

You mentioned looking in /var/adm/messages, but did you

check the "archived" versions of that file? In

particular, look one version back, at:

/var/adm/messages.0

Someone else mentioned "syslog", but I don't think that

the default location is in /var/adm/syslog. It is

configured by "/etc/syslog.conf", and I *think* the

default location is:

/var/log/syslog

One other suggestion was that your machine was hijacked.

I don't know your configuration or exposure, but

depending on your circumstances, maybe it would make

sense to scan for non-standard checksum in your system

files.

In the environment where *I* work, sophisticated hackers

are *far* less common than run-of-the-mill human errors

(as in, "Oh, when I rebooted, I forgot that I was

rlogin'd to your machine!"). To quickly check for those

"innocent" situations, a couple of likely places to look

are:

/var/adm/sulog

to see if someone su'd to root just before the reboot, or

to look at the output of

last

to look for a remote login as root (the remote machine

might give you a clue as to who was the culprit).

Obviously, these logs can be tweaked by someone intent on

installing some kind of malware, but they're a quick way

of checking for inadvertent botches.

IT MGR

2006-04-10 11:36:02 UTC

I see you have checked the messages log, did you try viewing the syslog. It might be a hardware related problem, any indication of this would be present in the syslog.

more /var/adm/syslog

atif

2006-04-17 09:21:27 UTC

several possible reasons:

- run history, last commands to check who were connected at the time of reboot and which commands were executed

- no hints in /var/adm/messages indicate, it was either power break-down or the file was overwritten later to remove some messages?

- run /usr/platform/sun4u/sbin/prtdiag -v to check any system failures

- check cron entries, configuration files, binanies for any possible hijack attempt. also monitor network traffic through snoop, netstat etc

- check syslogs in /var/log; also try to increase logging levels (/etc/syslog.conf). it might be helpful in future in troubleshooting problems

mammi

2006-04-13 06:48:36 UTC

Pls have a look at the following sites:

http://www.sun.com/bigadmin/home/index.html

http://sunsolve.sun.com

cheers

2006-04-10 11:37:21 UTC

It has probably been "Hijacked" by a hacker.

ⓘ

This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.

about - legalese