Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

backtracking users 1

Status
Not open for further replies.
visvid

visvid

Technical User
Jun 3, 2002
131
GB
Hi wonder if anyone can help

I have been asked to investgate why one of our boxes crashed on the 6th August. I have checked the following

errpt -a

var/adm/cluster

/tmp/hacmp.out

I have tried to read the wtmp file by who wtmp | pg , but unsure how i can sort for a date, I have tried awk , but it did not work.

I have checked the /etc/failed/login , but I am sure it was on of our operators, so they root access , the .sh_history gives me zip, they have to login either with their loginid and securid or we have a generic login...( not good )


So I know the box crashed at 15:45 on 6 Aug , but i need to know who logged on before and what commands were issused.


Any ideas ?

ps great web-site
 
Sort by date Sort by votes
Hi

Is your Machine Crashed with a Dump ?
Check
sysdumpdev -L
to see the last written Dump to the Dump-Device.
Are there any core-files on this date. check with:
strings core ¦ grep =_
Did you have cleared yor Errorlog ? can you restore the errorlog file ?

you can lock at the following Commands. last root, lastlog, history.
Check also the sulog-file.
 
Upvote 0 Downvote
ok, i will investigate and come back
 
Upvote 0 Downvote
Try `last` command:

>last
user pts/0 host.com Aug 15 11:17 still logged in.
user pts/1 host.com Aug 15 11:16 - 11:17 (00:01)

Prints from most recent to oldest, you can awk or grep the output. IBM Certified -- AIX 4.3 Obfuscation
 
Upvote 0 Downvote
Hi!!
In may opinion, If you got HACMP environments in your boxs,
maybe crashed by DMS or DGSP not a user
If you want to know correctly symton, make an analysis of
your dump file.
sorry for bed english
thank & regards
 
Upvote 0 Downvote
Hi,

follwoing on to what risc6k has said ,
Did the services failover onto your other node sucessfully?
What is reported in your /tmp/hacmp.out /var/adm/cluster.log
at the time of the crash ?
 
Upvote 0 Downvote
sysdumpdev -L

Device name: /dev/hd7
Major device number: 10
Minor device number: 10
Size: 18153472 bytes
Date/Time: Tue 6 Aug 15:20:24 2002
Dump status: -3
dump crashed or did not start


Then did as you mentioned

strings core | grep 6 ( guess 6 as it was the date it crashed ? Nothing did return )

last root , guess I have been away to long, as the only dates are 19th/20 th Aug


Nothing in hacmp.out , from cluster.log it shows:

Aug 6 15:11:20 xxxxx clstrmgr[14428]: Folk fails.

Sorry by accident I emptied the last , instead of >> to file , any idea how to recover or do i need to restore from tape ?


Cheers

visivd

 
Upvote 0 Downvote
Hi

Make a FS /gugus
dd if=/dev/hd7 of=/gugus/dumpfile

You can Analyse the Dump with the Crash Command

crash /gugus/dumpfile
The Summcommands are in the IBM Redbook "Problem Determination"
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

macrun95
  • Locked
  • Question
Bypassing /etc/nologin for specific users
Replies
1
Views
129
AIXLogician
AIXLogician
Enfors
  • Locked
  • Question
Allow non-root user to administer users
Replies
2
Views
199
Enfors
Enfors
flpgdt
  • Locked
  • Question
ssh many users to one home
Replies
1
Views
64
juredd1
juredd1
holdahl
  • Locked
  • Question
copy /home and users
Replies
3
Views
90
holdahl
holdahl
trifo
  • Locked
  • Question
set up AIX audit on ALL users
Replies
1
Views
84
trifo
trifo

Part and Inventory Search

Sponsor

Back
Top