How to check if someone switch off the machine ?

[wingcross]

Hello guys,

I had this one incident in the weekend, where a machine was shutdown, and caused the whole system to goes down as well.

I launch the last command and I got this list. can we deduce that someone use the main switch to switch the machine off wit the given list ?
Or can we check if someone issues the command shutdown -F or so on ?

Is there other ways to check ?
I need to investigate how the machine was shutdown.
I am a newbie to AIX. Grateful if someone could sheath some light here.

encina pts/1 du0a Nov 22 22:26 - 23:39 (01:12)
encina pts/0 cu0a Nov 22 22:25 - 22:40 (00:15)
root pts/0 du0a Nov 22 22:13 - 22:25 (00:11)
reboot ~ Nov 22 22:13
shutdown tty0 Nov 22 16:24
encina pts/0 cu0a Nov 22 16:19 - 16:20 (00:00)
root pts/0 mafa Nov 21 22:51 - 23:12 (00:21)
root pts/0 mafb Nov 19 19:10 - 09:33 (14:22)

 

[p5wizard]

You might want to try the error log:

[tt]errpt|more
errpt -a|more[/tt]

HTH,

p5wizard

 

[wingcross]

I got this
2BFA76F6 1122162409 T S SYSPROC SYSTEM SHUTDOWN BY USER

root@cua--/$ errpt -aj 2BFA76F6
---------------------------------------------------------------------------
LABEL: REBOOT_ID
IDENTIFIER: 2BFA76F6

Date/Time: Sun Nov 22 16:24:41
Sequence Number: 1261
Machine Id: 0005AF1F4C00
Node Id: cua
Class: S
Type: TEMP
Resource Name: SYSPROC

Description
SYSTEM SHUTDOWN BY USER

Probable Causes
SYSTEM SHUTDOWN

Detail Data
USER ID
0
0=SOFT IPL 1=HALT 2=TIME REBOOT
1
TIME TO REBOOT (FOR TIMED REBOOT ONLY)
0
root@cua--/$

I did some test on the testbed. With the command last, i dun think i can know whether the user switch off the machine or just issue the command shutdown -F.

 

[frenger]

Due tty0 issued the shutdown command you can be sure that the command was run on the local attaced console.
Errpt might tell you some more but information there is limited. There is a /etc/shutdown.log but that is only written when shutdown -l -<other optional Flags> is used. But even that log will not show you who was it ;-).

Cheers frenger

 

[wingcross]

Thanks guys,

I try to find this file shutdown.log but its not in the /etc.
The AIX version is 4.3.3. I guess maybe this version of AIX dun have the shutdown.log ?

 

[wingcross]

Frenger,
I also noticed, even if i manuall switch off the machine using the button, after reboot it, with command last, i can still see the tty0.

it shouldnt be tty0 then right since i use the button to off it. The machine is a 43P.

 

[frenger]

Sounds funny that your whole system depends on a single 43p?
Here some more forensic traces:
USER ID
0
0=SOFT IPL 1=HALT 2=TIME REBOOT
1
Means User was "root" and HALT means something like shutdown -Fr was done. If it were "0" a system dump would have been generated (soft ipl means dump force, normally by pressing the reset button, depends on the hardware what power switches are available).

Cheers frenger

 

[wingcross]

Frenger,

I did a test on a testbed 43P just now.

1st scenario : I press the button to off the machine.
2nd scenario : I issue shutdown -F.

but if you noticed, even with different method, both method still considered as HALT.

I appreciate your help. I could understand more.

Below is the results.

2BFA76F6 1125144309 T S SYSPROC SYSTEM SHUTDOWN BY USER
2BFA76F6 1125140609 T S SYSPROC SYSTEM SHUTDOWN BY USER

dbm0-root /etc> last | head -10
reboot ~ Nov 25 14:49
shutdown tty0 Nov 25 14:43
root pts/0 168.68.68.13 Nov 25 14:43 - 14:43 (00:00)
reboot ~ Nov 25 14:18
shutdown tty0 Nov 25 14:06
root pts/2 168.68.68.13 Nov 25 14:04 - 14:04 (00:00)
root ftp PC_13 Nov 25 13:26 - 13:41 (00:15)
root pts/2 168.68.68.13 Nov 25 12:32 - 14:04 (01:31)
root pts/3 PC_13 Nov 25 12:28 - 12:28 (00:00)
root pts/2 168.68.68.13 Nov 25 11:05 - 12:32 (01:27)


LABEL: REBOOT_ID
IDENTIFIER: 2BFA76F6


Date/Time: Wed Nov 25 14:43:44
Sequence Number: 3343
Machine Id: 009254E74C00
Node Id: dbm0
Class: S
Type: TEMP
Resource Name: SYSPROC


Description
SYSTEM SHUTDOWN BY USER


Probable Causes
SYSTEM SHUTDOWN


Detail Data
USER ID
0
0=SOFT IPL 1=HALT 2=TIME REBOOT
1
TIME TO REBOOT (FOR TIMED REBOOT ONLY)
0

------------------------------------------------------------------------------



LABEL: REBOOT_ID
IDENTIFIER: 2BFA76F6
Date/Time: Wed Nov 25 14:06:55
Sequence Number: 3323
Machine Id: 009254E74C00
Node Id: dbm0
Class: S
Type: TEMP
Resource Name: SYSPROC



Description
SYSTEM SHUTDOWN BY USER

Probable Causes
SYSTEM SHUTDOWN

Detail Data

USER ID
0
0=SOFT IPL 1=HALT 2=TIME REBOOT
1
TIME TO REBOOT (FOR TIMED REBOOT ONLY)
0

 

[MoreFeo]

You can search in .sh_history, to see if command shutdown was issued.