linux 查看关机记录
1. 使用last命令
查看重启记录
[root@localhost ~]# last | grep reboot
查看关机记录
[root@localhost ~]# last | grep shutdown
1.1 作用
linux系统中last命令的作用是显示近期用户或终端的登录情况,它的使用权限是所有用户。通过last命令查看该程序的log,管理员可以获知谁曾经或企图连接系统。
1.2 格式
last [-R] [-n][-f file][-t tty] [-h 节点][-I -IP][-1][-y][ID]
主要参数
-R: 省略 hostname 的栏位
-n:指定输出记录的条数。
-f file:指定用文件file作为查询用的log文件。
-t tty:只显示指定的虚拟控制台上登录情况。
-h 节点:只显示指定的节点上的登录情况。
-i IP:只显示指定的IP上登录的情况。
-1:用IP来显示远端地址。
-y:显示记录的年、月、日。
-ID:知道查询的用户名。
-x:显示系统关闭、用户登录和退出的历史。
示例: [root@localhost ~]#last -R -2 user3 pts/1 Mon Aug 14 20:42 still logged in user3 pts/0 Mon Aug 14 19:59 still logged in wtmp begins Tue Aug 1 19:01:10 2007 ### /var/log/wtmp [root@localhost ~]#last -2 user1 user1 pts/0 140.119.217.115 Mon Aug 14 18:37 - 18:40 (00:03) user1 pts/0 140.119.217.115 Mon Aug 14 17:22 - 17:24 (00:02) wtmp begins Tue Aug 1 19:01:10 2007
注意:
/var/log/wtmp
wtmpp文件是二进制文件,该日志文件永久记录每个用户登录、注销及系统的启动、停机的事件。因此随着系统正常运行时间的增加,该文件的大小也会越来越大,增加的速度取决于系统用户登录的次数。该日志文件可以用来查看用户的登录记录,last命令就通过访问这个文件获得这些信息,并以反序从后向前显示用户的登录记录,last也能根据用户、终端 tty或时间显示相应的记录
2.查看/var/log/messages日志
查看reboot (系统重启)
[root@localhost ~]# grep reboot /var/log/messages
查看halt(系统关机)记录
[root@localhost ~]# grep halt /var/log/messages
3. 使用Uptime命令查看
[root@localhost ~]# uptime
23:44:20 up 56 min, 2 users, load average: 0.04, 0.01, 0.00
Uptime显示了系统当前时间23:44:20,运行时间56 min,当前用户连接数为2,系统的负载。
4.使用w命令查看
[root@localhost ~]# w 23:46:21 up 58 min, 2 users, load average: 0.00, 0.00, 0.00 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT root pts/1 192.168.56.101 22:54 12:25 0.04s 0.04s -bash root pts/2 192.168.56.101 23:33 0.00s 0.13s 0.00s w
w比uptime显示的信息更加丰富了,除了显示了uptime的信息外,还显示了下列的信息:
user:显示登录的用户账号
TTY:用户登录所用的终端
FROM:显示用户在何处登录系统
Login@:显示何时登录系统
IDLE:表示用户空闲时间,从用户上一次任何结束后开始计时
JCPU : 终端代号来区分,表示在摸段时间内,所有与该终端相关的进程所消耗的cpu时间
PCPU:指what域的任务执行后消耗的cpu时间
What:表示当前执行的任务
5.使用who命令查看
[root@dg01 ~]# who root pts/1 2014-05-29 22:54 (192.168.56.101) root pts/2 2014-05-29 23:33 (192.168.56.101)
who显示登录系统的用户,输出的信息没有w全
6. 系统重启和关闭对应系统的后台日志输出信息
正常reboot时系统日志信息如下:
[root@localhost log]# reboot
[root@localhost log]# cd /var/log
[root@localhost log]# `less messages
May 29 22:47:08 localhost shutdown[3829]: shutting down for system reboot May 29 22:47:09 localhost smartd[3370]: smartd received signal 15: Terminated May 29 22:47:09 localhost smartd[3370]: smartd is exiting (exit status 0) May 29 22:47:09 localhost avahi-daemon[3298]: Got SIGTERM, quitting. May 29 22:47:09 localhost avahi-daemon[3298]: Leaving mDNS multicast group on interface bond0.IPv6 with address fe80::a00:27ff:fea5:4e59. May 29 22:47:09 localhost avahi-daemon[3298]: Leaving mDNS multicast group on interface bond0.IPv4 with address 192.168.56.110. May 29 22:47:11 localhost xinetd[2957]: Exiting... May 29 22:47:15 localhost hcid[2721]: Got disconnected from the system message bus May 29 22:47:15 localhost multipathd: mpath1: stop event checker thread (1086806336) May 29 22:47:15 localhost multipathd: --------shut down------- May 29 22:47:16 localhost auditd[2538]: The audit daemon is exiting. May 29 22:47:16 localhost kernel: type=1305 audit(1401418036.445:75): audit_pid=0 old=2538 auid=4294967295 ses=4294967295 res=1 May 29 22:47:16 localhost pcscd: pcscdaemon.c:572:signal_trap() Preparing for suicide May 29 22:47:17 localhost pcscd: hotplug_libusb.c:376:HPRescanUsbBus() Hotplug stopped May 29 22:47:17 localhost pcscd: readerfactory.c:1379:RFCleanupReaders() entering cleaning function May 29 22:47:17 localhost pcscd: pcscdaemon.c:532:at_exit() cleaning /var/run May 29 22:47:17 localhost kernel: Kernel logging (proc) stopped. May 29 22:47:17 localhost kernel: Kernel log daemon terminating. May 29 22:47:18 localhost exiting on signal 15
上面这部分是关于系统正常关闭的日志,看见很清晰的一行:
May 29 22:47:08 dg01 shutdown[3829]: shutting down for system reboot May 29 22:48:34 dg01 syslogd 1.4.1: restart. May 29 22:48:34 dg01 kernel: klogd 1.4.1, log source = /proc/kmsg started. May 29 22:48:34 dg01 kernel: Initializing cgroup subsys cpuset May 29 22:48:34 dg01 kernel: Initializing cgroup subsys cpu May 29 22:48:34 dg01 kernel: Linux version 2.6.32-300.10.1.el5uek ([email protected]) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-50)) #1 SMP Wed Feb 22 17:37:40 EST 2012 May 29 22:48:34 dg01 kernel: Command line: ro root=LABEL=/ rhgb quiet May 29 22:48:34 dg01 kernel: KERNEL supported cpus: May 29 22:48:34 dg01 kernel: Intel GenuineIntel May 29 22:48:34 dg01 kernel: AMD AuthenticAMD May 29 22:48:34 dg01 kernel: Centaur CentaurHauls May 29 22:48:34 dg01 kernel: BIOS-provided physical RAM map:
上面这部分是启动正常重启的日志
shutdown -h now时输入信息如下:
[root@localhost log] shutdown -h now
重启开机后:
[root@localhost log]# cd /var/log [root@localhost log]# less messages May 29 23:53:45 localhost syslogd 1.4.1: restart. May 30 04:02:29 localhost shutdown[7138]: shutting down for system halt May 30 04:02:31 localhostsmartd[3338]: smartd received signal 15: Terminated May 30 04:02:31 localhost smartd[3338]: smartd is exiting (exit status 0) May 30 04:02:31 localhost avahi-daemon[3266]: Got SIGTERM, quitting. May 30 04:02:31 localhost avahi-daemon[3266]: Leaving mDNS multicast group on interface bond0.IPv6 with address fe80::a00:27ff:fea5:4e59. May 30 04:02:31 localhost avahi-daemon[3266]: Leaving mDNS multicast group on interface bond0.IPv4 with address 192.168.56.110. May 30 04:02:33 localhost xinetd[2925]: Exiting... May 30 04:02:37 localhost hcid[2689]: Got disconnected from the system message bus May 30 04:02:37 localhost multipathd: mpath1: stop event checker thread (1075239232) May 30 04:02:37 localhost multipathd: --------shut down------- May 30 04:02:38 localhost auditd[2506]: The audit daemon is exiting. May 30 04:02:38 localhost kernel: type=1305 audit(1401436958.027:326): audit_pid=0 old=2506 auid=4294967295 ses=4294967295 res=1 May 30 04:02:38 localhost pcscd: pcscdaemon.c:572:signal_trap() Preparing for suicide May 30 04:02:38 localhost pcscd: hotplug_libusb.c:376:HPRescanUsbBus() Hotplug stopped May 30 04:02:39 localhost pcscd: readerfactory.c:1379:RFCleanupReaders() entering cleaning function May 30 04:02:39 localhost pcscd: pcscdaemon.c:532:at_exit() cleaning /var/run May 30 04:02:39 localhost kernel: Kernel logging (proc) stopped. May 30 04:02:39 localhost kernel: Kernel log daemon terminating. May 30 04:02:40 localhost exiting on signal 15
其中May 30 04:02:29 localhost shutdown[7138]: shutting down for system halt
表示是正常关机
而如果意外关机,输入日志中看不到正常关闭系统的信息,比如如下的日志信息:
May 25 04:03:02 APPServer4 syslogd 1.4.1: restart. May 26 13:26:04 APPServer4 auditd[2985]: Audit daemon rotating log files May 29 01:50:34 APPServer4 auditd[2985]: Audit daemon rotating log files May 29 23:07:01 APPServer4 syslogd 1.4.1: restart. May 29 23:07:01 APPServer4 kernel: klogd 1.4.1, log source = /proc/kmsg started. May 29 23:07:01 APPServer4 kernel: Linux version 2.6.18-194.el5 (mockbuild@builder10.Centos.org) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-48)) #1 SMP Fri Apr 2 14:58:14 EDT 2010 May 29 23:07:01 APPServer4 kernel: Command line: ro root=LABEL=/ rhgb quiet May 29 23:07:01 APPServer4 kernel: BIOS-provided physical RAM map: May 29 23:07:01 APPServer4 kernel: BIOS-e820: 0000000000010000 - 000000000009bc00 (usable) May 29 23:07:01 APPServer4 kernel: BIOS-e820: 000000000009bc00 - 00000000000a0000 (reserved) May 29 23:07:01 APPServer4 kernel: BIOS-e820: 00000000000e0000 - 0000000000100000 (reserved) May 29 23:07:01 APPServer4 kernel: BIOS-e820: 0000000000100000 - 00000000cff4b480 (usable) May 29 23:07:01 APPServer4 kernel: BIOS-e820: 00000000cff4b480 - 00000000cff57b40 (ACPI data) May 29 23:07:01 APPServer4 kernel: BIOS-e820: 00000000cff57b40 - 00000000e0000000 (reserved) May 29 23:07:01 APPServer4 kernel: BIOS-e820: 00000000fec00000 - 0000000100000000 (reserved) May 29 23:07:01 APPServer4 kernel: BIOS-e820: 0000000100000000 - 00000003b0000000 (usable) May 29 23:07:01 APPServer4 kernel: DMI 2.4 present.
只能看到内核重启记录:May 29 23:07:01 APPServer4 kernel: klogd 1.4.1, log source = /proc/kmsg started.
但是之前并没有输出任何正常关机的命令,这个就需要我们配合硬件日志来进行捕捉系统宕机原因了。
7. 查看计划任务
留意有没有与关机重启有关的计划
[root@localhost ~]# crontab -l
8.查看历史命令
留意用户曾经执行过的命令
[root@localhost ~]# history
有道云笔记 https://note.youdao.com/ynoteshare/index.html?id=7c1a78c6ca6a4299770f1c3ba6b77046
