当前位置:首页 > 玩机 > 正文内容

linux 查看关机记录

adminis8个月前 (02-21)玩机3370

1. 使用last命令

查看重启记录
[root@localhost ~]# last | grep reboot
查看关机记录
[root@localhost ~]# last | grep shutdown

linux系统中last命令的用法

1.1 作用

linux系统中last命令的作用是显示近期用户或终端的登录情况,它的使用权限是所有用户。通过last命令查看该程序的log,管理员可以获知谁曾经或企图连接系统。

1.2 格式

last [-R] [-n][-f file][-t tty] [-h 节点][-I -IP][-1][-y][ID]

主要参数
-R: 省略 hostname 的栏位
-n:指定输出记录的条数。
-f file:指定用文件file作为查询用的log文件。
-t tty:只显示指定的虚拟控制台上登录情况。
-h 节点:只显示指定的节点上的登录情况。
-i IP:只显示指定的IP上登录的情况。
-1:用IP来显示远端地址。
-y:显示记录的年、月、日。
-ID:知道查询的用户名。
-x:显示系统关闭、用户登录和退出的历史。

示例:

[root@localhost ~]#last -R -2
user3 pts/1 Mon Aug 14 20:42 still logged in
user3 pts/0 Mon Aug 14 19:59 still logged in
wtmp begins Tue Aug 1 19:01:10 2007 ### /var/log/wtmp


[root@localhost ~]#last -2 user1
user1 pts/0 140.119.217.115 Mon Aug 14 18:37 - 18:40 (00:03)
user1 pts/0 140.119.217.115 Mon Aug 14 17:22 - 17:24 (00:02)
wtmp begins Tue Aug 1 19:01:10 2007

注意:
/var/log/wtmp
wtmpp文件是二进制文件,该日志文件永久记录每个用户登录、注销及系统的启动、停机的事件。因此随着系统正常运行时间的增加,该文件的大小也会越来越大,增加的速度取决于系统用户登录的次数。该日志文件可以用来查看用户的登录记录,last命令就通过访问这个文件获得这些信息,并以反序从后向前显示用户的登录记录,last也能根据用户、终端 tty或时间显示相应的记录

2.查看/var/log/messages日志

查看reboot (系统重启)
[root@localhost ~]# grep reboot /var/log/messages

查看halt(系统关机)记录
[root@localhost ~]# grep halt /var/log/messages

3. 使用Uptime命令查看

[root@localhost ~]# uptime
23:44:20 up 56 min, 2 users, load average: 0.04, 0.01, 0.00
Uptime显示了系统当前时间23:44:20,运行时间56 min,当前用户连接数为2,系统的负载。

4.使用w命令查看

[root@localhost ~]# w
 23:46:21 up 58 min,  2 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/1    192.168.56.101   22:54   12:25   0.04s  0.04s -bash
root     pts/2    192.168.56.101   23:33    0.00s  0.13s  0.00s w

w比uptime显示的信息更加丰富了,除了显示了uptime的信息外,还显示了下列的信息:
user:显示登录的用户账号
TTY:用户登录所用的终端
FROM:显示用户在何处登录系统
Login@:显示何时登录系统
IDLE:表示用户空闲时间,从用户上一次任何结束后开始计时
JCPU : 终端代号来区分,表示在摸段时间内,所有与该终端相关的进程所消耗的cpu时间
PCPU:指what域的任务执行后消耗的cpu时间
What:表示当前执行的任务

5.使用who命令查看

[root@dg01 ~]# who
root     pts/1        2014-05-29 22:54 (192.168.56.101)
root     pts/2        2014-05-29 23:33 (192.168.56.101)

who显示登录系统的用户,输出的信息没有w全

6. 系统重启和关闭对应系统的后台日志输出信息

正常reboot时系统日志信息如下:

[root@localhost log]# reboot
[root@localhost log]# cd /var/log
[root@localhost log]# `less messages

May 29 22:47:08 localhost shutdown[3829]: shutting down for system reboot 
May 29 22:47:09 localhost smartd[3370]: smartd received signal 15: Terminated 
May 29 22:47:09 localhost smartd[3370]: smartd is exiting (exit status 0) 
May 29 22:47:09 localhost avahi-daemon[3298]: Got SIGTERM, quitting.
May 29 22:47:09 localhost avahi-daemon[3298]: Leaving mDNS multicast group on interface bond0.IPv6 with address fe80::a00:27ff:fea5:4e59.
May 29 22:47:09 localhost avahi-daemon[3298]: Leaving mDNS multicast group on interface bond0.IPv4 with address 192.168.56.110.
May 29 22:47:11 localhost xinetd[2957]: Exiting...
May 29 22:47:15 localhost hcid[2721]: Got disconnected from the system message bus
May 29 22:47:15 localhost multipathd: mpath1: stop event checker thread (1086806336) 
May 29 22:47:15 localhost multipathd: --------shut down------- 
May 29 22:47:16 localhost auditd[2538]: The audit daemon is exiting.
May 29 22:47:16 localhost kernel: type=1305 audit(1401418036.445:75): audit_pid=0 old=2538 auid=4294967295 ses=4294967295 res=1
May 29 22:47:16 localhost pcscd: pcscdaemon.c:572:signal_trap() Preparing for suicide
May 29 22:47:17 localhost pcscd: hotplug_libusb.c:376:HPRescanUsbBus() Hotplug stopped
May 29 22:47:17 localhost pcscd: readerfactory.c:1379:RFCleanupReaders() entering cleaning function
May 29 22:47:17 localhost pcscd: pcscdaemon.c:532:at_exit() cleaning /var/run
May 29 22:47:17 localhost kernel: Kernel logging (proc) stopped.
May 29 22:47:17 localhost kernel: Kernel log daemon terminating.
May 29 22:47:18 localhost exiting on signal 15

上面这部分是关于系统正常关闭的日志,看见很清晰的一行:

May 29 22:47:08 dg01 shutdown[3829]: shutting down for system reboot

May 29 22:48:34 dg01 syslogd 1.4.1: restart.
May 29 22:48:34 dg01 kernel: klogd 1.4.1, log source = /proc/kmsg started.
May 29 22:48:34 dg01 kernel: Initializing cgroup subsys cpuset
May 29 22:48:34 dg01 kernel: Initializing cgroup subsys cpu
May 29 22:48:34 dg01 kernel: Linux version 2.6.32-300.10.1.el5uek (mockbuild@ca-build56.us.oracle.com) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-50)) #1 SMP Wed Feb 22 17:37:40 EST 2012
May 29 22:48:34 dg01 kernel: Command line: ro root=LABEL=/ rhgb quiet
May 29 22:48:34 dg01 kernel: KERNEL supported cpus:
May 29 22:48:34 dg01 kernel:   Intel GenuineIntel
May 29 22:48:34 dg01 kernel:   AMD AuthenticAMD
May 29 22:48:34 dg01 kernel:   Centaur CentaurHauls
May 29 22:48:34 dg01 kernel: BIOS-provided physical RAM map:

上面这部分是启动正常重启的日志

shutdown -h now时输入信息如下:
[root@localhost log] shutdown -h now
重启开机后:

[root@localhost log]# cd /var/log
[root@localhost log]# less messages
May 29 23:53:45 localhost syslogd 1.4.1: restart.
May 30 04:02:29 localhost shutdown[7138]: shutting down for system halt
May 30 04:02:31 localhostsmartd[3338]: smartd received signal 15: Terminated 
May 30 04:02:31 localhost smartd[3338]: smartd is exiting (exit status 0) 
May 30 04:02:31 localhost avahi-daemon[3266]: Got SIGTERM, quitting.
May 30 04:02:31 localhost avahi-daemon[3266]: Leaving mDNS multicast group on interface bond0.IPv6 with address fe80::a00:27ff:fea5:4e59.
May 30 04:02:31 localhost avahi-daemon[3266]: Leaving mDNS multicast group on interface bond0.IPv4 with address 192.168.56.110.
May 30 04:02:33 localhost xinetd[2925]: Exiting...
May 30 04:02:37 localhost hcid[2689]: Got disconnected from the system message bus
May 30 04:02:37 localhost multipathd: mpath1: stop event checker thread (1075239232) 
May 30 04:02:37 localhost multipathd: --------shut down------- 
May 30 04:02:38 localhost auditd[2506]: The audit daemon is exiting.
May 30 04:02:38 localhost kernel: type=1305 audit(1401436958.027:326): audit_pid=0 old=2506 auid=4294967295 ses=4294967295 res=1
May 30 04:02:38 localhost pcscd: pcscdaemon.c:572:signal_trap() Preparing for suicide
May 30 04:02:38 localhost pcscd: hotplug_libusb.c:376:HPRescanUsbBus() Hotplug stopped
May 30 04:02:39 localhost pcscd: readerfactory.c:1379:RFCleanupReaders() entering cleaning function
May 30 04:02:39 localhost pcscd: pcscdaemon.c:532:at_exit() cleaning /var/run
May 30 04:02:39 localhost kernel: Kernel logging (proc) stopped.
May 30 04:02:39 localhost kernel: Kernel log daemon terminating.
May 30 04:02:40 localhost exiting on signal 15

其中
May 30 04:02:29 localhost shutdown[7138]: shutting down for system halt
表示是正常关机

而如果意外关机,输入日志中看不到正常关闭系统的信息,比如如下的日志信息:

May 25 04:03:02 APPServer4 syslogd 1.4.1: restart.
May 26 13:26:04 APPServer4 auditd[2985]: Audit daemon rotating log files
May 29 01:50:34 APPServer4 auditd[2985]: Audit daemon rotating log files
May 29 23:07:01 APPServer4 syslogd 1.4.1: restart.
May 29 23:07:01 APPServer4 kernel: klogd 1.4.1, log source = /proc/kmsg started.
May 29 23:07:01 APPServer4 kernel: Linux version 2.6.18-194.el5 (mockbuild@builder10.centos.org) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-48)) #1 SMP Fri Apr 2 14:58:14 EDT 2010
May 29 23:07:01 APPServer4 kernel: Command line: ro root=LABEL=/ rhgb quiet
May 29 23:07:01 APPServer4 kernel: BIOS-provided physical RAM map:
May 29 23:07:01 APPServer4 kernel:  BIOS-e820: 0000000000010000 - 000000000009bc00 (usable)
May 29 23:07:01 APPServer4 kernel:  BIOS-e820: 000000000009bc00 - 00000000000a0000 (reserved)
May 29 23:07:01 APPServer4 kernel:  BIOS-e820: 00000000000e0000 - 0000000000100000 (reserved)
May 29 23:07:01 APPServer4 kernel:  BIOS-e820: 0000000000100000 - 00000000cff4b480 (usable)
May 29 23:07:01 APPServer4 kernel:  BIOS-e820: 00000000cff4b480 - 00000000cff57b40 (ACPI data)
May 29 23:07:01 APPServer4 kernel:  BIOS-e820: 00000000cff57b40 - 00000000e0000000 (reserved)
May 29 23:07:01 APPServer4 kernel:  BIOS-e820: 00000000fec00000 - 0000000100000000 (reserved)
May 29 23:07:01 APPServer4 kernel:  BIOS-e820: 0000000100000000 - 00000003b0000000 (usable)
May 29 23:07:01 APPServer4 kernel: DMI 2.4 present.

只能看到内核重启记录:
May 29 23:07:01 APPServer4 kernel: klogd 1.4.1, log source = /proc/kmsg started.
但是之前并没有输出任何正常关机的命令,这个就需要我们配合硬件日志来进行捕捉系统宕机原因了。

7. 查看计划任务

留意有没有与关机重启有关的计划
[root@localhost ~]# crontab -l

8.查看历史命令

留意用户曾经执行过的命令
[root@localhost ~]# history

有道云笔记 https://note.youdao.com/ynoteshare1/index.html?id=7c1a78c6ca6a4299770f1c3ba6b77046&type=note#/

第1条随机版权

扫描二维码推送至手机访问。

版权声明:本文由TranBon博客发布,如需转载请注明出处。

本文链接:http://bk.tranbon.com/?id=277

相关文章

Proxmox VE 子机被锁定、进行解锁

Proxmox VE 子机被锁定、进行解锁

Proxmox VE 子机被锁定如:备份、迁移 失败后,被锁定的解决方法如下: 如:子机ID为:166 开机、重启、关机、重置、回滚快照 提示:VM is locked (backup) (500)...

Linux日常使用工具

一:CentOS系统换硬盘,原封不动迁移数据,需要停止业务:这种操作,5400转的硬盘一般速度为20M/s,dd命令,是复制整个硬盘的大小,与客户数据多少无关这种操作我们一般不建议使用,因为时间很长,...

cnetos系统mysql配置my.cnf文件,跳过密码认证登录并设置远程登录(不一定有效)

cnetos系统mysql配置my.cnf文件,跳过密码认证登录并设置远程登录(不一定有效)

cnetos手动安装mysql没有my.cnf配置文件时, 1.可以从其它服务器把my.cnf文件拷贝到需要的服务器上,2.可以touch创建my.cnf文件 这边是直接使用touch命令my.c...

发表评论

访客

◎欢迎参与讨论,请在这里发表您的看法和观点。