Mystical Server Shutdown.

Grant Peel gpeel at thenetnow.com
Fri Sep 19 00:52:51 UTC 2008 

Hi H, and Matt, and all,

I had instigated all.log, and here is what happened at 04:08 EDT this 
morning...any clues you see here?

...
Sep 18 04:04:08 defiant named[601]: unexpected RCODE (SERVFAIL) resolving 
'examplewhole.com/NS/IN': 192.168.0.3#53
Sep 18 04:08:14 defiant syslogd: restart
Sep 18 04:08:14 defiant syslogd: kernel boot file is /boot/kernel/kernel
Sep 18 04:08:14 defiant kernel: Copyright (c) 1992-2007 The FreeBSD Project.
...

Lastlog shows nothing of note...


mssclien         ftp      bas7-london14-1  Thu Sep 18 08:58 - 09:04  (00:05)
reboot           ~                         Thu Sep 18 04:08
ringette         ftp      CPE001310e9a482  Thu Sep 18 00:10 - 00:11  (00:00)

-Grant






----- Original Message ----- 
From: "H.fazaeli" <fazaeli at sepehrs.com>
To: "Grant Peel" <gpeel at thenetnow.com>
Cc: <freebsd-questions at freebsd.org>
Sent: Thursday, September 18, 2008 5:31 AM
Subject: Re: Mystical Server Shutdown.


>
> If you applied all the Matthew's suggestions and it is still a
> mystery, and if server's shutdown is clean, look for a
> a (buggy) user land process that sends SIGUSR2 signal
> to init(1).
>
>
> Matthew Seaman wrote:
>> Grant Peel wrote:
>>> Hi all,
>>>
>>> I started getting watchmouse errors about on pf my servers not 
>>> responding. There is a DRAC on the machine, and the sensor data was all 
>>> good. When I got the machine back up and running, I seen this in 
>>> lastlog:
>>>
>>> client1         ftp      hostname1here  Wed Sep 17 17:02 - shutdown 
>>> (00:46)
>>> client2         ftp      hostname2here  Wed Sep 17 17:02 - shutdown 
>>> (00:46)
>>> client2         ftp      hostname2here  Wed Sep 17 17:02 - shutdown 
>>> (00:46)
>>> client3         ftp      hostname3here  Wed Sep 17 17:01 - 17:06 
>>> (00:04)
>>>
>>>
>>> Should I be worried about seeing 'shutdown' in an ftp line of last?
>>
>> That just means the ftp user was still logged in at the time the
>> system shut down.
>>
>>> If not, how would you suggest I find the process or program that issued 
>>> the shutdown command?
>>
>> Read the system logs, basically.  /var/log/messages or /var/log/all.log
>> (if you've enabled it).  The shutdown(8) command will always write
>> syslog messages when invoked.  halt(8) or reboot(8) will write a 
>> 'shutdown'
>> record into wtmp (ie. look at 'last shutdown') but don't log anything
>> to syslog.
>>
>> However, you're quite likely to find that there is nothing in the log
>> or wtmp files to explain what happened.  All this means is that the
>> system went down suddenly -- perhaps power dropped out momentarily, or
>> a thermal cutout tripped or the system panic'd for one of any number of 
>> reasons.  You'ld be able to detect log file traces showing fsck(8)
>> being run on the root f/s following any of those sort of unclean 
>> shutdowns, and if the system panic'd then you may well have a core dump 
>> sitting in /var/db/crash -- depends whether you've enabled that 
>> functionality or not.
>>
>>     Cheers,
>>
>>     Matthew
>>
>
> -- 
>
>
> Best regards.
>
> Hooman Fazaeli <hf at sepehrs.com>
> Sepehr S. T. Co. Ltd.
>
> Web: http://www.sepehrs.com
> Tel: (9821)88975701-2
> Fax: (9821)88983352
>
>
>
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to 
> "freebsd-questions-unsubscribe at freebsd.org"
>
>

More information about the freebsd-questions mailing list