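The last command
Displays the login information stored in the wtmp file.
The last command cannot tell you why the system rebooted. It only shows the reboot records and whether each reboot was normal or abnormal.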
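- Column 1: the user name, or reboot, shutdown, or a runlevel change.
- Column 2: pts/0 means a user connected remotely, for example over SSH or telnet. tty (teletypewriter) means a user connected directly to the machine or locally. For a boot or reboot, this column shows system boot.
- Column 3: the login IP or the kernel. If you see :0.0 or nothing at all, the user connected through a local terminal.
- Column 4: start time (for last reboot, the time the system booted).
- Column 5: end time (still logged in: not logged out yet; down: until a normal shutdown; crash: until a forced shutdown). For last reboot, this is the time the system stopped.
- Column 6: duration.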
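Main command options
- -f file: specifies the record file. The default is /var/log/wtmp, but /var/log/btmp has richer content and can show remote logins such as SSH, including failed login requests.
- -a: shows the host name or IP address of the login in the last column.
- -i: shows the logins for the specified IP.
- -x: shows the history of system shutdowns and of user logins and logouts.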
```
ubuntu@lxd:~$ last
ubuntu   pts/0        192.192.192.6    Wed Jun 21 08:41   still logged in
ubuntu   pts/0        192.192.192.6    Thu Jun 15 13:11 - 13:27  (00:15)
ubuntu   pts/0        192.192.192.6    Wed Jun 14 09:59 - 14:02  (04:03)
ubuntu   pts/1        192.192.192.6    Thu Jun  1 15:52 - 17:29  (01:37)
ubuntu   pts/0        192.192.192.6    Thu Jun  1 11:28 - 17:17  (05:48)
ubuntu   pts/0        192.192.192.6    Thu May 25 10:20 - 17:09  (06:49)
reboot   system boot  5.15.0-72-generi Thu May 25 09:03   still running
ubuntu   pts/1        192.192.192.3    Thu May 18 10:59 - 11:00  (00:00)
ubuntu   pts/1        192.192.192.3    Thu May 18 10:27 - 10:35  (00:07)
ubuntu   pts/0        192.192.192.3    Thu May 18 10:25 - 15:28  (05:02)
ubuntu   pts/0        192.192.192.3    Wed May 17 13:13 - 15:46  (02:32)

ubuntu@lxd:~$ last -x
ubuntu   pts/0        192.192.192.6    Wed Jun 21 08:41   still logged in
ubuntu   pts/0        192.192.192.6    Thu Jun 15 13:11 - 13:27  (00:15)
ubuntu   pts/0        192.192.192.6    Wed Jun 14 09:59 - 14:02  (04:03)
ubuntu   pts/1        192.192.192.6    Thu Jun  1 15:52 - 17:29  (01:37)
ubuntu   pts/0        192.192.192.6    Thu Jun  1 11:28 - 17:17  (05:48)
ubuntu   pts/0        192.192.192.6    Thu May 25 10:20 - 17:09  (06:49)
runlevel (to lvl 5)   5.15.0-72-generi Thu May 25 09:04   still running
reboot   system boot  5.15.0-72-generi Thu May 25 09:03   still running
ubuntu   pts/1        192.192.192.3    Thu May 18 10:59 - 11:00  (00:00)
ubuntu   pts/1        192.192.192.3    Thu May 18 10:27 - 10:35  (00:07)
ubuntu   pts/0        192.192.192.3    Thu May 18 10:25 - 15:28  (05:02)
ubuntu   pts/0        192.192.192.3    Wed May 17 13:13 - 15:46  (02:32)

ubuntu@lxd:~$ last reboot -F
reboot   system boot  5.15.0-75-generi Wed Jun 21 08:48:02 2023   still running
reboot   system boot  5.15.0-72-generi Thu May 25 09:03:02 2023 - Wed Jun 21 08:47:41 2023 (26+23:44)
reboot   system boot  5.15.0-71-generi Mon May 15 11:17:09 2023 - Wed Jun 21 08:47:41 2023 (36+21:30)
reboot   system boot  5.15.0-71-generi Fri May 12 16:47:42 2023 - Wed Jun 21 08:47:41 2023 (39+15:59)
reboot   system boot  5.15.0-71-generi Fri Apr 28 16:46:18 2023 - Fri May 12 14:10:18 2023 (13+21:24)
reboot   system boot  5.15.0-71-generi Fri Apr 28 09:41:30 2023 - Fri Apr 28 16:45:59 2023  (07:04)
reboot   system boot  5.15.0-71-generi Fri Apr 28 09:20:40 2023 - Fri Apr 28 09:21:49 2023  (00:01)

[root@21cDB1 ~]
reboot   system boot  4.18.0-365.el8.x Fri May 19 13:10 (boot time)   still running (stop time)
If the stop time of a historical record is still running, the system rebooted unexpectedly, so the stop time was never written to the log.
reboot   system boot  4.18.0-365.el8.x Tue Mar 14 11:05 - 14:24 (59+03:18)
reboot   system boot  4.18.0-365.el8.x Mon Feb 20 13:01 - 09:55 (20+20:53)
reboot   system boot  4.18.0-365.el8.x Thu Oct 20 12:36 - 11:51 (122+23:14)
reboot   system boot  4.18.0-365.el8.x Fri Aug 26 16:00 - 12:37 (54+20:37)
reboot   system boot  4.18.0-365.el8.x Tue Aug  2 09:19 - 15:39 (24+06:19)
reboot   system boot  4.18.0-365.el8.x Fri Jul  1 09:12 - 18:04 (27+08:52)
```
Records of a normal reboot
RHEL8
```
[root@openvpn ~]
root     pts/0        192.192.192.3    Thu May 18 15:19 - 17:24  (02:04)
reboot   system boot  4.18.0-305.3.1.e Fri May 19 13:11 - 10:12 (328+21:01)
runlevel (to lvl 3)   4.18.0-305.3.1.e Fri May 19 13:11 - 10:12 (328+21:00)
root     tty1                          Sat Jun 17 12:37 - 10:12 (299+21:34)
root     pts/0        192.192.192.6    Mon Jul 10 09:05 - 09:05  (00:00)
root     pts/0        192.192.192.13   Fri Apr 12 10:11 - 10:12  (00:00)
shutdown system down  4.18.0-305.3.1.e Fri Apr 12 10:12 - 10:11  (-00:00)
reboot   system boot  4.18.0-305.3.1.e Fri Apr 12 10:11   still running
runlevel (to lvl 3)   4.18.0-305.3.1.e Fri Apr 12 10:11   still running
root     pts/0        192.192.192.13   Fri Apr 12 10:12   still logged in
[root@openvpn ~]
```
Reboot by pressing the power switch normally
```
root     pts/0        10.5.3.207       Tue Nov 22 11:29 - crash  (00:02)
reboot   system boot  3.10.0-1062.el7. Tue Nov 22 11:31 - 11:39  (00:08)
runlevel (to lvl 5)   3.10.0-1062.el7. Tue Nov 22 11:31 - 11:39  (00:08)
```
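Unexpected reboot
In most cases the records look like this (not caused by an operator or by a power loss; the system rebooted on its own):
```
reboot   system boot  3.10.0-1160.49.1 Tue Nov 22 02:27 - 13:52  (11:25)
runlevel (to lvl 5)   3.10.0-1160.49.1 Tue Nov 22 02:27 - 13:52  (11:24)
```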
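The three cases above can be told apart mechanically from `last -x` output. The following is an added example, not part of the original page: the function names and the sample records are constructed, and it assumes the input is in last's default newest-first order. The crash_sessions count is the number of sessions that were cut off by the outage before each boot.

```shell
#!/bin/sh
# Added example: label each boot in `last -x` output by how the previous
# uptime ended. Assumes last's default order (newest record first).
classify_boots() {
    awk '
        BEGIN { crashes = 0 }
        function emit(verdict) {
            print boot "\t" verdict "\tcrash_sessions=" crashes
            boot = ""; crashes = 0
        }
        $1 == "runlevel" || $1 == "wtmp" || NF == 0 { next }
        $1 == "reboot" {
            # Reached an older boot without passing a shutdown record: the
            # uptime between the two boots did not end with a clean shutdown.
            if (boot != "") emit("no-shutdown-record")
            boot = $5 " " $6 " " $7 " " $8
            next
        }
        $1 == "shutdown" { if (boot != "") emit("clean-shutdown"); next }
        # Sessions that were cut off by the outage are shown as "crash".
        boot != "" && / - crash/ { crashes++ }
        END { if (boot != "") emit("unknown-wtmp-start") }
    '
}

# Constructed sample records (hosts and kernel string are placeholders).
sample_last_x() {
cat <<'EOF'
root     pts/0        192.0.2.10       Tue Nov 22 14:05   still logged in
runlevel (to lvl 3)   4.18.0-example   Tue Nov 22 14:00   still running
reboot   system boot  4.18.0-example   Tue Nov 22 14:00   still running
root     pts/0        192.0.2.10       Tue Nov 22 13:40 - crash  (00:20)
runlevel (to lvl 3)   4.18.0-example   Tue Nov 22 11:31 - 14:00  (02:29)
reboot   system boot  4.18.0-example   Tue Nov 22 11:31 - 14:00  (02:29)
shutdown system down  4.18.0-example   Tue Nov 22 11:30 - 11:31  (00:00)
root     pts/0        192.0.2.10       Tue Nov 22 11:00 - down   (00:30)
runlevel (to lvl 3)   4.18.0-example   Mon Nov 21 09:00 - 11:30 (1+02:30)
reboot   system boot  4.18.0-example   Mon Nov 21 09:00 - 11:30 (1+02:30)

wtmp begins Mon Nov 21 09:00:00 2022
EOF
}

sample_last_x | classify_boots
```

On a live host the input would be `last -x | classify_boots`; the oldest boot is always reported as unknown-wtmp-start because the record before it has been rotated away.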
Checking the log /var/log/messages
Command:
If you have a UPS and run a daemon that monitors the power supply and shuts the system down, you should obviously check its logs as well (NUT logs to /var/log/messages, but apcupsd logs to /var/log/apcupsd*).
```
grep -iv ': starting\|kernel: .*: Power Button\|watching system buttons\|Stopped Cleaning Up\|Started Crash recovery kernel' \
  /var/log/messages /var/log/syslog /var/log/apcupsd* \
  | grep -iw 'recover[a-z]*\|power[a-z]*\|shut[a-z ]*down\|rsyslogd\|ups'
```
Example:
```
[root@rac01 log]
> /var/log/messages \
> | grep -iw 'recover[a-z]*\|power[a-z]*\|shut[a-z ]*down\|rsyslogd\|ups'
Apr  7 03:15:01 rac01 rsyslogd: [origin software="rsyslogd" swVersion="8.24.0-55.el7" x-pid="2035" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
Apr  8 03:41:04 rac01 rsyslogd: imjournal: journal reloaded... [v8.24.0-55.el7 try http://www.rsyslog.com/e/0 ]
Apr  9 02:57:03 rac01 rsyslogd: imjournal: journal reloaded... [v8.24.0-55.el7 try http://www.rsyslog.com/e/0 ]
Apr 11 22:47:41 rac01 kernel: sd 2:0:0:0: Power-on or device reset occurred
Apr 11 22:47:41 rac01 kernel: sd 3:0:0:1: Power-on or device reset occurred
Apr 11 22:47:41 rac01 kernel: sd 4:0:0:2: Power-on or device reset occurred
Apr 11 22:47:41 rac01 kernel: sd 5:0:0:3: Power-on or device reset occurred
Apr 11 22:47:41 rac01 kernel: sd 6:0:0:4: Power-on or device reset occurred
Apr 11 22:47:41 rac01 kernel: sd 7:0:0:5: Power-on or device reset occurred
Apr 11 22:47:41 rac01 kernel: sd 8:0:0:6: Power-on or device reset occurred
Apr 11 22:47:41 rac01 kernel: sd 9:0:0:7: Power-on or device reset occurred
Apr 11 22:47:41 rac01 kernel: sd 10:0:0:8: Power-on or device reset occurred
Apr 11 22:49:24 rac01 kernel: XFS (dm-0): Ending recovery (logdev: internal)
Apr 11 22:49:25 rac01 systemd: Started Cleaning Up and Shutting Down Daemons.
Apr 11 22:49:37 rac01 kernel: XFS (vda1): Ending recovery (logdev: internal)
Apr 11 22:49:40 rac01 systemd: Started Update UTMP about System Boot/Shutdown.
Apr 11 22:49:51 rac01 systemd: Started Logout off all iSCSI sessions on shutdown.
Apr 11 22:49:51 rac01 rsyslogd: [origin software="rsyslogd" swVersion="8.24.0-55.el7" x-pid="1851" x-info="http://www.rsyslog.com"] start
Apr 11 22:49:51 rac01 network: Shutting down interface eth0: [ OK ]
Apr 11 22:49:51 rac01 network: Shutting down interface eth1: [ OK ]
Apr 11 22:49:51 rac01 network: Shutting down loopback interface: [ OK ]
Apr 11 22:50:09 rac01 systemd: Started Daemon for power management.
Apr 11 22:50:21 rac01 journal: power: force power support: no
Apr 12 10:04:19 rac01 kernel: sd 2:0:0:0: Power-on or device reset occurred
Apr 12 10:04:19 rac01 kernel: sd 3:0:0:1: Power-on or device reset occurred
Apr 12 10:04:19 rac01 kernel: sd 4:0:0:2: Power-on or device reset occurred
Apr 12 10:04:19 rac01 kernel: sd 5:0:0:3: Power-on or device reset occurred
Apr 12 10:04:19 rac01 kernel: sd 6:0:0:4: Power-on or device reset occurred
Apr 12 10:04:19 rac01 kernel: sd 7:0:0:5: Power-on or device reset occurred
Apr 12 10:04:19 rac01 kernel: sd 8:0:0:6: Power-on or device reset occurred
Apr 12 10:04:19 rac01 kernel: sd 9:0:0:7: Power-on or device reset occurred
Apr 12 10:04:19 rac01 kernel: sd 10:0:0:8: Power-on or device reset occurred
Apr 12 10:04:25 rac01 kernel: XFS (dm-0): Ending recovery (logdev: internal)
Apr 12 10:04:25 rac01 systemd: Started Cleaning Up and Shutting Down Daemons.
Apr 12 10:04:28 rac01 kernel: XFS (vda1): Ending recovery (logdev: internal)
Apr 12 10:04:29 rac01 systemd: Started Update UTMP about System Boot/Shutdown.
Apr 12 10:04:37 rac01 systemd: Started Logout off all iSCSI sessions on shutdown.
Apr 12 10:04:38 rac01 rsyslogd: [origin software="rsyslogd" swVersion="8.24.0-55.el7" x-pid="2008" x-info="http://www.rsyslog.com"] start
Apr 12 10:04:44 rac01 systemd: Started Daemon for power management.
Apr 12 10:04:48 rac01 journal: power: force power support: no
[root@rac01 log]
```
When the power is cut unexpectedly or a hardware failure occurs, the file system cannot be unmounted cleanly, so log lines like the following may appear on the next boot:
```
[ 3.238424] IPVS: [rr] scheduler registered.
[ 3.475768] systemd-journald[479]: Received request to flush runtime journal from PID 1
[ 3.483416] systemd-journald[479]: File /var/log/journal/20200914151306980406746494236010/system.journal corrupted or uncleanly shut down, renaming and re
[ 3.483812] piix4_smbus 0000:00:01.3: SMBus Host Controller at 0x700, revision 0
```
When the system is powered off by pressing the power button, the following is logged:
```
systemd-logind: Power key pressed.
systemd-logind: Powering Off...
systemd-logind: System is powering down.
```
When the server shuts down normally, the following is logged:
```
rsyslogd: ... exiting on signal 15
```
When the system shuts down because the temperature is too high, the following is logged:
```
critical temperature reached...,shutting down
```
Kernel boot parameters
```
Apr 11 22:47:40 rac01 kernel: Kernel command line: BOOT_IMAGE=/vmlinuz-3.10.0-1160.el7.x86_64 root=/dev/mapper/centos-root ro crashkernel=auto spectre_v2=retpoline rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet LANG=en_US.UTF-8
```
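The signatures above can be correlated per boot instead of being read by eye. The following is an added example, not part of the original page: it uses the "Kernel command line:" line as the boot marker and reports which shutdown signature was logged before each boot. The function names and sample log lines are constructed, and it assumes one syslog file in chronological order.

```shell
#!/bin/sh
# Added example: for each boot in a syslog file, report which of the
# shutdown signatures listed above was logged before it.
boot_causes() {
    awk '
        function emit() {
            if (boot != "")
                print boot "\t" why "\t" (unclean ? "journal-unclean" : "journal-ok")
        }
        /Kernel command line:/ {                 # one per boot
            emit()
            boot = $1 " " $2 " " $3
            if (cause != "")      why = cause
            else if (nboots == 0) why = "unknown-log-start"
            else                  why = "no-shutdown-trace"
            nboots++; cause = ""; unclean = 0
            next
        }
        /systemd-logind.*Power key pressed/          { cause = "power-button"; next }
        tolower($0) ~ /critical temperature reached/ { cause = "thermal"; next }
        # Power-button and thermal shutdowns also stop rsyslogd, so keep the
        # more specific cause when one was already seen.
        /rsyslogd.*exiting on signal 15/ { if (cause == "") cause = "clean-shutdown"; next }
        # Logged after boot: the previous shutdown did not close the journal.
        /corrupted or uncleanly shut down/ { unclean = 1 }
        END { emit() }
    '
}

# Constructed sample lines in /var/log/messages format (host1 is a placeholder).
sample_messages() {
cat <<'EOF'
Apr 10 09:00:01 host1 kernel: Kernel command line: BOOT_IMAGE=/vmlinuz ro
Apr 10 18:00:00 host1 systemd-logind: Power key pressed.
Apr 10 18:00:00 host1 systemd-logind: Powering Off...
Apr 10 18:00:02 host1 rsyslogd: [origin software="rsyslogd"] exiting on signal 15.
Apr 11 08:30:00 host1 kernel: Kernel command line: BOOT_IMAGE=/vmlinuz ro
Apr 11 22:47:00 host1 crond: (root) CMD (run-parts /etc/cron.hourly)
Apr 11 22:49:40 host1 kernel: Kernel command line: BOOT_IMAGE=/vmlinuz ro
Apr 11 22:49:41 host1 systemd-journald[479]: File system.journal corrupted or uncleanly shut down
Apr 12 03:00:00 host1 rsyslogd: [origin software="rsyslogd"] exiting on signal 15.
Apr 12 03:01:00 host1 kernel: Kernel command line: BOOT_IMAGE=/vmlinuz ro
EOF
}

sample_messages | boot_causes
```

A boot reported as no-shutdown-trace together with journal-unclean is the pattern the page describes for an unexpected power loss or hardware failure.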
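Crash logs: /var/crash/
Log location:
Prerequisites:
kdump must be enabled. kdump is an advanced kexec-based kernel crash dump mechanism. When the system crashes, kdump uses kexec to boot into a second kernel. This second kernel, usually called the capture kernel, boots with very little memory and captures the dump image. The first kernel reserves part of its memory for booting the second kernel. Because kdump boots the capture kernel through kexec and bypasses the BIOS, the memory of the first kernel is preserved.
Looking at /etc/grub.conf shows crashkernel=auto.
The system defines crashkernel=auto as follows:
- If system memory is <= 8 GB, nothing is reserved for the kdump kernel; in other words, crashkernel=auto is equivalent to turning kdump off on the machine.
- If system memory is > 8 GB but <= 16 GB, crashkernel=auto reserves 256M, equivalent to crashkernel=256M.
- If system memory is > 16 GB, crashkernel=auto reserves 512M, equivalent to crashkernel=512M.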
Boot record
```
[root@rac01 log]
....
Apr 11 22:49:51 rac01 systemd: Starting Crash recovery kernel arming...
Apr 11 22:49:53 rac01 systemd: Started Crash recovery kernel arming.
....
```