
Re: What in /var/logs shows system reboot?




On Mon, Jan 23, 2017 at 4:04 PM, Joe <joe@jretrading.com> wrote:
> On Mon, 23 Jan 2017 14:28:33 -0400
> francis picabia <fpicabia@gmail.com> wrote:
>
> > On Mon, Jan 23, 2017 at 2:18 PM, Greg Wooledge <wooledg@eeg.ccf.org>
> > wrote:
> >
> > > On Mon, Jan 23, 2017 at 02:12:04PM -0400, francis picabia wrote:
> > > > I'm running Debian 8.6, and looking at old logs.  I'd like to
> > > > confirm when the system was rebooted to invoke the newer kernel
> > > > which fixed the Dirty COW bug.
> > >
> > > last | grep boot
> > >
> > > or, apparently (according to the man page):
> > >
> > > last reboot
> > >
> > > > If I have a complete
> > > > copy of my /var/log from last October,
> > >
> > > Urghhh.  So it's not on a live system?  It's on a chrooted disk
> > > image? Then I think you need to use:
> > >
> > > last -f /some/path/wtmp reboot
> > >
> > > where /some/path/wtmp is the location of your chrooted disk image's
> > > wtmp file.
> > >
> > >
> > I think I said I already tried that.  There are no results from last
> > pointed to any recovered wtmp file.  It is a recovery of /var/log
> > from backup tape.
> >
> > I even have psacct on that system.  A command like
> > lastcomm -f pacct | grep boot
> > is returning nothing.
>
> How about grep -R debian-kernel /var/log/*
>
> On my system (on a workstation) it returns the last dozen boots
> from /var/log/kernel.log.1 and /var/log/messages.1.
>
> You'll need recent logs after the reboot, as logrotate is in action
> here. In the old days, dmesg.N would have stored several reboots, not on
> a time basis.

Yes, that is what I remember.  On a system up for 60 days since
the last reboot, there is nothing to go by these days, at least
with the default logrotate settings.

Thanks for the explanation on the journal files.  I might try that.

Here is the exercise anyone reading can try:

Prove to yourself exactly when you rebooted your Debian system(s)
to ensure you were safe against dirty cow.



> Going back further than logrotate, it is (still) possible to pull small
> strings out of systemd journal files, but without timestamps, because
> that's the bit journald handles.
>
> Using strings /var/log/journal/*/* | grep debian-kernel will confirm
> the records of what kernels systemd remembers, grepping for rtc_cmos
> will return times of clock settings during boot. Once you see the line
> that the debian-kernel grep returns, you can try a direct grep with the
> exact kernel name to find the appropriate journal file, then using
> strings | grep to match kernel version to boot time. Hopefully you only
> need to search a couple of files if you don't boot often, but the
> filenames are painfully long.
>
> --
> Joe
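The "prove to yourself when you rebooted" exercise above, worked as an added example (this is not code from anyone in the thread): a POSIX shell script that does what the grep -R debian-kernel suggestion does by hand, over both the live syslog files and logrotate's compressed copies, and then picks out the first boot whose kernel package version is at or above the fixed one. The sample log lines are constructed for the example, in the shape Debian 8's rsyslog writes the kernel's "Linux version" banner at every boot; the fixed version string 3.16.36-1+deb8u2 is an assumption to confirm against the Debian security advisory for CVE-2016-5195 before you rely on it, and can be overridden through the FIXED_VERSION environment variable.

```shell
#!/bin/sh
# Added example, not code from the thread: reconstruct boot times and running
# kernel versions from syslog-style files (the live ones and logrotate's *.gz
# copies), then report the first boot whose kernel carries the Dirty COW fix.
#
# ASSUMPTION: the fixed package version. 3.16.36-1+deb8u2 is the jessie
# version this example assumes shipped the CVE-2016-5195 fix; confirm it
# against the Debian security advisory before relying on it.
FIXED_VERSION="${FIXED_VERSION:-3.16.36-1+deb8u2}"

tab=$(printf '\t')

# Constructed sample, in the shape Debian 8's rsyslog writes the kernel banner
# to /var/log/kern.log and /var/log/messages at every boot. Host name,
# timestamps and gcc strings are made up for the example.
SAMPLE_LOG='Sep  3 08:12:41 host kernel: [    0.000000] Linux version 3.16.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.9.2 (Debian 4.9.2-10) ) #1 SMP Debian 3.16.7-ckt25-2+deb8u3 (2016-07-02)
Sep  3 08:12:41 host kernel: [    0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-3.16.0-4-amd64 root=/dev/sda1 ro quiet
Oct 21 19:03:17 host kernel: [    0.000000] Linux version 3.16.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.9.2 (Debian 4.9.2-10) ) #1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19)
Oct 21 19:03:20 host kernel: [    0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-3.16.0-4-amd64 root=/dev/sda1 ro quiet'

# Concatenate the given log files to stdout, decompressing rotated *.gz copies.
read_logs() {
  for f in "$@"; do
    case "$f" in
      *.gz) zcat "$f" ;;
      *)    cat "$f" ;;
    esac
  done
}

# Read syslog lines on stdin; print one "<syslog timestamp><TAB><Debian kernel
# package version>" line per boot banner. Only the "SMP Debian X" token that
# follows the build number is taken, not the "(Debian 4.9.2-10)" gcc string.
# Caveat: the syslog timestamp carries no year. Take it from the log file's
# mtime or from the "(YYYY-MM-DD)" build date that ends the banner.
boot_records() {
  awk '/kernel:.*Linux version/ {
    for (i = 2; i < NF; i++)
      if ($(i-1) == "SMP" && $i == "Debian") {
        printf "%s %s %s\t%s\n", $1, $2, $3, $(i+1)
        break
      }
  }'
}

# Exit 0 when Debian version $1 is >= $2. sort -V orders the numeric fields
# correctly for these strings ("3.16.7-ckt25-2+deb8u3" < "3.16.36-1+deb8u2");
# use "dpkg --compare-versions" on a real Debian host if you want the exact
# package-manager ordering.
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Read syslog lines on stdin; print the timestamp of the earliest boot that
# ran a kernel at or above FIXED_VERSION, or nothing if no such boot is logged.
first_fixed_boot() {
  boot_records | while IFS="$tab" read -r when ver; do
    if version_ge "$ver" "$FIXED_VERSION"; then
      printf '%s\n' "$when"
      break
    fi
  done
}

# Demo: scan the files named on the command line (e.g. /var/log/kern.log*
# from the restored /var/log), or the constructed sample when none are given.
if [ "$#" -gt 0 ]; then
  read_logs "$@" | boot_records
  printf 'first boot with fix: %s\n' "$(read_logs "$@" | first_fixed_boot)"
else
  printf '%s\n' "$SAMPLE_LOG" | boot_records
  printf 'first boot with fix: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | first_fixed_boot)"
fi
```

Against a restored /var/log, point it at every generation of the kernel log, e.g. `sh bootcheck.sh /var/log/kern.log /var/log/kern.log.1 /var/log/kern.log.*.gz` (the script name is arbitrary). An empty "first boot with fix" line means no logged boot ran a fixed kernel, which is exactly the gap the default logrotate settings leave after a couple of months of uptime; in that case the only remaining evidence is the wtmp file for `last -f`, if it survived, or the kernel strings in the journal files, which, as noted above, come without timestamps.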


