SUMMARY: Mysterious shutdown - who is LOGIN?

From: Eiler, James A. <James.Eiler_at_alcoa.com>
Date: Tue, 26 Feb 2002 15:39:54 -0500

Copy of original posting at the end.

Bottom line: Unsolved mystery! If I had enabled the audit subsystem,
I would have been able to find the culprit!

Many thanks to the following folks:

Ann Majeske
James John
Dr. Thomas Blinn
David L. Smith
George Gallen
Bruce Hines

Suggestions / recommendations:

***

Go through the history of each of the users that were logged in at the time.
Also, check to see if anyone changed UIDs in the sialog.

***

I'd guess that when no one is logged in on a port for which a getty is
running, it shows up in "last" as LOGIN, but that's just a guess. And
since it dates to the same time stamp as the shutdown, it's at best a
guess. I'd go looking at things like "getty" to see what contains the
string "LOGIN" -- someone put it there.

***

When I've seen this it is usually because the ASE software decided something
was wrong with one of the services and shut down the system so that the
service would move to a surviving member.

***

Could this have been a UPS-related shutdown?
Do you have your UPS hooked to the serial port to
shut down if power is getting low?

***

If someone has access to the system console, they can do a CTRL-P and halt
the system. They don't need login privileges.

***

I haven't seen a summary on this, so I thought I'd give it
a go.

First, "last" only lists terminal logins. It does not record
access via "su", "rsh", and many other methods someone could use
to gain root privilege on the system. I strongly recommend that
you enable the audit subsystem (See the Security manual) on your
system and at least audit trusted_event. This will give you a much
better indication of who's doing what on your system. And, if you
have auditing enabled on the system you can always increase the
level of auditing if you have a recurring problem so that you can
get even more information on what's going on. The audit subsystem
is useful in investigating many types of problems, even debugging
code, see
http://www.tru64unix.compaq.com/docs/best_practices/BP_AUDIT/TITLE.HTM

It is documented in "man who" that entries with "LOGIN" as
the user field indicate terminals not in use. Couple this
with the fact that init dumps "interesting" utmp entries
into wtmp on shutdown (I don't know if this is documented)
and all this tells you is that no one was logged into the
console when the system shut down. But, the fact that these
wtmp entries were written out coupled with the uerf output
does make it look like someone deliberately shut down the
system (at least it was a graceful shutdown!). The
/var/adm/syslog.dated/*/auth.log file should have a reboot
entry if the system was rebooted deliberately. But, without
the audit information I don't think there is any way to tell
for sure from the system logs who shut down the system.

***
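
As an added example (not code from the original posting or from any of the
responders), the triage the last reply describes can be automated: parse the
"last" listing, locate each "shutdown" record, and list the sessions that wtmp
shows open at that instant. It treats "LOGIN" records as idle terminals, as
"man who" says, assumes the year 2002 because last(1) prints none, and uses the
listing from the original posting as its constructed sample input.

```python
"""Triage a Tru64 'last' listing: which sessions could have issued a shutdown?

Added example for this thread, not code from the original posting. It parses
the space-separated 'last' output, finds every 'shutdown' record and lists the
interactive sessions that were open at that moment. 'LOGIN' records are treated
as 'man who' describes them: a terminal with nobody logged in. The year is an
assumption (last(1) does not print one).
"""
import re
from datetime import datetime, timedelta

YEAR = 2002  # assumption: last(1) prints no year

# Constructed sample: the 'last' output quoted in the original posting.
LAST_OUTPUT = """\
eilerja ttyp1 alpha2-pcc.atc.a Fri Feb 15 14:25 still logged in
root console Fri Feb 15 11:15 - 11:32 (00:16)
root :0 Fri Feb 15 11:15 - 11:32 (00:16)
eilerja ttyp1 alpha2-pcc.atc.a Fri Feb 15 10:08 - 12:11 (02:02)
kruzymt ttyp1 alpha2-pcc.atc.a Tue Feb 12 14:09 - 14:41 (00:31)
kruzymt ttyp1 alpha2-pcc.atc.a Tue Feb 12 12:12 - 12:12 (00:00)
kruzymt ttyp2 alpha2-pcc.atc.a Tue Feb 12 12:10 - 12:10 (00:00)
kruzymt ttyp2 alpha2-pcc.atc.a Tue Feb 12 12:10 - 12:10 (00:00)
kruzymt ttyp2 alpha2-pcc.atc.a Tue Feb 12 11:46 - 12:08 (00:22)
eilerja ttyp1 alpha2-pcc.atc.a Tue Feb 12 10:39 - 12:11 (01:31)
shutdown ~ Sat Feb 09 00:39
LOGIN console Sat Feb 09 00:39 - 00:39 (00:00)
eilerja ttyp1 alpha2-pcc.atc.a Fri Feb 08 10:20 - 10:48 (00:27)
eilerja ttyp1 alpha2-pcc.atc.a Thu Feb 07 02:55 - 02:56 (00:00)
eilerja ttyp1 alpha2-pcc.atc.a Thu Feb 07 02:21 - 02:21 (00:00)
"""

# user tty [host] dow mon day hh:mm [- end] [rest]; the host column is optional,
# and the day-of-week alternation is what stops the regex from eating it as host.
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?:(?P<host>\S+)\s+)?"
    r"(?P<dow>Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s+(?P<mon>[A-Z][a-z]{2})\s+"
    r"(?P<day>\d{1,2})\s+(?P<start>\d{2}:\d{2})"
    r"(?:\s+-\s+(?P<end>\S+))?(?P<rest>.*)$"
)

# wtmp pseudo-users that are markers, not people who could have typed a command.
PSEUDO_USERS = {"shutdown", "reboot", "LOGIN"}


def parse_last(text, year=YEAR):
    """Return one dict per 'last' line; lines that do not parse are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        start = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['start']}", "%Y %b %d %H:%M")
        end = None  # None = open-ended: still logged in, down/crash, or a marker
        if m["end"] and re.fullmatch(r"\d{2}:\d{2}", m["end"]):
            end = datetime.strptime(
                f"{year} {m['mon']} {m['day']} {m['end']}", "%Y %b %d %H:%M")
            if end < start:  # session crossed midnight
                end += timedelta(days=1)
        entries.append({"user": m["user"], "tty": m["tty"], "host": m["host"],
                        "start": start, "end": end,
                        "still_logged_in": "still logged in" in m["rest"]})
    return entries


def sessions_open_at(entries, when):
    """Interactive sessions whose window covers 'when' (end None = open-ended)."""
    return [e for e in entries
            if e["user"] not in PSEUDO_USERS
            and e["start"] <= when
            and (e["end"] is None or e["end"] >= when)]


def shutdown_report(entries):
    """For each shutdown marker: who was logged in, and which ttys sat idle."""
    report = []
    for ev in entries:
        if ev["user"] != "shutdown":
            continue
        open_sessions = sessions_open_at(entries, ev["start"])
        # LOGIN entries flushed from utmp at the same minute = idle terminals
        idle = sorted({e["tty"] for e in entries
                       if e["user"] == "LOGIN" and e["start"] == ev["start"]})
        report.append({
            "time": ev["start"],
            "candidates": [(e["user"], e["tty"], e["host"]) for e in open_sessions],
            "idle_terminals": idle,
            # wtmp can only name a suspect if someone was on a terminal
            "attributable_from_wtmp": bool(open_sessions),
        })
    return report


if __name__ == "__main__":
    for r in shutdown_report(parse_last(LAST_OUTPUT)):
        print(f"shutdown at {r['time']:%Y-%m-%d %H:%M}")
        print(f"  open sessions : {r['candidates'] or 'none'}")
        print(f"  idle terminals: {r['idle_terminals']}")
        print(f"  attributable from wtmp: {r['attributable_from_wtmp']}")
```

Run against the posting's data it reports no open session and the console as
idle, which is exactly the reply's point: wtmp records terminal logins only, so
a shutdown issued over su, rsh or the console CTRL-P leaves nothing here to
attribute, and the auth.log reboot entry or the audit trail is where to look
next.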

Original Posting:

***

Fellow T64'ers:

I have a DS10 running T64 4.0G that was shut down early last Saturday morning,
but I can't figure out "who dunnit"!

Attached are the pertinent parts of output from "last" and "uerf -R".

I don't understand the user "LOGIN" on the console on Feb 09 at 00:39 - when
I log in as root, the name shows up as "root" in the output from "last".

Can anybody help?

Thanks!

Jim

>>>> output from last

eilerja ttyp1 alpha2-pcc.atc.a Fri Feb 15 14:25 still logged in
root console Fri Feb 15 11:15 - 11:32 (00:16)
root :0 Fri Feb 15 11:15 - 11:32 (00:16)
eilerja ttyp1 alpha2-pcc.atc.a Fri Feb 15 10:08 - 12:11 (02:02)
kruzymt ttyp1 alpha2-pcc.atc.a Tue Feb 12 14:09 - 14:41 (00:31)
kruzymt ttyp1 alpha2-pcc.atc.a Tue Feb 12 12:12 - 12:12 (00:00)
kruzymt ttyp2 alpha2-pcc.atc.a Tue Feb 12 12:10 - 12:10 (00:00)
kruzymt ttyp2 alpha2-pcc.atc.a Tue Feb 12 12:10 - 12:10 (00:00)
kruzymt ttyp2 alpha2-pcc.atc.a Tue Feb 12 11:46 - 12:08 (00:22)
eilerja ttyp1 alpha2-pcc.atc.a Tue Feb 12 10:39 - 12:11 (01:31)
shutdown ~ Sat Feb 09 00:39
LOGIN console Sat Feb 09 00:39 - 00:39 (00:00)
eilerja ttyp1 alpha2-pcc.atc.a Fri Feb 08 10:20 - 10:48 (00:27)
eilerja ttyp1 alpha2-pcc.atc.a Thu Feb 07 02:55 - 02:56 (00:00)
eilerja ttyp1 alpha2-pcc.atc.a Thu Feb 07 02:21 - 02:21 (00:00)


>>>> output from uerf -R


********************************* ENTRY 3. *********************************

----- EVENT INFORMATION -----

EVENT CLASS OPERATIONAL EVENT
OS EVENT TYPE 301. SYSTEM SHUTDOWN
SEQUENCE NUMBER 21394.
OPERATING SYSTEM DEC OSF/1
OCCURRED/LOGGED ON Sat Feb 9 00:39:46 2002
OCCURRED ON SYSTEM alica
SYSTEM ID x00080022
SYSTYPE x00000000
MESSAGE System halted by root

********************************* ENTRY 4. *********************************

----- EVENT INFORMATION -----

EVENT CLASS OPERATIONAL EVENT
OS EVENT TYPE 301. SYSTEM SHUTDOWN
SEQUENCE NUMBER 21393.
OPERATING SYSTEM DEC OSF/1
OCCURRED/LOGGED ON Sat Feb 9 00:39:44 2002
OCCURRED ON SYSTEM alica
SYSTEM ID x00080022
SYSTYPE x00000000
MESSAGE System shutdown by root:

********************************* ENTRY 5. *********************************
Received on Tue Feb 26 2002 - 20:40:10 NZDT
