How To Find Who Rebooted The Linux System?

Find Who Rebooted The Linux System

Let us find who rebooted the Linux system

One of our site’s visitor has asked me how to find who rebooted the Linux system? Instead of replying him personally, I thought it would be helpful if I made a blog post and share it here, so that all readers can benefit. This trick can be helpful if you’re managing a shared server by many users.

To find out who rebooted your Linux server, you need to install psacct utility, which is used to monitor the user’s activity. Refer the following link for more details about psacct.

After installing psacct, run the following to find who rebooted the Linux server:

lastcomm reboot

Sample output would be:

reboot sk pts/0 0.00 secs Mon Apr 3 15:05
reboot S X root __ 0.00 secs Mon Apr 3 15:00
reboot sk pts/0 0.00 secs Mon Apr 3 15:00

As you see above, the user called “sk” has executed ‘reboot’ command from ‘pts0’ on Monday April 2, at 15:05 local time.

Wait, we’re not finished yet.

The above command displays only the three results of the previous reboots. We can display the system rebooted history by using the following command. Please note that, it will not show who has rebooted the system. Instead, it will only show the date and time of the previous reboot.

last reboot

Sample output:

reboot system boot 3.10.0-327.22.2. Mon Apr 3 15:06 - 15:12 (00:06) 
reboot system boot 3.10.0-327.22.2. Mon Apr 3 15:04 - 15:12 (00:08) 
reboot system boot 3.10.0-327.22.2. Mon Apr 3 15:01 - 15:12 (00:11) 
reboot system boot 3.10.0-327.22.2. Mon Apr 3 14:44 - 15:00 (00:16) 
reboot system boot 3.10.0-327.22.2. Sat Apr 1 14:35 - 18:42 (04:06) 
reboot system boot 3.10.0-327.22.2. Fri Mar 31 14:35 - 14:43 (00:07) 
reboot system boot 3.10.0-327.22.2. Fri Mar 31 13:05 - 13:12 (00:07) 
reboot system boot 3.10.0-327.22.2. Fri Mar 31 12:46 - 13:04 (00:18) 
reboot system boot 3.10.0-327.22.2. Fri Mar 31 12:40 - 12:46 (00:05) 
reboot system boot 3.10.0-327.22.2. Tue Mar 28 17:23 - 19:32 (02:08) 
reboot system boot 3.10.0-327.22.2. Tue Mar 28 14:59 - 19:32 (04:33) 
reboot system boot 3.10.0-327.22.2. Thu Mar 23 17:08 - 17:41 (00:32) 
reboot system boot 3.10.0-327.22.2. Thu Mar 23 17:06 - 17:08 (00:01) 
reboot system boot 3.10.0-327.22.2. Thu Mar 23 16:24 - 17:04 (00:40) 
reboot system boot 3.10.0-327.22.2. Thu Mar 23 16:00 - 17:04 (01:03)

Also, you can find out which user has rebooted your Linux box by looking at the BASH history file like.

grep reboot /home/*/.bash_history

The above command will look at all users .bash_history files and display who has rebooted your system.

/home/sk/.bash_history:reboot
/home/sk/.bash_history:sudo reboot
/home/sk/.bash_history:reboot 
/home/sk/.bash_history:sudo reboot 
/home/sk/.bash_history:sudo reboot 
/home/sk/.bash_history:reboot

To search for specific user, just mention the username as shown below.

grep reboot /home/sk/.bash_history

This command will only look at the .bash_history file belongs to user called ‘sk’. It is always recommended to keep an eye on all user’s activities. You never know who is going to break your system. Keep changing the root user’s password periodically. Limit user’s access to your Linux system and set password policies to users to avoid any security breaches.

That’s all for now folks. If you find this guide useful, please share it on your social and professional networks.

Cheers!

Thanks for stopping by!

Help us to help you:

Have a Good day!!

You may also like...