0

That should be a quick one:

I'm running a small server, and one day discovered, that one of the LXC containers inside is down. I started it again, but I want to find out, for how long it was down.

I guess, that the most detailed information will be in dmesg logs, but to read timestamps in them I need to know exact moment the system was started during that session.

Adam Ryczkowski
  • 720
  • 1
  • 9
  • 29

2 Answers2

1

You can /proc/uptime for this, the first number there is the uptime of the machine in seconds. Also, there's dmesg -T for human readable output.

Teun Vink
  • 1,837
  • 11
  • 14
1
[me@server]$ last reboot
reboot   system boot  2.6.32-279.22.1. Thu Oct  3 08:35 - 10:59 (39+03:23)
Jenny D
  • 27,780
  • 21
  • 75
  • 114
  • In my case, it only shows the current boot time. Not the previous. That is all my output: reboot system boot 3.8.2-030802-gen Mon Nov 11 10:29 - 11:01 (00:31) wtmp begins Mon Nov 11 10:29:57 2013 – Adam Ryczkowski Nov 11 '13 at 10:02
  • But on my Ubuntu desktop this command works just fine. Maybe it can be a clue of what happened? (i.e. why the system went down) – Adam Ryczkowski Nov 11 '13 at 10:03
  • If it only shows the current boot time, that means that at some point your wmtp/utmp files have been truncated - either because /var got full, or because you were under attack/cracked and the cracker wanted to hide what they'd done. – Jenny D Nov 11 '13 at 10:08
  • Ouch... It makes sense. – Adam Ryczkowski Nov 11 '13 at 10:15
  • Also, the dmesg log will tell you what happened at the point of reboot. It's likely that the reason for the reboot occured just before that - so I'd start looking at syslog/messages from just before then, rather than the dmesg log. And given that there is a risk of attack, now would be a good time to start sending syslog to a second server in case the attack happens again and the attacker edits or removes the local log files. – Jenny D Nov 11 '13 at 11:27
  • Thank you. That is exactly, what I am doing right now. (I use Ubuntu, so there is no "messages", but "syslog", though). The logs don't look to understandable to me... :-( But comparing logs from various VM and seeing them very simmilar, but poorly synchronized in time, I came to conclusion, that the attack was made interactively by some human. Or a smart bot, that simulates human activity. – Adam Ryczkowski Nov 11 '13 at 12:12
  • Is is strange that on Ubuntu 12.04 server the default log rotation scheme rotate this log each month and keep only one historical copy. It is not very busy server and it is a fact, that no restarts and no log events should have been recorded for past 2 months. And before that all went rotated out. And the restart could have been due to electric outage (it happens rarely, but it does). – Adam Ryczkowski Nov 12 '13 at 11:15