How to find out who rebooted LINUX server

Question

Someone restarted our Linux server and I want to find out which user did it.

There might be multiple users on this server with sudo privileges, is there any specific log file which keep track of user who did reboot last time?

Edit: I am using Red Hat 6.3

You can search trough lastlog, bash_history (if no sudo), /var/log/{auth.log|secure} (sudo) or audit.log if auditd is running etc. — Xavier Lucas, Mar 16 '15 at 21:01

score 14 · Accepted Answer · edited Dec 08 '16 at 06:32

14

You can use "last" to check. It shows when was the system rebooted and who were logged-in and logged-out.

From manpage:

last, lastb - show listing of last logged in users

edited Dec 08 '16 at 06:32

chicks

3,793
10
27
36

answered Dec 08 '16 at 06:11

Ashish Jain

156
1
2

For me the file shows only log ins – Sebi2020 Oct 24 '21 at 11:27

user9517 · Answer 2 · 2015-03-16T20:51:36.587

If your users have to use sudo to reboot the server then yo should be able to find who did it by looking in the relevant log file. For CentOS like distros look in /var/log/secure and for Ubuntu like look in /var/log/auth log.

If you're using a different OS or distro you could track the log file down by reading the sudoers man page which contains information about the log facility that is used by default and how to change it. Armed with that you can check your syslog config ...

score 5 · Answer 3 · answered Mar 16 '15 at 20:42

Every Linux/unix system has a variety of /var/log/secure.

For Ubuntu, as I'm guessing you are using, try /var/log/auth.log.

I would suggest:

sudo grep sudo /var/log/auth.log

You will get results similar to:

Mar 16 13:40:38 hostname sudo:  username : TTY=pts/10 ; PWD=/home/username ; USER=root ; COMMAND=/bin/bash

How to find out who rebooted LINUX server

3 Answers3