Can I know who issued the shutdown command on any *nix system in a multi-user system? I want to know the name of the user who issued the particular command.

1 Answers
NOTE: This answer primarily focuses on showing when a system was booted/shutdown. Getting the actual user that performed the shutdown is a bit trickier. The best way I've seen it done is to limit access to a system, and only give certain operators sudo rights to the shutdown command. This will give you a log of who ran what sudo command and at what time they did it. This is far superior to attempting to hack the shutdown command!
1. Parsing log files
Most systems already have this info contained in their logs, you just have to know what to look for.
The log files /var/log/messages, /var/log/syslog (Ubuntu) or /var/log/secure (CentOS) will typically have this.
Examples
$ sudo grep -iE "shutdown|boot" secure*
secure-20131215:Dec 14 02:08:56 greeneggs sudo: saml : TTY=pts/6 ; PWD=/home/saml ; USER=root ; COMMAND=/sbin/reboot
2. Last time system booted?
For this you can use the who command. Specifically with the -b switch.
$ who -b
system boot 2013-08-01 17:56
This says the last time the system was booted was 2013-08-01.
3. Past reboots
If you're interested in seeing a more extensive list of previous reboots you can use the last command.
$ last reboot | less
reboot system boot 2.6.35.14-106.fc Thu Aug 1 17:56 - 02:03 (7+08:06)
reboot system boot 2.6.35.14-106.fc Thu Aug 1 09:41 - 17:55 (08:14)
reboot system boot 2.6.35.14-106.fc Thu Jul 25 15:24 - 17:55 (7+02:31)
reboot system boot 2.6.35.14-106.fc Thu Jul 18 18:05 - 15:23 (6+21:17)
...
4. Past system shutdowns & runlevel changes?
You can use the last command for this too. You'll need to use the -x switch.
$ last -x | less
saml pts/7 :pts/6:S.0 Sat Aug 3 21:30 - 21:30 (00:00)
saml pts/6 :0.0 Sat Aug 3 21:29 - 21:30 (00:01)
saml pts/4 :0.0 Fri Aug 2 21:49 - 22:16 (2+00:26)
saml pts/2 :0.0 Fri Aug 2 13:30 - 22:16 (2+08:45)
saml pts/1 :0.0 Fri Aug 2 13:05 still logged in
saml pts/0 :0.0 Fri Aug 2 12:37 still logged in
saml pts/0 :0.0 Fri Aug 2 12:35 - 12:37 (00:02)
saml pts/0 :0.0 Thu Aug 1 17:58 - 12:35 (18:36)
saml tty1 :0 Thu Aug 1 17:56 still logged in
runlevel (to lvl 5) 2.6.35.14-106.fc Thu Aug 1 17:56 - 02:04 (7+08:08)
reboot system boot 2.6.35.14-106.fc Thu Aug 1 17:56 - 02:04 (7+08:08)
shutdown system down 2.6.35.14-106.fc Thu Aug 1 17:55 - 17:56 (00:00)
runlevel (to lvl 6) 2.6.35.14-106.fc Thu Aug 1 17:55 - 17:55 (00:00)
saml tty2 Thu Aug 1 17:54 - down (00:01)
root tty2 Thu Aug 1 17:53 - 17:54 (00:00)
...
-
Note that, as far as I can tell, this still doesn't tell you who shut it down, since it will likely be root. +1 however, because the other answer is dangerous, and this is about as good as it gets without dbus. – Chris Down Jan 02 '14 at 09:10
-
@ChrisDown - yes this is actually bits from another answer I gave a couple months back. I was tempted to mark this Q as a dup, but he's asking for who, and that isn't actually feasible, as you've indicated as well. The other Q was asking for when and who. – slm Jan 02 '14 at 09:13
-
@ChrisDown - I added a blurb at the top mentioning the difficulties in getting the user, and the use of sudo was the most appropriate. Feel free to wordsmith it further if you feel it needs additional verbiage. – slm Jan 02 '14 at 09:23
-
@slm while I do appreciate all your efforts and research that you did for the solution, it doesn't explicitly answer my who aspect. You say filter out from system file, but which one? I checked auth.log, there is no log for who started the shutdown. Which log file should you tell I look at? – ASCIIbetical Jan 03 '14 at 04:05
@ASCIIbetical - fair enough, never accept an answer unless you feel it solves your problem. 8-). Are you using sudo on your system? I believe in my A I explained that using sudo will be the only way you'll find usernames and shutdown events. In the example I showed, the log file /var/log/secure* contains these records of userX running reboot or shutdown commands. – slm Jan 03 '14 at 04:08
@ASCIIbetical - also there is no general solution, I for example am using Fedora/CentOS/RHEL which use the file /var/log/secure*, other distros opt for different logs altogether, so you'll have to be more specific in your Q if you really want the "who" information. – slm Jan 03 '14 at 04:12
-
@slm Kindly have a look here: I initiated a shutdown at 10:10:34 and started computer at 10:11:16, alas, no username is present: Log of /var/log/syslog
Jan 3 10:10:34 thinktank rsyslogd: [origin software="rsyslogd" swVersion="5.8.6" x-pid="508" x-info="http://www.rsyslog.com"] exiting on signal 15.
Jan 3 10:11:16 thinktank kernel: imklog 5.8.6, log source = /proc/kmsg started.
Jan 3 10:11:16 thinktank rsyslogd: [origin software="rsyslogd" swVersion="5.8.6" x-pid="711" x-info="http://www.rsyslog.com"] start
– ASCIIbetical Jan 03 '14 at 04:45
I guess it isn't the user who runs shutdown but some system process. So in that case, how to know from the system process, who initiated the shutdown. Look here: http://pastebin.com/5g6RpmuM – ASCIIbetical Jan 03 '14 at 04:53
-
I initiated a shutdown at 10:10:34 and started my system at 10:11:16, no username is there. – ASCIIbetical Jan 03 '14 at 04:53
-
@ASCIIbetical - this was my exact point in the 1st paragraph. You can't know because there is an interface that catches the signal to shutdown/reboot and then triggers it. This process runs as root so you'll never see a username that way. Using sudo and walling off access to shutdown/reboot is just how sysadmins do this. We managed a Fortune 500 company's infrastructure and this is how we did it there. – slm Jan 03 '14 at 04:57
-
Oh, thanks then. I guess that's how it's gonna be done. Thanks for the inputs. Always a pleasure to learn from pros like you. Thanks a ton. – ASCIIbetical Jan 03 '14 at 05:02
@ASCIIbetical - the pleasure is mine. I like helping others make sense of all the noise 8-) – slm Jan 03 '14 at 05:05
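Added example (not part of the original answer or comments): a POSIX shell function that pulls the "who" out of sudo log lines in the format shown in the answer's grep output. It goes beyond the page's single `reboot` line by also matching `shutdown`, `halt`, `poweroff` and `systemctl` verbs, flagging refused attempts, and accepting ISO 8601 timestamps. The names `who_shutdown` and `sample_log`, the `operators` group, and the users `guest` and `ops1` are assumptions made for illustration.

```shell
#!/bin/sh
# Matching sudoers rule (hypothetical group name "operators"):
#   %operators ALL=(root) /sbin/shutdown, /sbin/reboot
# Usage: who_shutdown /var/log/secure*    (or /var/log/auth.log)
who_shutdown() {
    awk '
    /COMMAND=/ {
        # Locate the "sudo:" or "sudo[pid]:" tag; the invoking user follows it.
        for (f = 1; f <= NF; f++) if ($f ~ /^sudo(\[[0-9]+\])?:$/) break
        if (f > NF || f < 3) next

        # Keep only shutdown-type commands, judged by the program basename.
        cmd = substr($0, index($0, "COMMAND=") + 8)
        split(cmd, argv, " ")
        n = split(argv[1], path, "/")
        prog = path[n]
        if (prog !~ /^(shutdown|reboot|halt|poweroff)$/ &&
            !(prog == "systemctl" && argv[2] ~ /^(reboot|halt|poweroff)$/)) next

        # Fields before the hostname form the timestamp (syslog or ISO 8601).
        ts = $1
        for (i = 2; i <= f - 2; i++) ts = ts " " $i

        # A permitted run logs "user : TTY=..."; a refusal puts its reason
        # first, e.g. "user : command not allowed ; TTY=...".
        status = ($(f + 3) ~ /^TTY=/) ? "ran" : "denied"
        print ts, $(f + 1), status, cmd
    }' "$@"
}

# Constructed sample log; only the first line is taken from the page.
sample_log() {
    cat <<'EOF'
Dec 14 02:08:56 greeneggs sudo: saml : TTY=pts/6 ; PWD=/home/saml ; USER=root ; COMMAND=/sbin/reboot
Dec 14 02:10:01 greeneggs sudo: saml : TTY=pts/6 ; PWD=/home/saml ; USER=root ; COMMAND=/bin/ls /root
Dec 15 09:30:12 greeneggs sudo: guest : command not allowed ; TTY=pts/2 ; PWD=/home/guest ; USER=root ; COMMAND=/sbin/shutdown -h now
2014-01-03T10:10:30+05:30 thinktank sudo[2112]: ops1 : TTY=pts/0 ; PWD=/home/ops1 ; USER=root ; COMMAND=/usr/bin/systemctl poweroff
EOF
}

sample_log | who_shutdown
```

Each output line is timestamp, invoking user, `ran` or `denied`, and the full command. A shutdown triggered from a desktop session or power button bypasses sudo and produces no such line, which is the limitation discussed in the comments above.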