Home Linux Tips & Tricks How To Find Who Rebooted The Linux System And When

How To Find Who Rebooted The Linux System And When

By sk
Published: Last Updated on 8,931 Views

This brief guide explains how to find who rebooted the Linux system and the time of last reboot. This trick could be useful for those who are managing a multi-user shared server.

Find Who Rebooted The Linux System

To find out who rebooted your Linux server, you need to install psacct utility, which is used to monitor the user's activity. Refer the following link to know more details about psacct.

After installing psacct, run the following to find who rebooted the Linux server:

$ lastcomm reboot

Sample output would be:

reboot sk pts/0 0.00 secs Mon Apr 3 15:05
reboot S X root __ 0.00 secs Mon Apr 3 15:00
reboot sk pts/0 0.00 secs Mon Apr 3 15:00

As you see above, the user called "sk" has executed 'reboot' command from 'pts0' on Monday April 2, at 15:05 local time.

Wait, we're not finished yet.

The above command displays only the three results of the previous reboots. We can display the complete reboot history by running the following command. Please note that, it will not show who has rebooted the system. Instead, it will only show the date and time of the previous reboot.

$ last reboot

Sample output:

reboot system boot 5.11.11-200.fc33 Fri Apr 9 10:59 still running
reboot system boot 5.11.11-200.fc33 Thu Apr 8 20:14 - 21:45 (01:31)
reboot system boot 5.11.11-200.fc33 Thu Apr 8 14:12 - 20:14 (06:02)
reboot system boot 5.11.11-200.fc33 Thu Apr 8 10:30 - 20:14 (09:43)
reboot system boot 5.11.11-200.fc33 Wed Apr 7 10:32 - 21:46 (11:13)
reboot system boot 5.11.11-200.fc33 Tue Apr 6 21:30 - 22:13 (00:43)
reboot system boot 5.11.11-200.fc33 Tue Apr 6 12:38 - 20:33 (07:55)
reboot system boot 5.11.11-200.fc33 Tue Apr 6 10:04 - 12:37 (02:33)
reboot system boot 5.11.11-200.fc33 Mon Apr 5 17:24 - 21:58 (04:33)
reboot system boot 5.11.11-200.fc33 Mon Apr 5 17:00 - 17:23 (00:23)
find who rebooted the Linux system

find who rebooted the Linux system

Also, you can find out which user has rebooted your Linux box by looking at the BASH history file like.

$ grep reboot /home/*/.bash_history

The above command will look at all users .bash_history files and display who has rebooted your system.

/home/sk/.bash_history:reboot
/home/sk/.bash_history:sudo reboot
/home/sk/.bash_history:reboot 
/home/sk/.bash_history:sudo reboot 
/home/sk/.bash_history:sudo reboot 
/home/sk/.bash_history:reboot

To search for specific user, just mention the username as shown below.

$ grep reboot /home/sk/.bash_history

This command will only look at the .bash_history file belongs to user called 'sk'. It is always recommended to keep an eye on all user's activities. You never know who is going to break your system. Keep changing the root user's password periodically. Limit user's access to your Linux system and set password policies to users to avoid any security breaches.

Hope this helps.

You May Also Like

Leave a Comment

* By using this form you agree with the storage and handling of your data by this website.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More