When troubleshooting an unexpected server reboot on Red Hat 6.3, the first place to check is the system logs. The primary log files that record shutdown/reboot events are:
/var/log/messages
/var/log/secure
/var/log/boot.log
For newer Red Hat versions with systemd, you would use:
journalctl --list-boots
journalctl -b -1 | grep "systemd-logind"
However, since you're on RHEL 6.3, which uses SysV init, we'll focus on traditional log files.
To find reboot events in /var/log/messages:
grep -i "reboot" /var/log/messages
grep -i "shutdown" /var/log/messages
grep -i "system halted" /var/log/messages
The /var/log/secure file often contains valuable information about who executed privileged commands:
grep "COMMAND=/sbin/reboot" /var/log/secure
grep "sudo.*reboot" /var/log/secure
The 'last' command can show reboot history:
last reboot
last -x | grep reboot
If auditd is running, you can configure it to track reboot commands by adding this to /etc/audit/audit.rules (RHEL 6 assigns regular accounts UIDs starting at 500, so the filter uses auid>=500):
-a always,exit -F path=/sbin/reboot -F perm=x -F auid>=500 -F auid!=4294967295 -k poweroff
Then search audit logs with:
ausearch -k poweroff
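For more precise tracking, you could create a wrapper script for reboot commands. The wrapper must call the backed-up original (here /sbin/reboot.bin), not /sbin/reboot, or it will call itself once installed:
#!/bin/bash
# Record the invoking user (SUDO_USER when run via sudo, otherwise the current user).
echo "$(date) ${SUDO_USER:-$(whoami)} executed reboot" >> /var/log/reboot_audit.log
# Hand off to the original binary, which was moved aside before installing this wrapper.
exec /sbin/reboot.bin "$@"
Then back up the original binary to /sbin/reboot.bin and install this script as /sbin/reboot. A package update that reinstalls /sbin/reboot will overwrite the wrapper.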
If sudo was used to execute the reboot, check the dedicated sudo log, if one is configured:
cat /var/log/sudo.log
Or if using syslog for sudo logging:
grep sudo /var/log/secure
On RHEL 6.3 systems, these are the primary log locations that record reboot events:
1. /var/log/messages - System-wide messages including shutdown/reboot events
2. /var/log/secure - Authentication logs (crucial for sudo executions)
3. /var/log/boot.log - Boot sequence records
4. /var/log/cron - If reboot was scheduled via cron
First check the system messages log for the reboot timestamp:
# grep -i "reboot" /var/log/messages
May 15 10:23:01 server1 kernel: [321873.651234] Restarting system.
May 15 10:23:01 server1 shutdown[12345]: reboot by jsmith
Then examine sudo executions in the secure log:
# grep "COMMAND=/sbin/reboot" /var/log/secure
May 15 10:22:58 server1 sudo: jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/sbin/reboot
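The grep above also matches sudo attempts that were refused, because those lines carry COMMAND= too. As an added example (not part of the original page), the function below parses the sudo line format shown above and reports the invoking user, TTY and whether sudo actually ran the command. The function names, the sample lines and the ok/denied rule are assumptions of this example.

```sh
#!/bin/sh
# Added example: report sudo-invoked power commands from a RHEL 6 secure log.
# Output: "timestamp|invoking user|tty|ok or denied|command", one per line.

# Reads the named files, or stdin when no file is given.
power_cmds_from_secure() {
    awk '
    # Format: Mon DD HH:MM:SS host sudo: USER : [message ; ]TTY=.. ; PWD=.. ; USER=.. ; COMMAND=..
    $5 ~ /^sudo(\[[0-9]+\])?:$/ && /COMMAND=/ {
        cmd = $0
        sub(/^.*COMMAND=/, "", cmd)
        split(cmd, words, " ")            # words[1] is the executable path
        n = split(words[1], parts, "/")
        exe = parts[n]
        if (exe !~ /^(reboot|shutdown|halt|poweroff|init|telinit)$/) next
        # init and telinit only stop the system for runlevel 0 or 6
        if ((exe == "init" || exe == "telinit") && words[2] !~ /^[06]$/) next
        tty = "-"
        if (match($0, /TTY=[^ ;]+/)) tty = substr($0, RSTART + 4, RLENGTH - 4)
        # Assumption: sudo puts a refusal message (e.g. "user NOT in sudoers")
        # between "USER :" and "TTY="; a line going straight to TTY= was run.
        status = ($8 ~ /^TTY=/) ? "ok" : "denied"
        printf "%s %s %s|%s|%s|%s|%s\n", $1, $2, $3, $6, tty, status, cmd
    }' "$@"
}

# Constructed sample lines (not real log data).
sample_secure_log() {
    cat <<'EOF'
May 15 10:22:58 server1 sudo: jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/sbin/reboot
May 15 10:20:11 server1 sudo: adoe : TTY=pts/1 ; PWD=/home/adoe ; USER=root ; COMMAND=/bin/cat /etc/reboot.conf
May 15 09:01:40 server1 sudo: bkim : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/bkim ; USER=root ; COMMAND=/sbin/shutdown -r now
May 15 08:00:00 server1 sudo: jsmith : TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/sbin/init 3
May 15 10:23:30 server1 sshd[999]: Accepted password for jsmith from 192.0.2.10 port 5555 ssh2
EOF
}

sample_secure_log | power_cmds_from_secure
```

On a live host, pass the log path as an argument, for example power_cmds_from_secure /var/log/secure, and compare the timestamps with the reboot time found in /var/log/messages.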
For systems with auditd enabled, check these commands:
# ausearch -m SYSTEM_SHUTDOWN -ts today
# ausearch -m EXECVE -i | grep reboot
Example output showing reboot execution context:
type=EXECVE msg=audit(1526389378.123:456): argc=2 a0="/sbin/reboot" a1="-f"
type=SYSCALL msg=audit(1526389378.123:456): arch=c000003e syscall=59 success=yes exit=0 a0=123abc a1=456def a2=789ghi a3=0 items=2 ppid=12345 pid=54321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="reboot" exe="/sbin/reboot"
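Add this to /etc/audit/audit.rules for future tracking (the systemctl watch applies only to systemd-based releases; RHEL 6.3 has no /usr/bin/systemctl, so omit that line there):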
-w /sbin/reboot -p x -k power_commands
-w /sbin/shutdown -p x -k power_commands
-w /usr/bin/systemctl -p x -k power_commands
Then search with:
# ausearch -k power_commands --raw | aureport -f -i
For systems without auditd, create a simple wrapper script:
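#!/bin/bash
# Log the invoking user (SUDO_USER when run via sudo) to syslog, then run the original binary.
logger -t REBOOT_TRACKER "User ${SUDO_USER:-$(whoami)} initiated reboot via $(basename "$0")"
# The original was moved to /sbin/reboot.bin; calling /sbin/reboot here would re-run this wrapper.
exec /sbin/reboot.bin "$@"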
Deploy it by moving the original binary and replacing it with the wrapper:
# mv /sbin/reboot /sbin/reboot.bin
# cp reboot_wrapper.sh /sbin/reboot
# chmod +x /sbin/reboot