接客户反映,内蒙的客户服务器宕机了,需要查看下宕机及reboot的详情,需要使用到last命令,做一些总结归纳。
last命令实际上是读取的/var/log/wtmp文件,这个不是可读文件,打开wtmp是个二进制文件,看到的是乱码,不可读。
last指令的英文原义:show listing of last logged in users,
执行路径:ubuntu@ubuntu:~$ which last
/usr/bin/last
显示重启记录:last -x reboot
ubuntu@ubuntu:~$ last -x reboot
reboot system boot 4.15.0-91-generi Thu Mar 26 17:28 still running
reboot system boot 4.15.0-91-generi Wed Mar 25 21:09 still running
reboot system boot 4.15.0-91-generi Wed Mar 25 16:24 still running
reboot system boot 4.15.0-91-generi Wed Mar 25 08:18 still running
将登录系统的主机名或IP地址显示在最后一行:last -10 -a
ubuntu@ubuntu:~$ last -10 -a
ubuntu pts/11 Thu Mar 26 22:28 still logged in 127.0.0.1
ubuntu pts/10 Thu Mar 26 22:15 still logged in 127.0.0.1
ubuntu pts/9 Thu Mar 26 22:08 still logged in 127.0.0.1
ubuntu pts/8 Thu Mar 26 18:05 still logged in 127.0.0.1
reboot system boot Thu Mar 26 17:28 still running 4.15.0-91-generic
reboot system boot Wed Mar 25 21:09 still running 4.15.0-91-generic
reboot system boot Wed Mar 25 16:24 still running 4.15.0-91-generic
指定/var/log/btmp文件,查看登录系统的用户相关信息: last -n 10 -f /var/log/btmp
ubuntu@ubuntu:~$ sudo last -n 10 -f /var/log/btmp
[sudo] ubuntu 的密码:
ubuntu ssh:notty 10.35.80.232 Wed Mar 18 14:17 gone - no logout
ubuntu ssh:notty 10.35.80.232 Tue Mar 10 15:54 - 14:17 (7+22:22)
ubuntu ssh:notty 10.35.80.232 Fri Mar 6 16:27 - 15:54 (3+23:27)
ubuntu@ubuntu:~$ last|head -n 5
ubuntu pts/11 127.0.0.1 Thu Mar 26 22:28 still logged in
ubuntu pts/10 127.0.0.1 Thu Mar 26 22:15 still logged in
ubuntu pts/9 127.0.0.1 Thu Mar 26 22:08 still logged in
ubuntu pts/8 127.0.0.1 Thu Mar 26 18:05 still logged in
reboot system boot 4.15.0-91-generi Thu Mar 26 17:28 still running
ubuntu@ubuntu:~$ last -x shutdown
wtmp begins Mon Mar 2 10:21:04 2020
结束。