If the server was rebooted by a logged in user last | less
command will give you a history of people logged into the machine, time of log in and the IP of the connecting device. Search for a time that the server was rebooted and check who was logged in at that time.
If there were multiple users logged in at that time and you have root access you can check .bash_history
files in the profile directories (for CentOS should be found somewhere in /home
e.g if your server is part of a domain /home/domain/username ).
If you're greping for a "reboot" command specifically I'd also note that shutdown -r
also reboots the server so don't be caught out.
ssh
look inauth.log
to see who was logged in around that time.reboot
... and I want to know which IP he have/log/var/
I don't haveauth.log
- I read about that all is passed to/var/log/secure
but there I couldn't evengrep reboot
anything