1

Hello there, I'm trying to find out who made the last reboot on my server.

I know the commands last reboot | head -1 and last -d reboot, but they don't show the client IP it was done from.

I have a Linux CentOS7 server.

I know it's kinda difficult to find, but maybe someone can help. I don't have any ideas now.

Regards

6
  • If it was done over ssh, look in auth.log to see who was logged in around that time.
    – LawrenceC
    Commented Jul 10, 2018 at 13:37
  • The problem is that I was logged in and someone else was too at the same time, and I didn't know that, and that "someone" made the reboot... and I want to know which IP he has
    – TheTanadu
    Commented Jul 10, 2018 at 13:38
  • IIRC that file tells you the IPs of whoever logs in.
    – LawrenceC
    Commented Jul 10, 2018 at 13:39
  • :thinking: Which tool do you suggest using? It's hard to find something about IIRC tools
    – TheTanadu
    Commented Jul 10, 2018 at 13:44
  • I found that in /log/var/ I don't have auth.log - I read that everything is passed to /var/log/secure, but there I couldn't even grep anything for reboot
    – TheTanadu
    Commented Jul 10, 2018 at 13:54

2 Answers

2

If the server was rebooted by a logged-in user, the last | less command will give you a history of people logged into the machine, the time of login and the IP of the connecting device. Search for the time that the server was rebooted and check who was logged in at that time.

If there were multiple users logged in at that time and you have root access, you can check the .bash_history files in the profile directories (for CentOS they should be found somewhere in /home, e.g. if your server is part of a domain, /home/domain/username).

If you're grepping for a "reboot" command specifically, I'd also note that shutdown -r also reboots the server, so don't be caught out.
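An added example, not part of the answer above: `last` marks a session that was cut off by a shutdown with "down" in its logout column, so filtering on that column lists every user and source address still connected when the host went down. The function name and the sample records are constructed for illustration, and the output is a candidate list, not proof of who issued the command.

```bash
#!/usr/bin/env bash
# Added example: list the sessions that were still open at the last shutdown.
# `last` prints newest records first, so the sessions belonging to the most
# recent shutdown sit between the first and the second "reboot" record.

# Constructed sample in `last -i` layout: user, tty, source, login - logout.
# Addresses come from documentation ranges, not from the question.
sample_last_output() {
cat <<'EOF'
carol    pts/0        198.51.100.7     Tue Jul 10 13:30   still logged in
reboot   system boot  0.0.0.0          Tue Jul 10 13:26   still running
alice    pts/1        203.0.113.20     Tue Jul 10 13:02 - down   (00:22)
bob      pts/0        198.51.100.7     Tue Jul 10 12:40 - down   (00:44)
dave     pts/2        192.0.2.44       Tue Jul 10 11:00 - 11:45  (00:45)
reboot   system boot  0.0.0.0          Mon Jul  9 08:00 - 13:24 (1+05:24)
erin     pts/0        192.0.2.9        Sun Jul  8 20:00 - down   (01:10)
EOF
}

# Reads `last -i` output on stdin and prints "user source login-time" for each
# session that ended with "down" before the most recent boot.
# Assumption: the source column is populated (as with -i); a record with an
# empty source column shifts the fields and is skipped.
open_at_last_shutdown() {
  awk '
    # A boot record separates one uptime period from the previous one.
    $1 == "reboot" && $2 == "system" { boots++; next }
    # Past the second boot record we are in an older uptime period: stop.
    boots >= 2 { exit }
    # Between the first and second boot record: sessions killed by shutdown.
    boots == 1 && $8 == "-" && $9 == "down" { print $1, $3, $4, $5, $6, $7 }
  '
}

# Demo on the constructed sample; on a real host: last -i | open_at_last_shutdown
sample_last_output | open_at_last_shutdown
```

Sessions that logged out normally before the shutdown (dave in the sample) are excluded, which is why this narrows the list more than reading `last` by eye.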

1

I would suggest first tracking the users who issued the reboot command, which can be done using the Linux audit system. See the answers here for details. Then, when you know the user name, you can proceed to tracking the IP.
