Syslog analysis: Investigating the cause of system reboot in Linux systems

In this page

  • Introduction
  • How is a reboot event recorded
  • Gaining insights on Linux reboot events

A Linux system on your network may shut down or reboot for several reasons. Some of the common ones are:

  • Power failure
  • Software/hardware error
  • Memory failure
  • Unauthorized user action

Reboots and shutdowns are critical system events, so you should regularly monitor the syslog messages that record them.

A user on a Linux system can shut it down or reboot it from the command line. The basic syntax is shutdown [OPTIONS] [TIME] [MESSAGE]; for example, shutdown -r now reboots the system immediately, and on systemd-based hosts systemctl reboot or systemctl poweroff does the same job. All of these require root, so an ordinary user normally runs them through sudo.

When a user shuts down a system manually, the command is recorded in the authentication log (/var/log/auth.log on Debian and Ubuntu, /var/log/secure on RHEL-family systems): the sudo entry that granted the privilege names the user, the TTY, and the exact command. Because the user may have logged in remotely, the sshd entries immediately before it show where the session came from. The reboot itself is also written to wtmp, so last -x lists every shutdown and reboot with its time, and on systemd hosts journalctl --list-boots shows each boot.

How is a reboot event recorded

Dec 24 21:03:38 ip-172-31-34-37 sshd[1172]: pam_unix(sshd:session): session opened for user joker by (uid=0)
Dec 24 21:03:38 ip-172-31-34-37 systemd: pam_unix(systemd-user:session): session opened for user joker by (uid=0)
Dec 24 21:03:41 ip-172-31-34-37 sudo: joker : TTY=pts/0 ; PWD=/home/joker ; USER=root ; COMMAND=/sbin/shutdown -r now

In the events above, the user 'joker' opened an SSH session on the host (the sshd and systemd-user session lines), then used sudo to run /sbin/shutdown -r now as root, rebooting the system. Unless joker is an administrator who is authorized to reboot this host, this is unauthorized activity. The sudo line is the one to alert on, since it ties the user, the TTY, and the exact command together. To mitigate the impact of such critical events, you need real-time alerts, which is difficult when logs are reviewed manually.
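The check described above (find privileged shutdown or reboot commands in the authentication log and tie each one back to the SSH login that preceded it), as an added example; this is not code from the original page or from EventLog Analyzer. It parses the Debian/Ubuntu-style auth.log lines shown above plus the standard sshd "Accepted ... for USER from IP" line; the sample log, the host name, the user names, the IP addresses, and the authorized_users allow-list are all constructed for the example.

```python
"""Detect privileged shutdown/reboot commands in a Linux auth log and tie each
one back to the SSH login that preceded it. Added example; not from the page."""
import os
import re
import shlex
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample auth.log lines modelled on the event above; not a real capture.
SAMPLE_AUTH_LOG = """\
Dec 24 21:03:35 ip-172-31-34-37 sshd[1172]: Accepted password for joker from 203.0.113.5 port 51234 ssh2
Dec 24 21:03:38 ip-172-31-34-37 sshd[1172]: pam_unix(sshd:session): session opened for user joker by (uid=0)
Dec 24 21:03:41 ip-172-31-34-37 sudo:    joker : TTY=pts/0 ; PWD=/home/joker ; USER=root ; COMMAND=/sbin/shutdown -r now
Dec 24 21:10:02 ip-172-31-34-37 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Dec 24 21:11:50 ip-172-31-34-37 sshd[1301]: Accepted publickey for ops from 198.51.100.7 port 40022 ssh2
Dec 24 21:12:15 ip-172-31-34-37 sudo:      ops : TTY=pts/2 ; PWD=/home/ops ; USER=root ; COMMAND=/usr/bin/systemctl reboot
Dec 24 21:15:00 ip-172-31-34-37 sudo:      ops : TTY=pts/2 ; PWD=/home/ops ; USER=root ; COMMAND=/usr/bin/systemctl status sshd
"""

# Syslog-format sudo line: "<ts> <host> sudo: <user> : TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# sshd success line, which carries the remote address of the session.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Binaries that halt or reboot the host outright, plus two that need an argument check.
DIRECT_SHUTDOWN = {"shutdown", "reboot", "poweroff", "halt"}
SYSTEMCTL_POWER = {"reboot", "poweroff", "halt", "kexec"}
INIT_POWER = {"0", "6"}


def is_shutdown_command(cmd: str) -> bool:
    """True if the sudo COMMAND field would stop or restart the system."""
    try:
        argv = shlex.split(cmd)
    except ValueError:          # unbalanced quotes; fall back to a plain split
        argv = cmd.split()
    if not argv:
        return False
    prog = os.path.basename(argv[0])   # match /sbin/shutdown as well as shutdown
    if prog in DIRECT_SHUTDOWN:
        return True
    if prog == "systemctl":
        return any(arg in SYSTEMCTL_POWER for arg in argv[1:])
    if prog in ("init", "telinit"):
        return any(arg in INIT_POWER for arg in argv[1:])
    return False


@dataclass
class ShutdownAlert:
    ts: str
    host: str
    user: str
    cmd: str
    src_ip: Optional[str]   # remote address of the user's last SSH login on that host, if seen
    authorized: bool        # user is on the allow-list supplied by the caller (assumed policy)


def find_shutdown_events(lines: Iterable[str], authorized_users=frozenset()) -> List[ShutdownAlert]:
    """One pass over auth.log lines: remember the latest SSH login per (host, user),
    then emit an alert for every privileged shutdown/reboot, tagged with that login's IP."""
    last_login: Dict[Tuple[str, str], str] = {}
    alerts: List[ShutdownAlert] = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            last_login[(m["host"], m["user"])] = m["ip"]
            continue
        m = SUDO_RE.match(line)
        if m and is_shutdown_command(m["cmd"]):
            alerts.append(ShutdownAlert(
                ts=m["ts"], host=m["host"], user=m["user"], cmd=m["cmd"],
                src_ip=last_login.get((m["host"], m["user"])),
                authorized=m["user"] in authorized_users,
            ))
    return alerts


if __name__ == "__main__":
    # Hypothetical policy: only the 'ops' account may reboot this host.
    for alert in find_shutdown_events(SAMPLE_AUTH_LOG.splitlines(), authorized_users={"ops"}):
        tag = "ok" if alert.authorized else "ALERT: unauthorized"
        print(f"{tag}: {alert.ts} {alert.host} {alert.user} from {alert.src_ip} ran '{alert.cmd}'")
```

Run against the sample it reports joker's reboot from 203.0.113.5 as unauthorized and the ops reboot as allowed, while ignoring apt and systemctl status. Two caveats for real use: syslog timestamps carry no year, so a long-running collector must supply it when ordering events across New Year, and hosts that log only to journald need journalctl -o short (or the JSON output) piped in rather than a file read.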

Though every server restart can be found by searching the kernel and authentication logs, manually sifting through syslog is time-consuming and error-prone. A log management solution can collect and parse the log data into meaningful information and generate out-of-the-box reports.

Gaining insights on Linux reboot events

EventLog Analyzer, a comprehensive log management solution, can help you monitor and secure your network. It provides real-time alerts and generates detailed reports for critical events such as system shutdowns and reboots.


What's next?

Pinpoint system reboot causes with EventLog Analyzer’s centralized event correlation and root cause analysis capabilities.