Does this log indicate the server reboooted?

syslog

I have a webserver I think rebooted at some point .. mostly because apache wasn't serving sites and it usually does that when someone starts it and doesn't enter the SSL cert's password ... and a reboot/start fixed the problem. Looking around in /var/log/messages, the very first log entries today are:

Jun 30 05:17:40 localhost kernel: imklog 4.2.0, log source = /proc/kmsg started.
Jun 30 05:17:40 localhost rsyslogd: [origin software="rsyslogd" swVersion="4.2.0" x-pid="393" x-info="http://www.rsyslog.com"] (re)start
Jun 30 05:17:40 localhost rsyslogd: rsyslogd's groupid changed to 103
Jun 30 05:17:40 localhost rsyslogd: rsyslogd's userid changed to 101

I'm assuming that means it was a reboot, but I know so little about real server administration, I wanted to verify this. I can post the rest of messages if it would be helpful. The entry prior to these, was the following once per day:

Jun 29 06:34:11 localhost rsyslogd: [origin software="rsyslogd" swVersion="4.2.0" x-pid="350" x-info="http://www.rsyslog.com"] rsyslogd was HUPed, type 'lightweight'.

So do these indicate a server reboot as I am guessing? Is there any way to determine what caused the reboot? Or if a person did it?


Easiest way to see if it recently rebooted is just to type,

uptime

If you want to check over intentional reboots, then type,

lastlog

If there is no record of a deliberate reboot or power button press, yet it had restarted, you'll have to begin a standard diagnostic procedure to find out why it restarted. Start by looking ar server graphs for memory over allocation or overheating. There are quite a few things that can cause random reboots that won't log (kernel panic, watchdog etc.) - but remotely logging the serial console will give you this vital information.


uptime will show you how long it's been up since the last reboot.

last will show you the last logged in users, and it will also show you if it detects a regular reboot request.

who will show you who is logged on now. Make sure that you are the only one logged in or that you can account for all connections.

Of more importance are the lines before that syslog line. It might give us something, and it might not. Contact whomever is hosting your server and see if they had some kind of scheduled or unscheduled power outage or reboot. The most concerning thing is not that the server was rebooted, but that it was done without your knowledge. Also note that flaky or failing hardware can sometimes reboot on its own, so contacting your hosting provider to find out if they did it or detected anything should be your first step.

Related

Should a foreground program invoked by a daemon split logging between stderr and stdout based on severity levels?
Change php error reporting to hide warnings for specific site only [Debian|Ubuntu]
How to schedule a task to run every x-minutes on Windows Server 2003 R2
Openvpn server not forwarding ping traffic from tun0 to eth0 for rest of the hosts in the subnet
Unable to use autossh in background even with absolute path
Test a server for byte range support?
How to add debian "testing" repository to apt-get [duplicate]
Add a Home directory for already created user when no direct root login available
Parseable NGINX accesslog files with delimiters
PHP-FPM service status `stop/waiting` but workers are running?
How do I configure an NFS server to accept all mount requests?
Rewrite Rule before Proxypass