cyberz
Level 7

Reason for reboot - logfile?

Hi,

In which log file can I find information about the reason for a reboot?

I have looked through audit.log and messages.log.

Unfortunately I found no reason.

The reboot was at around 12:50:


messages:

Mar 19 12:24:03 fw-xxx sshd[40599]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key

Mar 19 12:24:03 fw-xxx sshd[40599]: fatal: Access denied by access control rule.

Mar 19 12:31:23 fw-xxx sshd[40606]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key

Mar 19 12:31:23 fw-xxx sshd[40606]: fatal: Access denied by access control rule.

Mar 19 12:36:13 fw-xxx sshd[40611]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key

Mar 19 12:36:13 fw-xxx sshd[40611]: fatal: Access denied by access control rule.

Mar 19 12:45:38 fw-xxx sshd[40616]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key

Mar 19 12:45:38 fw-xxx sshd[40616]: fatal: Access denied by access control rule.

Mar 19 12:50:41 fw-xxx ntpd[36740]: ntpd exiting on signal 15

Mar 19 12:50:41 fw-xxx sshd[4904]: Received signal 15; terminating.

Mar 19 12:50:51 fw-xxx ntpd[40657]: ntpd 4.2.0-r Thu Aug 11 12:41:19 CDT 2005 (1)

Mar 19 12:50:51 fw-xxx sshd[40660]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key

Mar 19 12:50:51 fw-xxx sshd[40660]: Server listening on X.X.X.203 port 22.

Mar 19 12:50:51 fw-xxx sshd[40660]: Server listening on X.X.X.244 port 22.

Mar 19 12:50:51 fw-xxx sshd[40660]: Server listening on X.X.X.243 port 22.

Mar 19 12:50:51 fw-xxx sshd[40660]: Server listening on X.X.X.9 port 22.

Mar 19 12:50:51 fw-xxx sshd[40660]: Server listening on X.X.X.250 port 22.

Mar 19 12:50:51 fw-xxx sshd[40660]: Server listening on X.X.X.240 port 22.

Mar 19 12:50:51 fw-xxx sshd[40660]: Server listening on X.X.X.202 port 22.

Mar 19 12:50:51 fw-xxx sshd[40660]: Server listening on X.X.X.38 port 22.

1 Reply
sliedl
Level 14

Re: Reason for reboot - logfile?

Do a search in the audit like this on the command-line:

$> acat -e "cmd startmsg"

This audit happens when the firewall boots back up.  Once you find this message you go back in the audit (back in time) and see if there is any message indicating why the firewall rebooted.  You'd run 'acat | less', hit the / key and type startmsg and hit Enter, then arrow-up to search for a message.  Most likely there will not be any indication in the audit unless you specifically rebooted the firewall with a command.

Run a command to see if the partitions are full.  If a partition fills up it can cause the firewall to crash:

$> df

(The /dev partition will always be 100%, so ignore it)

Look for core files from the time of the reboot:

$> ll /var/crash

$> ll /var/log/crash

$> ll /var/diagnostic

You can look in /var/log/daemond.log also to see if anything stands out.

When you run 'cf package list' what is the output?  What version is this firewall running?
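
Added example, not part of either post above: a small shell/awk triage that reads a messages-style log and reports, for each daemon that comes back up, whether it logged a signal 15 (SIGTERM) shortly before, which separates an orderly stop from one with no termination logged. The function name `restart_triage`, the 120-second window and both sample logs are assumptions made for this illustration; the samples are constructed, modelled on the excerpt in the question.

```shell
#!/bin/sh
# Added example (not from the thread): classify daemon restarts in a
# syslog-style messages file. Assumes the "Mon DD HH:MM:SS host prog[pid]:"
# layout shown in the question and that all lines fall on the same day.

restart_triage() {   # usage: restart_triage [window_seconds] < messages
    awk -v window="${1:-120}" '
    function secs(t,   p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
    {   # "sshd[4904]:" -> prog="sshd", pid="4904"
        i = index($5, "["); j = index($5, "]")
        prog = substr($5, 1, i - 1); pid = substr($5, i + 1, j - i - 1)
        now = secs($3)
    }
    # Signal 15 is SIGTERM: the daemon was asked to stop.
    /signal 15/ { term[prog] = now; next }
    # Startup markers: sshd bind lines and the ntpd version banner.
    /Server listening on/ || ($6 == "ntpd" && $7 ~ /^[0-9]/) {
        if ((prog, pid) in seen) next      # report each new process once
        seen[prog, pid] = 1
        if ((prog in term) && now - term[prog] >= 0 && now - term[prog] <= window)
            printf "%s sigterm %d\n", prog, now - term[prog]
        else
            printf "%s abrupt -\n", prog
    }'
}

sample_orderly() {   # constructed, modelled on the excerpt in the question
    cat <<'EOF'
Mar 19 12:45:38 fw-xxx sshd[40616]: fatal: Access denied by access control rule.
Mar 19 12:50:41 fw-xxx ntpd[36740]: ntpd exiting on signal 15
Mar 19 12:50:41 fw-xxx sshd[4904]: Received signal 15; terminating.
Mar 19 12:50:51 fw-xxx ntpd[40657]: ntpd 4.2.0-r Thu Aug 11 12:41:19 CDT 2005 (1)
Mar 19 12:50:51 fw-xxx sshd[40660]: Server listening on X.X.X.203 port 22.
Mar 19 12:50:51 fw-xxx sshd[40660]: Server listening on X.X.X.244 port 22.
EOF
}

sample_abrupt() {    # constructed: sshd comes back with no SIGTERM logged
    cat <<'EOF'
Mar 19 12:45:38 fw-xxx sshd[40616]: fatal: Access denied by access control rule.
Mar 19 12:58:02 fw-xxx sshd[301]: Server listening on X.X.X.203 port 22.
EOF
}

sample_orderly | restart_triage
```

Each output line is `program verdict gap-in-seconds`. A `sigterm` verdict means the daemon was told to stop before it restarted; an `abrupt` verdict means no termination was logged, which is when the disk-space and core-file checks are the next place to look.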
