Former Member
Message 1 of 4

Restart detection for a Linux server

Hi,

I have created a rule to detect whether any of the Linux servers in my datacenter is restarted. In case any such event occurs the rule should fire; for this I used the normalized rule of system shutdown and abnormal shutdown.

This was working well when a server which has WebLogic running on it went down, but recently my other server went down and we didn't get any alarm for it. Can anyone help me by suggesting any other method to detect the shutting down or restart of a Linux server? Is there a uniform log we receive from Linux when the system goes down?


Ravi Mallah

3 Replies
Former Member
Message 2 of 4

Re: Restart detection for a Linux server

I ran some tests across a couple of distributions and I don't see a consistent and reliable indicator in the logs that a system is going down every time. And that's when I'm intentionally shutting it down. I have no chance to get a log when there is a power outage or other external factors. I think system availability is a great use case; however, I think that the data source should be collected from a 3rd party device like the network monitoring tool. Do you use something like Nagios on your network that could generate up/down events for you?

Former Member
Message 3 of 4

Re: Restart detection for a Linux server

Hi Andy,

I don't use tools like Nagios, but I do have a test setup and I have tried shutting the system down with a command and also by turning the power off. Similar to your finding, even I am unable to detect any uniform pattern or service which may be used to trigger an alarm for the system going down.

Have you ever tried the out-of-the-box normalized rule for detection of system shutdown/restart?

Former Member
Message 4 of 4

Re: Restart detection for a Linux server

Thank you for that idea. You're able to go into the Policy Editor and filter the rules under both ASP and Data Source for the Normalized ID and see all of the events that are mapped to it. I don't see any events that are in the Linux rule set so we know the SIEM agrees there's not a common Linux shutdown log.


As I said though, I like the use case even if we need to get a little creative with it. Some of the options to consider might be:

1. Consider any boot-up logs that you see consistently. Is there anything unique enough that you would only see it on an actual boot as opposed to just a service restart? For instance, one thing I do consistently see is syslog starting back up, but I get the same messages when I restart the service so it's not definitive.

2. You could use a shell alias in the login scripts:

# x.x.x.x is the remote syslog receiver; $(...) is expanded once, when the login script defines the alias
alias reboot="logger -n x.x.x.x $(echo "REBOOT issued for $HOSTNAME by $USER from $SSH_CLIENT");reboot"

alias halt="logger -n x.x.x.x $(echo "HALT issued for $HOSTNAME by $USER from $SSH_CLIENT");halt"

alias shutdown="logger -n x.x.x.x $(echo "SHUTDOWN issued for $HOSTNAME by $USER from $SSH_CLIENT");shutdown"

3. You could use a wrapper around the binaries.

cat /sbin/reboot


logger -n x.x.x.x $(echo "REBOOT issued for $HOSTNAME by $USER from $SSH_CLIENT")


Then a simple regex to parse the line might look like:
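
An added example, not part of the original post and not the poster's regex: one way to parse the "issued" messages written by the aliases above and pair them with later syslog start-ups, so a start-up with no preceding event from that host stands out. The sample lines are constructed, and the rsyslog start-up pattern and the names `parse_issued` and `classify` are assumptions.

```python
import re

# Message body written by the logger aliases/wrapper shown in the thread.
# $SSH_CLIENT is "<client_ip> <client_port> <server_port>" for an SSH session
# and empty on a console login, so the three trailing fields are optional.
ISSUED_RE = re.compile(
    r"\b(?P<action>REBOOT|HALT|SHUTDOWN) issued for (?P<host>\S+) by (?P<user>\S+)"
    r" from(?: (?P<src_ip>\S+) (?P<src_port>\d+) (?P<dst_port>\d+))?\s*$"
)
# Assumption: the syslog daemon is rsyslog and its start-up line ends in "] start".
SYSLOG_START_RE = re.compile(r"^\S+\s+\d+ [\d:]+ (?P<host>\S+) rsyslogd: .*\] start$")

def parse_issued(line):
    """Return the fields of an operator-issued event, or None if no match."""
    m = ISSUED_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["origin"] = "ssh" if event["src_ip"] else "console"
    return event

def classify(lines):
    """Pair each syslog start with a prior issued event from the same host."""
    pending = {}   # host -> issued event not yet followed by a syslog start
    findings = []
    for line in lines:
        event = parse_issued(line)
        if event:
            pending[event["host"]] = event
            continue
        m = SYSLOG_START_RE.match(line)
        if m:
            host = m.group("host")
            prior = pending.pop(host, None)
            # No prior event: a service restart or an unclean shutdown
            # (power loss, crash); the log alone cannot tell them apart.
            verdict = "announced" if prior else "unexplained"
            findings.append((host, verdict, prior["user"] if prior else None))
    return findings

# Constructed sample lines, as they might be stored by the receiver.
SAMPLE_LINES = [
    "Mar  3 10:15:02 web01 ravi: REBOOT issued for web01 by ravi from 10.0.0.5 51234 22",
    'Mar  3 10:16:40 web01 rsyslogd: [origin software="rsyslogd" x-pid="701"] start',
    "Mar  3 11:02:17 db02 root: HALT issued for db02 by root from",
    'Mar  3 12:30:09 app03 rsyslogd: [origin software="rsyslogd" x-pid="688"] start',
]

if __name__ == "__main__":
    print(classify(SAMPLE_LINES))
```

An "unexplained" start still needs an external up/down source to separate a syslog service restart from a power loss.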

