1 Reply Latest reply on Mar 19, 2015 12:31 PM by sliedl

    Reason for reboot - logfile?

    cyberz

      Hi,

       

      in which log file can I find information about the reason for reboot?


      I have looked through audit.log and messages.log


      unfortunately I found no reason


      against 12:50 was the reboot:


      messages:

      Mar 19 12:24:03 fw-xxx sshd[40599]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key

      Mar 19 12:24:03 fw-xxx sshd[40599]: fatal: Access denied by access control rule.

      Mar 19 12:31:23 fw-xxx sshd[40606]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key

      Mar 19 12:31:23 fw-xxx sshd[40606]: fatal: Access denied by access control rule.

      Mar 19 12:36:13 fw-xxx sshd[40611]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key

      Mar 19 12:36:13 fw-xxx sshd[40611]: fatal: Access denied by access control rule.

      Mar 19 12:45:38 fw-xxx sshd[40616]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key

      Mar 19 12:45:38 fw-xxx sshd[40616]: fatal: Access denied by access control rule.

      Mar 19 12:50:41 fw-xxx ntpd[36740]: ntpd exiting on signal 15

      Mar 19 12:50:41 fw-xxx sshd[4904]: Received signal 15; terminating.

      Mar 19 12:50:51 fw-xxx ntpd[40657]: ntpd 4.2.0-r Thu Aug 11 12:41:19 CDT 2005 (1)

      Mar 19 12:50:51 fw-xxx sshd[40660]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key

      Mar 19 12:50:51 fw-xxx sshd[40660]: Server listening on X.X.X.203 port 22.

      Mar 19 12:50:51 fw-xxx sshd[40660]: Server listening on X.X.X.244 port 22.

      Mar 19 12:50:51 fw-xxx sshd[40660]: Server listening on X.X.X.243 port 22.

      Mar 19 12:50:51 fw-xxx sshd[40660]: Server listening on X.X.X.9 port 22.

      Mar 19 12:50:51 fw-xxx sshd[40660]: Server listening on X.X.X.250 port 22.

      Mar 19 12:50:51 fw-xxx sshd[40660]: Server listening on X.X.X.240 port 22.

      Mar 19 12:50:51 fw-xxx sshd[40660]: Server listening on X.X.X.202 port 22.

      Mar 19 12:50:51 fw-xxx sshd[40660]: Server listening on X.X.X.38 port 22.

        • 1. Re: Reason for reboot - logfile?
          sliedl

          Do a search in the audit like this on the command-line:

          $> acat -e "cmd startmsg"

          This audit happens when the firewall boots back up.  Once you find this message you go back in the audit (back in time) and see if there is any message indicating why the firewall rebooted.  You'd run 'acat | less', hit the / key and type startmsg and hit Enter, then arrow-up to search for a message.  Most likely there will not be any indication in the audit unless you specifically rebooted the firewall with a command.

           

          Run a command to see if the partitions are full.  If a partition fills up it can cause the firewall to crash:

          $> df

          (The /dev partition will always be 100%, so ignore it)

           

          Look for core files from the time of the reboot:

          $> ll /var/crash

          $> ll /var/log/crash

          $> ll /var/diagnostic

           

          You can look in /var/log/daemond.log also to see if anything stands out.

           

          When you run 'cf package list' what is the output?  What version is this firewall running?