We had a system go offline this morning. The only thing in syslog is:
Mar 20 15:27:15 fooserver systemd[1]: Received SIGINT.
Mar 20 15:27:15 fooserver systemd[1]: Starting Synchronise Hardware Clock to System Clock...
Mar 20 15:27:15 fooserver systemd[1]: Stopping system-ifup.slice.
Mar 20 15:27:15 fooserver systemd[1]: Removed slice system-ifup.slice.
Mar 20 15:27:15 fooserver rsyslogd: [origin software="rsyslogd" swVersion="8.4.2" x-pid="579" x-info="http://www.rsyslog.com"] exiting on signal 15.
Then a five-hour gap until it was manually restarted.
When it came back up, everything operated as it should.
No other log files (I grepped for this time period in everything that was in /var/log) show anything unusual.
The best I've got so far is someone was in the equipment room and pressed the button (accidentally). But that's thin. Only a few people have access, and I don't think any were on site at that time.
Is there anywhere else to look for this? Or, perhaps, anything else I could set to monitor for this for next time?
I currently have this command running in screen trying to catch it for next time:
sysdig -p '%proc.pname[%proc.ppid]: %proc.name -> %evt.type(%evt.args)' evt.type=kill
0 Answers
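As an added example (not part of the original question), the following scans traditional-format syslog text for a signal logged by PID 1 that is followed by a long silence, the pattern in the excerpt above. The function names, the 10-minute threshold, the year 2017 and the final sample line are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# The first four lines are taken from the question's syslog; the last line is
# constructed to stand in for the first message after the manual restart.
SAMPLE = '''\
Mar 20 15:27:15 fooserver systemd[1]: Received SIGINT.
Mar 20 15:27:15 fooserver systemd[1]: Stopping system-ifup.slice.
Mar 20 15:27:15 fooserver systemd[1]: Removed slice system-ifup.slice.
Mar 20 15:27:15 fooserver rsyslogd: [origin software="rsyslogd" swVersion="8.4.2" x-pid="579" x-info="http://www.rsyslog.com"] exiting on signal 15.
Mar 20 20:31:02 fooserver rsyslogd: [origin software="rsyslogd" swVersion="8.4.2" x-pid="612" x-info="http://www.rsyslog.com"] start
'''

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ([^:\[\s]+)(?:\[(\d+)\])?: (.*)$")
SIGNAL = re.compile(r"Received (SIG[A-Z0-9+]+)")

def parse(line, year):
    """Split a traditional syslog line into (timestamp, program, pid, message)."""
    m = LINE.match(line)
    if not m:
        return None
    # The traditional syslog timestamp has no year, so the caller supplies it.
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)

def signal_shutdowns(text, year, min_gap=timedelta(minutes=10)):
    """Return (signal, received_at, gap) for each signal logged by PID 1
    that is followed by a silence of at least min_gap in the log."""
    events = [e for e in (parse(l, year) for l in text.splitlines()) if e]
    findings = []
    for i, (ts, prog, pid, msg) in enumerate(events):
        hit = SIGNAL.search(msg)
        if not (prog == "systemd" and pid == "1" and hit):
            continue
        # Walk forward from the signal to the first long silence.
        for prev, nxt in zip(events[i:], events[i + 1:]):
            gap = nxt[0] - prev[0]
            if gap >= min_gap:
                findings.append((hit.group(1), ts, gap))
                break
    return findings

if __name__ == "__main__":
    # year=2017 is an assumed value; the log excerpt does not state the year.
    for sig, when, gap in signal_shutdowns(SAMPLE, year=2017):
        print(f"PID 1 got {sig} at {when}; log silent for {gap}")
```

On systemd hosts the kernel delivers SIGINT to PID 1 when Ctrl-Alt-Del is pressed on a console, and systemd responds by starting ctrl-alt-del.target; a signal raised that way involves no kill() call, so a syscall trace filtered on evt.type=kill would not record it.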