security

Dustin Kempter dustink at consistentstate.com
Tue Mar 11 18:38:55 UTC 2014


We've looked in /var/log/messages, and in the /var/log/security file

No smoking gun, only thing we have so far is this:


In the postgres log we see this:
2014-03-07 15:58:09 MST [27223]: [18-1] db=,user=,host= LOG:  received smart shutdown request

This indicates the db received a shutdown request, which can only be run 2 ways:
1) via pg_ctl as the postgres user
2) as a service as root

We looked at the .bash_history file for postgres and see no entries for
pg_ctl. However, we do see the service stop command in the root
.bash_history file, but we have no timestamps in the bash_history file.

Are there other log files we can leverage for this search?


On Tue, Mar 11, 2014 at 11:30 AM, Dustin Kempter <dustink at consistentstate.com> wrote:

> Hi,
>
> We have a server (CentOS 6.4) running PostgreSQL. Recently someone shut
> the db down and we want to find out who did this...
>
> I see the db shutdown request in the postgresql log, and I suspect it was
> run as root (as a service) because we do not see any relevant shutdown
> commands in the postgres user's bash history file
>
> Can someone point me in the right direction per figuring this out, who ran
> the command (I suspect it was root)? If so, where did the offending login
> come from (I.P.)? etc...
>
> Thanks
>
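
One way to narrow down the question asked above, as an added example that is not part of the original post: take the timestamp of the shutdown line from the PostgreSQL log and list the sshd logins and su escalations recorded in the window before it. It assumes the authentication log uses the standard syslog sshd/su line format (on CentOS this is normally /var/log/secure) and that both logs are in the same local time zone; the sample entries, host name, users and IP addresses are constructed.

```python
import re
from datetime import datetime, timedelta

# Shutdown line from the PostgreSQL log quoted in the post.
PG_LINE = ("2014-03-07 15:58:09 MST [27223]: [18-1] db=,user=,host= LOG:  "
           "received smart shutdown request")

# Constructed sample in sshd/su syslog format (host, users and IPs are made up).
SECURE_SAMPLE = """\
Mar  7 09:12:03 dbhost sshd[21110]: Accepted publickey for backup from 192.0.2.7 port 40022 ssh2
Mar  7 15:51:40 dbhost sshd[27001]: Failed password for root from 198.51.100.23 port 51811 ssh2
Mar  7 15:52:02 dbhost sshd[27001]: Accepted password for root from 198.51.100.23 port 51811 ssh2
Mar  7 15:55:17 dbhost sshd[27150]: Accepted publickey for alice from 192.0.2.44 port 60214 ssh2
Mar  7 15:56:30 dbhost su: pam_unix(su:session): session opened for user root by alice(uid=500)
Mar  7 16:20:45 dbhost sshd[27900]: Accepted password for root from 192.0.2.44 port 60990 ssh2
"""

# (kind, regex) where group 1 is the account and group 2 is where it came from:
# a source IP for ssh, the invoking user for su.
PATTERNS = [
    ("ssh", re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port")),
    ("su", re.compile(r"su: pam_unix\(su(?:-l)?:session\): "
                      r"session opened for user (\S+) by (\S+)\(")),
]

def pg_event_time(line):
    """Timestamp of a PostgreSQL log line (zone name dropped, host-local time)."""
    return datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")

def syslog_time(line, year):
    """Syslog timestamps carry no year, so it is taken from the event."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def candidates(pg_line, secure_text, window_minutes=30):
    """Logins and su escalations in the window leading up to the shutdown."""
    event = pg_event_time(pg_line)
    start = event - timedelta(minutes=window_minutes)
    hits = []
    for line in secure_text.splitlines():
        try:
            ts = syslog_time(line, event.year)
        except ValueError:          # not a syslog-formatted line
            continue
        if not (start <= ts <= event):
            continue
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if m:
                hits.append((ts.strftime("%H:%M:%S"), kind, m.group(1), m.group(2)))
    return hits
```

The result is a shortlist of sessions to check against the root .bash_history entry, not proof of who ran the command.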