On Mon, 23 Jan 2017 14:28:33 -0400 francis picabia <fpica...@gmail.com> wrote:
> On Mon, Jan 23, 2017 at 2:18 PM, Greg Wooledge <wool...@eeg.ccf.org>
> wrote:
>
> > On Mon, Jan 23, 2017 at 02:12:04PM -0400, francis picabia wrote:
> > > I'm running Debian 8.6, and looking at old logs. I'd like to
> > > confirm when the system was rebooted to invoke the newer kernel
> > > which fixed the Dirty COW bug.
> >
> > last | grep boot
> >
> > or, apparently (according to the man page):
> >
> > last reboot
> >
> > > If I have a complete
> > > copy of my /var/log from last October,
> >
> > Urghhh. So it's not on a live system? It's on a chrooted disk
> > image? Then I think you need to use:
> >
> > last -f /some/path/wtmp reboot
> >
> > where /some/path/wtmp is the location of your chrooted disk image's
> > wtmp file.
> >
>
> I think I said I already tried that. There are no results from last
> pointed to any recovered wtmp file. It is a recovery of /var/log
> from backup tape.
>
> I even have psacct on that system. A command like
> lastcomm -f pacct | grep boot
> is returning nothing.

How about

grep -R debian-kernel /var/log/*

On my system (on a workstation) it returns the last dozen boots from
/var/log/kernel.log.1 and /var/log/messages.1. You'll need recent logs
after the reboot, as logrotate is in action here. In the old days,
dmesg.N would have stored several reboots, not on a time basis.

Going back further than logrotate, it is (still) possible to pull small
strings out of systemd journal files, but without timestamps, because
that's the bit journald handles. Using

strings /var/log/journal/*/* | grep debian-kernel

will confirm the records of what kernels systemd remembers; grepping
for rtc_cmos will return times of clock settings during boot.

Once you see the line that the debian-kernel grep returns, you can try
a direct grep with the exact kernel name to find the appropriate
journal file, then use strings | grep to match kernel version to
boot time.

Hopefully you only need to search a couple of files if you don't boot
often, but the filenames are painfully long.

-- 
Joe
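
The strings-and-grep procedure described in the message above, as an added example that is not part of the original post: it pairs each debian-kernel banner found in a recovered journal file with the rtc_cmos clock line that follows it. The function names, the `*.journal` file pattern, the assumed wording of the rtc_cmos message, and the sample record contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example: list the first boot of each kernel seen in recovered journal files.

# printable_strings FILE: strings(1) when installed, else a tr fallback.
printable_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings -a -n 8 "$1"
    else
        tr -c '[:print:]' '\n' < "$1"
    fi
}

# boots_in_file FILE: print "clock-time<TAB>kernel-banner", pairing each
# debian-kernel banner with the rtc_cmos clock line that follows it.
# Assumes the rtc_cmos line reads "... setting system clock to <time>".
boots_in_file() {
    printable_strings "$1" | awk '
        /Linux version .*debian-kernel/ {
            sub(/^.*Linux version /, "")      # drop MESSAGE= prefix
            kernel = $0; next
        }
        kernel != "" && /rtc_cmos.*setting system clock to / {
            sub(/^.*setting system clock to /, "")
            print $0 "\t" kernel
            kernel = ""                        # wait for the next banner
        }'
}

# boots_in_dir DIR: same, for every *.journal file under DIR, file name first.
boots_in_dir() {
    find "$1" -type f -name '*.journal' | sort | while IFS= read -r f; do
        boots_in_file "$f" | while IFS= read -r line; do
            printf '%s\t%s\n' "$f" "$line"
        done
    done
}

# write_sample FILE: constructed stand-in for a journal file (binary padding
# around text records); versions and times are invented for the demo.
write_sample() {
    printf '\001\002MESSAGE=Linux version 0.0.0-sample (debian-kernel@lists.debian.org) #1 SMP\000\003' > "$1"
    printf 'MESSAGE=rtc_cmos 00:02: setting system clock to 2016-01-01 00:00:00 UTC (1451606400)\000' >> "$1"
    printf '\004MESSAGE=rtc_cmos 00:02: setting system clock to 2016-01-02 00:00:00 UTC (1451692800)\000' >> "$1"
}

if [ "$#" -gt 0 ]; then boots_in_dir "$1"; fi
```

journald stores identical field data once per file, so a kernel that booted several times within one journal file shows a single banner; the script reports the first clock line after it and ignores later rtc_cmos lines that have no banner of their own.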