You need to dig in the system logs. I would use the console. SSH to your IPFire and use:
cat /var/log/messages | grep "ipfire shutdown"
Keep in mind that the logs are rotated periodically and the older ones are gzip archived. In that case you could use zcat instead of cat:
zcat /var/log/messages.1.gz | grep "ipfire shutdown"
The scheme of the archiving is messages.n.gz, where n is an incremental number, and the most recent archived log is messages.1.gz while the oldest is
Once you identify the exact moment of the reboot and in which archive it was logged you can zoom in and see what happened next, by using -An and -Bn grep switches. Where -An shows n lines after the positive term found by grep and -Bn shows n lines before.
For example, in my case the last reboot was logged in messages.3.gz. If I want to see one line before the reboot, and 5 lines after I type:
zcat /var/log/messages.1.gz | grep -A5 -B1 "ipfire shutdown"
and this is what I get:
Jun 14 14:20:52 ipfire ipfire: Rebooting IPFire
Jun 14 14:20:52 ipfire shutdown: shutting down for system reboot
Jun 14 14:20:52 ipfire init: Switching to runlevel: 6
Jun 14 14:20:58 ipfire squid: Squid Parent: squid-1 process 18486 exited with status 0
Jun 14 14:20:59 ipfire squid: squid shutdown time: 6 seconds
Jun 14 14:21:00 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00:0d:b9:42:68:92:00:00:f7:f7:02:56:08:00 SRC=18.104.22.168 DST=cut LEN=40 TOS=0x00 PREC=0x00 TTL=231 ID=18384 PROTO=TCP SPT=54126 DPT=53033 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 14 14:21:02 ipfire ntpd: ntpd exiting on signal 15 (Terminated)
Jun 14 14:26:59 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00:0d:b9:42:68:92:00:00:f7:f7:02:56:08:00 SRC=22.214.171.124 DST=cut LEN=40 TOS=0x00 PREC=0x00 TTL=233 ID=54321 PROTO=TCP SPT=44799 DPT=18245 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 14 14:27:00 ipfire shutdown: shutting down for system reboot
Jun 14 14:27:00 ipfire init: Switching to runlevel: 6
Jun 14 14:27:00 ipfire kernel: DROP_HOSTILE IN=red0 OUT= MAC=00:0d:b9:42:68:92:00:00:f7:f7:02:56:08:00 SRC=126.96.36.199 DST=cut LEN=40 TOS=0x00 PREC=0x00 TTL=237 ID=54321 PROTO=TCP SPT=42017 DPT=83 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 14 14:27:06 ipfire kernel: DNAT IN=red0 OUT= MAC=00:0d:b9:42:68:92:00:00:f7:f7:02:56:08:00 SRC=188.8.131.52 DST=cut LEN=64 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=50640 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 14 14:27:06 ipfire kernel: FORWARDFW IN=red0 OUT=orange0 MAC=00:0d:b9:42:68:92:00:00:f7:f7:02:56:08:00 SRC=184.108.40.206 DST=10.1.2.100 LEN=64 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=50640 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 14 14:27:06 ipfire kernel: IPv4: martian source 220.127.116.11 from 10.1.2.100, on dev green0
As you can see, the kernel keeps logging everything and therefore you also have events uncorrelated to what you are looking for, and it might be necessary to zoom in more deeply, like using “-A20”.
A quick and dirty way to search all the archived logs in one go, is to use in the prompt of the console a one line shell script like this:
for LOG in /var/log/messages.*; do zcat "$LOG" | grep "ipfire shutdown"; done
There is more than one way to search the log. This is just how I do it.
Edit: I forgot, there is a very handy version of grep that directly reads a gzip file, zgrep. This simplifies the command line by eliminating zcat completely. This is useful if you want to know which file contains the log of interest.
for LOG in /var/log/messages.*; do zgrep -l "ipfire shutdown" "$LOG"; done
If you want to see the matched line AND the file where it was matched, instead of
-l switch you can use the
For example, in my system:
for LOG in /var/log/messages.*; do zgrep -H "ipfire shutdown" "$LOG"; done
gives me this (cut after third line):
/var/log/messages.10.gz:Apr 30 10:26:30 ipfire shutdown: shutting down for system reboot
/var/log/messages.11.gz:Apr 23 19:50:46 ipfire shutdown: shutting down for system reboot
/var/log/messages.12.gz:Apr 15 17:24:44 ipfire shutdown: shutting down for system reboot
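An added example, not part of the original post: the glob in the loops above expands in lexical order (messages.10.gz before messages.2.gz), so this sketch sorts by rotation number to print reboot markers oldest first and also reads the live, uncompressed log. The function names, the directory argument and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# find_reboots [DIR] [PATTERN]: print "file:line" for every match in
# DIR/messages and DIR/messages.N[.gz], oldest archive first.
find_reboots() {
    dir=${1:-/var/log}
    pattern=${2:-ipfire shutdown}
    for f in "$dir"/messages "$dir"/messages.*; do
        [ -f "$f" ] || continue
        n=${f##*/messages}          # "", ".3" or ".3.gz"
        n=${n#.}; n=${n%.gz}
        case $n in
            '') n=0 ;;              # live log sorts as the newest
            *[!0-9]*) continue ;;   # skip anything that is not messages.N[.gz]
        esac
        printf '%s\t%s\n' "$n" "$f"
    done | sort -rn | cut -f2- |
    while IFS= read -r f; do
        # gzip -cdf decompresses .gz files and passes plain files through
        gzip -cdf -- "$f" | grep -F -- "$pattern" |
            awk -v name="${f##*/}" '{ print name ":" $0 }'
    done
}

# Constructed sample logs so the function can be tried off the firewall.
demo_reboots() {
    tmp=$(mktemp -d) || return 1
    line='ipfire shutdown: shutting down for system reboot'
    printf 'Jun 14 14:27:00 %s\n' "$line" > "$tmp/messages"
    printf 'Apr 30 10:26:30 %s\n' "$line" | gzip -c > "$tmp/messages.2.gz"
    printf 'Apr 15 17:24:44 %s\n' "$line" | gzip -c > "$tmp/messages.10.gz"
    printf 'May 02 08:00:00 ipfire ntpd: time sync\n' | gzip -c > "$tmp/messages.1.gz"
    find_reboots "$tmp"
    rm -rf "$tmp"
}

demo_reboots
```

On the firewall itself, call `find_reboots /var/log` instead of the demo function.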