Recently I sat in a meeting and suddenly my VNC session to my workstation was killed. At first I thought we had some network problems, but then I found that my workstation had been rebooted!
But how to figure out who did this?
Luckily there's a nice command called last.

    # Show last logged in users
    last

This command basically uses the file /var/log/wtmp as its source. Unfortunately, this file seems to be rewritten after a reboot.

    # This file only goes back to the last reboot, so we need
    # to look around to find a previous version
    ls /var/log/wtmp*
    # => Output (filenames depend on your machine configuration,
    # I have a RHEL 7 box)
    #   wtmp-20160114
    # the file itself is not human readable but can be used
    # as input for last
    last -f /var/log/wtmp-20160114

Now I could clearly see who the bad guy was …
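
The wtmp file is not human readable because it is a sequence of fixed-size binary records. As an added example (not part of the original post), the following Python code parses that format directly and lists the sessions that were still open at each shutdown or boot record. It assumes the 384-byte Linux/glibc record layout used on x86_64; the function names and the records in SAMPLE are constructed for illustration.

```python
import struct

# Assumed layout: Linux/glibc utmp record on x86_64, 384 bytes (see `man 5 utmp`).
REC = struct.Struct("<h2xi32s4s32s256s2hi2i16s20x")
RUN_LVL, BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 1, 2, 7, 8

def _s(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse(data):
    """Yield (type, line, user, host, epoch_seconds) for each complete record."""
    for off in range(0, len(data) - REC.size + 1, REC.size):
        f = REC.unpack_from(data, off)
        yield f[0], _s(f[2]), _s(f[4]), _s(f[5]), f[9]

def logged_in_at_shutdown(data):
    """Return [(event, time, [(user, line, host, login_time), ...]), ...]."""
    open_sessions, events = {}, []
    for typ, line, user, host, ts in parse(data):
        if typ == USER_PROCESS:            # login on a tty/pts
            open_sessions[line] = (user, line, host, ts)
        elif typ == DEAD_PROCESS:          # logout on the same line
            open_sessions.pop(line, None)
        elif typ == BOOT_TIME or (typ == RUN_LVL and user == "shutdown"):
            # Whoever is still in open_sessions never logged out before this event.
            events.append(("boot" if typ == BOOT_TIME else "shutdown", ts,
                           sorted(open_sessions.values())))
            open_sessions.clear()
    return events

def make_record(typ, line, user, host, ts):
    """Build one record for the constructed sample below."""
    return REC.pack(typ, 0, line.encode(), b"", user.encode(), host.encode(),
                    0, 0, 0, ts, 0, b"")

# Constructed sample: two logins, one logout, then a shutdown and the next boot.
SAMPLE = b"".join([
    make_record(BOOT_TIME, "~", "reboot", "3.10.0", 1452500000),
    make_record(USER_PROCESS, "pts/0", "alice", "10.0.0.5", 1452760000),
    make_record(USER_PROCESS, "pts/1", "bob", "10.0.0.9", 1452761000),
    make_record(DEAD_PROCESS, "pts/0", "", "", 1452762000),
    make_record(RUN_LVL, "~", "shutdown", "3.10.0", 1452763000),
    make_record(BOOT_TIME, "~", "reboot", "3.10.0", 1452763060),
])

if __name__ == "__main__":
    import sys, time
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for event, ts, sessions in logged_in_at_shutdown(data):
        print(event, time.ctime(ts), sessions)
```

An open session only shows who was logged in at that moment; confirming who actually issued the reboot needs a second source such as the audit log.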