Linux - Forensics - Get Reboot History

What the reboot history retriever does

This Automox Worklet™ leverages the `last reboot` command to extract complete reboot history from your Linux endpoints. The Worklet queries the system's wtmp and btmp log files stored in /var/log to retrieve all recorded restart events, then formats the data into a clear table showing the kernel version, day of week, date, and time of each reboot.

The Worklet processes raw log data using AWK scripting to create columns for Event, Kernel Version, Day of Week, Month, Day, and Reboot Time. This structured output is then sent directly to your Automox Activity Log, making it easy to analyze reboot patterns without manual log file inspection.

Why audit system reboot history

Tracking reboot history is critical for IT operations and security teams. Unexpected or unauthorized reboots can indicate system instability, failed updates, unauthorized access, or malicious activity. By maintaining a centralized record of all endpoint restarts, you can correlate reboots with other system events and identify anomalies that require investigation.

Compliance frameworks often require audit trails of system state changes, including restarts. This Worklet provides the forensic data needed to demonstrate compliance and support incident response investigations. You also gain visibility into whether scheduled maintenance reboots completed successfully or identify endpoints that require troubleshooting.

How reboot history collection works

1. Evaluation phase: The evaluation script exits with status 1 to always trigger remediation, verifying the reboot history collection runs every time the Worklet executes.

2. Remediation phase: The remediation script calls the get_history function, which runs `last reboot` and pipes the output through AWK to format it as a table with aligned columns, then outputs the formatted history to the Activity Log.

Reboot history collection requirements

• Linux endpoints with bash shell support

• Access to /var/log/wtmp and /var/log/btmp log files (typically available to root or Automox agent process)

• Standard Linux utilities: last, awk, printf (included in all major Linux distributions)

• Works on both workstations and servers with any recent Linux kernel version

Expected reboot audit trail after collection

When the Worklet completes successfully, your Automox Activity Log will contain a formatted table with all recorded system reboots. Each row displays the boot event, kernel version involved, day of week, month, day, and time for that reboot. This data remains in the Activity Log for historical reference and can be exported for further analysis or compliance reporting.

If the Worklet encounters an error retrieving the reboot history, it logs a descriptive error message indicating the failure. You can then check the endpoint's log files manually or verify that the Automox agent has sufficient permissions to access the wtmp log files. The structured format makes it easy to spot patterns, such as regular scheduled reboots versus unexpected restarts that may need investigation.

How to validate get reboot history changes

1. Run this Worklet on a pilot Linux endpoint and review evaluation output for get reboot history.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as exit.

4. Validate remediation effects from script operations such as function, last, exit, then rerun evaluation for compliance.