Boot Logs

Overview

Evidence: Boot Logs Description: Collect Boot Logs Category: System Platform: aix Short Name: bootl Is Parsed: No Sent to Investigation Hub: No Collect File(s): Yes

Background

AIX boot logs are stored in /var/adm/ras/bootlog and contain boot sequence information, initialization messages, and startup errors. The wtmp file tracks user login history and system reboots, providing important timeline information.

Data Collected

This collector gathers structured data about boot logs.

Collection Method

This collector gathers AIX boot logs from /var/adm/ras/bootlog* and wtmp files from /var/adm/wtmp*, capturing system boot history and user login tracking.

Forensic Value

AIX boot logs are valuable for investigating system startup anomalies, persistence mechanisms, boot-time malware, and establishing system reboot timelines. They help understand system initialization and identify unauthorized system modifications.

Notes

Artifact collector for AIX. Locations: /var/adm/ras/bootlog*, /var/adm/wtmp*