Skip to content
AIR Knowledge Base

Boot Logs

Overview

Section titled “Overview”

Evidence: Boot Logs
Description: Collect Boot Logs
Category: System
Platform: aix
Short Name: bootl
Is Parsed: No
Sent to Investigation Hub: No
Collect File(s): Yes

Background

Section titled “Background”

AIX boot logs are stored in /var/adm/ras/bootlog and contain boot sequence information, initialization messages, and startup errors. The wtmp file tracks user login history and system reboots, providing important timeline information.

Data Collected

Section titled “Data Collected”

This collector gathers structured data about boot logs.

Collection Method

Section titled “Collection Method”

This collector gathers AIX boot logs from /var/adm/ras/bootlog* and wtmp files from /var/adm/wtmp*, capturing system boot history and user login tracking.

Forensic Value

Section titled “Forensic Value”

AIX boot logs are valuable for investigating system startup anomalies, persistence mechanisms, boot-time malware, and establishing system reboot timelines. They help understand system initialization and identify unauthorized system modifications.

Notes

Section titled “Notes”

Artifact collector for AIX. Locations: /var/adm/ras/bootlog*, /var/adm/wtmp*