How to Check Linux System Reboot History and Timestamp from Logs Like /var/log/messages


3 views

To verify system reboots on Linux, the most authoritative logs are typically found in:

  • /var/log/messages (traditional syslog)
  • /var/log/syslog (modern systems)
  • /var/log/boot.log (dedicated boot records)
  • /var/log/auth.log (for shutdown/reboot commands)

Look for these telltale entries:

# Shutdown/reboot initiated by user:
Jun 15 14:30:01 server systemd[1]: Stopping User Manager for UID 1000...
Jun 15 14:30:02 server systemd[1]: Stopped target Graphical Interface.

# System coming up:
Jun 15 14:32:45 server kernel: Linux version 5.4.0-135-generic
Jun 15 14:32:46 server systemd[1]: Starting Flush Journal to Persistent Storage...

For quick analysis, these commands are invaluable:

# Show last reboot time
$ last reboot | head -n 1
reboot   system boot  5.4.0-135-generic Tue Jun 15 14:32   still running

# Alternative using who -b
$ who -b
         system boot  2021-06-15 14:32

# Filter syslog for boot messages
$ journalctl --list-boots
-1 adf1b3e7f2a... Tue 2021-06-15 14:32:47 CEST—Tue 2021-06-15 16:18:03 CEST
 0 5c3d9f4a2b1... Tue 2021-06-15 16:18:12 CEST—Tue 2021-06-15 16:35:47 CEST

For monitoring scripts, consider this Python example:

import re
from datetime import datetime

def parse_reboots(logfile='/var/log/syslog'):
    pattern = r'(\w{3} \d{1,2} \d{2}:\d{2}:\d{2}).*systemd$$1$$: Started Daily apt upgrade'
    reboots = []
    
    with open(logfile) as f:
        for line in f:
            if 'systemd[1]: Started Daily apt upgrade' in line:
                timestamp = re.search(pattern, line).group(1)
                reboots.append(datetime.strptime(timestamp, '%b %d %H:%M:%S'))
    
    return reboots

For systems using systemd (most modern distributions):

# Detailed boot performance analysis
$ systemd-analyze
Startup finished in 3.912s (kernel) + 1.783s (userspace) = 5.695s

# View all service startup times
$ systemd-analyze blame
1.532s NetworkManager-wait-online.service
1.112s apt-daily-upgrade.service

Linux systems meticulously log all significant events, including system reboots. The most reliable way to detect reboots is by examining system logs for specific markers:


# Check the last reboot time:
last reboot | head -n 1

# Alternative method using who command:
who -b

Various log files contain reboot information:


# Systemd systems (common in modern distros):
journalctl --list-boots

# Traditional syslog systems:
grep -i "system boot" /var/log/messages
grep -i "system shutdown" /var/log/messages

For more detailed analysis, use awk to extract timestamps:


awk '/system boot/ {print $1,$2,$3}' /var/log/messages

# For systems using journald:
journalctl --boot | grep "Startup finished"

Generate a comprehensive reboot history report:


#!/bin/bash
echo "System Reboot History:"
echo "---------------------"
journalctl --list-boots | awk '{print "Boot ID:",$1,"| Booted:",$3,$4,$5,$6,"| Up:",$9}'

echo -e "\nLast 5 Reboots:"
echo "--------------"
last reboot -n 5

Set up real-time monitoring for reboot events:


# Watch system logs continuously:
tail -f /var/log/messages | grep --line-buffered -i "system boot"

# Systemd alternative:
journalctl -f | grep --line-buffered -i "startup finished"

Create a cron job to log reboots to a dedicated file:


# Add to crontab (runs at startup):
@reboot echo "System rebooted at $(date)" >> /var/log/reboot-history.log