how to audit a reboot?

in linux, you would have to have the auditd daemon running. I believe it usually is by default.

# this will work for both the older sysinit linux as well as newer systemd linux

service auditd [start | stop | status]

having the default audit.conf and audit.rules file I believe will put enough information in /var/log/audit/audit.log where one can easily recognize a reboot. So you don't have to manually add any special audit rule.

The raw linux audit log... is raw... not easily human readable. The date is in epoch format. However if you were to do this

service auditd stop
rm /var/log/audit/audit.log
service auditd start
reboot

login in
immediately edit audit.log to see what happened before it fills up making it harder to see

the beginning of that audit.log will show exactly what gets logged when a reboot happens and what happens upon boot. You should be able to easily recognize it, it will all be in the top of that new audit.log file. And it will likely be 50+ lines worth, I know it is using rhel 7 for example. Whether you can identify a reboot happening to a single line in audit.log I'm not sure.

I'm not sure if that raw audit log syntax varies with linux distribution, and it probably does with the varies versions of audit there are. Which is why it would be best to specifically look on your system to see what it is.

For dealing with that epoch date in the audit log:

https://unix.stackexchange.com/questions/2987/how-do-i-convert-an-epoch-timestamp-to-a-human-readable-format-on-the-cli