I am looking for a way to view the log file(s) of when a user used their local admin account to give permission for system changes, such as installing an application or using the sudo command in the Terminal. Does anyone know if or where a log file like that lives on the machine? Thanks for the help.
This would be stored in the console logs locally on the device. Unfortunately these logs are a bit convoluted to read. They will tell you an account was promoted to admin, but not by whom or who was promoted. You have to dig into other logs to see who authenticated at the time the account was promoted to admin. I have only seen these logs when streaming logs; I am not sure where/if they are “permanently” stored. If you are needing this information, your best option is to get a SIEM redirection tool and monitor the logs.
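As an added example (not from either poster), here is how a defender could pull the sudo half of the question out of the macOS unified log and summarise who ran what. It assumes macOS `log show` with a syslog-style output layout; the sample lines used to exercise the parser are constructed, not real log data.

```bash
#!/bin/sh
# Added example: extract and summarise sudo usage from macOS unified-log output.
# Assumes macOS `log show` (syslog-style lines: "date time host sudo[pid]: user : ... COMMAND=...").

# Query the persisted unified log for sudo entries from the last day (runs only on macOS).
collect_sudo_log() {
    log show --last 1d --style syslog --predicate 'process == "sudo"' 2>/dev/null
}

# Reduce each sudo record on stdin to "date time user command" for review.
summarise_sudo() {
    awk '
        /sudo\[[0-9]+\]:/ && /COMMAND=/ {
            ts = $1 " " $2                       # date and time are the first two fields
            sub(/.*sudo\[[0-9]+\]: +/, "")       # drop everything up to the invoking user
            user = $1                            # awk re-splits $0 after sub(), so $1 is the user
            cmd = $0; sub(/.*COMMAND=/, "", cmd) # keep only the command that was run as root
            print ts, user, cmd
        }'
}

# Count sudo invocations per user on stdin, e.g. to spot an account that should not be using sudo.
count_by_user() {
    summarise_sudo | awk '{ n[$3]++ } END { for (u in n) print u, n[u] }' | sort
}

# Typical use on a Mac:  collect_sudo_log | count_by_user
```

The GUI authorization prompts the thread also mentions are a separate log stream and are not covered by the `sudo` predicate above.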