Question

How to view log files of users who used the sudo command or used admin access

  • August 18, 2023
  • 1 reply
  • 0 views


Hello All,

Happy Friday! 

 

I am looking for a way to view the log file(s) of when a user used their local admin account to give permission for system changes, such as installing an application or using the sudo command in the terminal. Does anyone know if or where a log file like that lives on the machine? Thanks for the help.

1 reply

AJPinto
  • Legendary Contributor
  • 2717 replies
  • August 18, 2023

This would be stored in the console logs locally on the device. Unfortunately these logs are a bit convoluted to read. They will tell you an account was promoted to admin, but not by who or who was promoted. You have to dig into other logs to see who authenticated at the time the account was promoted to admin. I have only seen these logs when streaming logs; I am not sure where/if they are “permanently” stored. If you are needing this information, your best option is to get a SIEM redirection tool and monitor the logs.
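
One way to make collected sudo log lines easier to review, as an added example that is not part of the original thread. It assumes the lines were exported as text and follow sudo's standard message layout (`user : TTY=... ; PWD=... ; USER=... ; COMMAND=...`); the sample lines, host name and user names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread), in sudo's standard layout:
# "<invoker> : [<failure reason> ;] TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
SAMPLE = """\
2023-08-18 09:14:02 mac01 sudo[4121]:    alice : TTY=ttys000 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/sbin/installer -pkg app.pkg -target /
2023-08-18 09:20:45 mac01 sudo[4188]:      bob : 3 incorrect password attempts ; TTY=ttys001 ; PWD=/Users/bob ; USER=root ; COMMAND=/bin/ls /var/root
2023-08-18 09:31:10 mac01 sudo[4203]:    carol : user NOT in sudoers ; TTY=ttys002 ; PWD=/Users/carol ; USER=root ; COMMAND=/usr/bin/dscl . -list /Users
2023-08-18 09:32:00 mac01 loginwindow[101]: unrelated message
"""

LINE_RE = re.compile(r"sudo(?:\[\d+\])?:\s+(?P<who>\S+) : (?P<body>.*)$")

def parse_sudo_line(line):
    """Return a dict describing one sudo event, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    event = {"invoker": m.group("who"), "failure": None}
    # COMMAND= is the last field and may itself contain " ; ", so split it off first.
    head, sep, command = m.group("body").partition("COMMAND=")
    if not sep:
        return None
    event["command"] = command.strip()
    for field in head.split(" ; "):
        field = field.strip()
        if not field:
            continue
        key, eq, value = field.partition("=")
        if eq and key in ("TTY", "PWD", "USER"):
            event[key.lower()] = value
        else:
            event["failure"] = field  # e.g. "user NOT in sudoers"
    return event

def summarize(text):
    """Group commands by invoking user, split into allowed and denied."""
    report = defaultdict(lambda: {"allowed": [], "denied": []})
    for line in text.splitlines():
        ev = parse_sudo_line(line)
        if ev:
            bucket = "denied" if ev["failure"] else "allowed"
            report[ev["invoker"]][bucket].append(ev["command"])
    return dict(report)
```

Calling `summarize()` on the exported text returns a per-user mapping of allowed and denied commands; the denied entries (wrong password, user not in sudoers) are usually the ones worth alerting on.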

