When I check a privilege escalation log for a Unix machine in the Event Reconstruction tab under log view, I can see it as "su: from root to abcd at /dev/tty??"
but when I check the same in the meta view, the account abcd is categorized in user.src and root in user.dst.
Which one is correct: is it "root to abcd" or "abcd to root"?
And how did the account in "from" (from the log view) go to the destination user field?