AnsweredAssumed Answered

privilege escalation log parsing

Question asked by RSA Admin Employee on Jun 18, 2015
Latest reply on Jun 21, 2015 by Rahul Lohar

When i check a privilege escalation log for a unix machine in Event reconstruction Tab under log view i can it as "su: from root to abcd at /dev/tty??

but when i check the same in the meta view the account abcd in categorized in user.src  and root in user.dst

 

which one is correct is it "root to abcd" or "abcd to root"??

 

and how does the account in from (from the log view) went to destination user field?

please help..

Outcomes