Linux

Log Triage:

Read Audit.log files:

ausearch -if /path/to/your/audit.log
# a time range can be given with -ts / -te (start / end)

Sessions:

sudo grep -rniE "session opened for|accepted password|new session|not in sudoers" /var/log/
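
An added example, not part of the original notes: a shell function that tallies the events the grep above matches, by user and source address. The function names and the sample log lines are constructed for illustration and assume the usual sshd, PAM, systemd-logind and sudo syslog message formats.

```shell
# Added example: summarise the session events the grep above matches.
# Sample lines are constructed (documentation IP ranges, made-up users).
sample_auth_log() {
cat <<'EOF'
Mar  3 10:15:01 host1 sshd[1234]: Accepted password for alice from 203.0.113.5 port 51234 ssh2
Mar  3 10:15:01 host1 sshd[1234]: pam_unix(sshd:session): session opened for user alice(uid=1000) by (uid=0)
Mar  3 10:15:02 host1 systemd-logind[612]: New session 42 of user alice.
Mar  3 10:20:11 host1 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 10:31:40 host1 sshd[1300]: Accepted password for alice from 203.0.113.5 port 51301 ssh2
Mar  3 10:32:07 host1 sshd[1311]: Accepted password for root from 198.51.100.23 port 40022 ssh2
Mar  3 10:33:00 host1 CRON[1400]: pam_unix(cron:session): session closed for user root
EOF
}

# Reads syslog-style lines on stdin; prints "<count> <event> <details>", busiest first.
triage_sessions() {
  awk '
    { user = src = "?" }                      # reset per line
    /Accepted password for/ {
      for (i = 1; i < NF; i++) {
        if ($i == "for")  user = $(i + 1)
        if ($i == "from") src  = $(i + 1)
      }
      n["accepted_password user=" user " src=" src]++; next
    }
    /session opened for user/ {
      for (i = 1; i < NF; i++) if ($i == "user") { user = $(i + 1); break }
      sub(/\(.*/, "", user)                   # newer PAM appends "(uid=1000)"
      n["session_opened user=" user]++; next
    }
    /[Nn]ew session .* of user/ {
      user = $NF; sub(/\.$/, "", user)        # drop the trailing full stop
      n["new_session user=" user]++; next
    }
    /NOT in sudoers/ {
      # sudo writes "<user> : user NOT in sudoers ; ... COMMAND=<cmd>"
      for (i = 2; i < NF; i++) if ($i == ":" && $(i + 1) == "user") user = $(i - 1)
      cmd = $0; sub(/.*COMMAND=/, "", cmd)
      n["not_in_sudoers user=" user " cmd=" cmd]++; next
    }
    END { for (k in n) print n[k], k }
  ' | sort -k1,1nr -k2
}

sample_auth_log | triage_sessions
```

On a live system, pipe the matching log files under /var/log/ into `triage_sessions` instead of the sample; repeated password logins from one address and any `not_in_sudoers` line are the first rows to review.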

Login logs:

Login records are stored in either wtmp or utmp and can be read with:

last  # for the local system
# or
last -f /path/to/wtmp
