How would you detect a privilege escalation (via s...
# general
k
How would you detect a privilege escalation (via superuser like ‘Ubuntu’ and ‘sudo su’) using osquery? I thought about reading the auth.log, but that’s not being pulled into Kolide atm.