Which log should a security administrator audit on a compromised server?

The audit log is essential for a security administrator to review on a compromised server because it provides a comprehensive record of various activities and changes that have occurred on the system. This log captures information about user activity, including successful and failed logins, system changes, and other significant events that could indicate malicious activity or security breaches.

By examining the audit log, the security administrator can trace back the actions taken on the server before the compromise, which aids in understanding how the attack occurred and what vulnerabilities were exploited. This critical insight not only helps in remediation efforts but also assists in improving overall security measures to prevent future incidents.

Other logs, while they may provide valuable information, do not offer the same level of comprehensive monitoring of user actions and system changes. Access logs primarily focus on user access attempts, error logs document issues and failures, and configuration logs track changes to settings and configurations, but they do not compile the same breadth of security-relevant information as the audit log does. Therefore, the audit log is the most relevant for investigating a compromised server.