Cybersecurity Triage

Show Accepted SSH Logins

You need to find successful SSH public-key logins in an auth log.

Command

grep 'Accepted publickey' logs/auth.log

What changed

Nothing changes on the system. The command only reads the log and prints the lines that record successful public-key logins.

Danger

safe

When to use it

Use when building a quick access timeline or checking unexpected SSH access.

When not to use it

Do not assume password logins are absent: this pattern matches only public-key logins, so search the other Accepted patterns as well.

Undo or recovery

No undo needed because this command is read-only.

Expected output

Only the Accepted publickey lines, each showing the username, source IP and source port.

demo script

Disposable terminal steps

  1. grep 'sshd' logs/auth.log
  2. grep 'Accepted publickey' logs/auth.log

simulated output

What it looks like

$ grep 'sshd' logs/auth.log
Jun 25 12:00:01 vps sshd[1001]: Failed password for invalid user admin from 203.0.113.44 port 51122 ssh2
Jun 25 12:00:03 vps sshd[1002]: Failed password for root from 203.0.113.44 port 51124 ssh2
Jun 25 12:01:10 vps sshd[1003]: Failed password for deploy from 198.51.100.77 port 41002 ssh2
Jun 25 12:02:44 vps sshd[1004]: Accepted publickey for alex from 198.51.100.20 port 50222 ssh2
$ grep 'Accepted publickey' logs/auth.log
Jun 25 12:02:44 vps sshd[1004]: Accepted publickey for alex from 198.51.100.20 port 50222 ssh2
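Added example, not part of the lesson: a small script that builds the quick access timeline described above from the same log format, matching every Accepted line (not only publickey) so that a password login among key logins is not missed. The auth log it writes is constructed sample data; the file path and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the lesson): build a quick SSH access timeline
# from an auth log, matching every "Accepted <method>" line, not only publickey.
# The log below is constructed sample data in the same format as the lesson.

AUTH_LOG="${TMPDIR:-/tmp}/auth.log.example"   # assumed path for the sample log
cat >"$AUTH_LOG" <<'EOF'
Jun 25 12:00:01 vps sshd[1001]: Failed password for invalid user admin from 203.0.113.44 port 51122 ssh2
Jun 25 12:00:03 vps sshd[1002]: Failed password for root from 203.0.113.44 port 51124 ssh2
Jun 25 12:01:10 vps sshd[1003]: Failed password for deploy from 198.51.100.77 port 41002 ssh2
Jun 25 12:02:44 vps sshd[1004]: Accepted publickey for alex from 198.51.100.20 port 50222 ssh2
Jun 25 12:05:09 vps sshd[1007]: Accepted password for deploy from 198.51.100.77 port 41010 ssh2
EOF

# One line per successful login: timestamp, auth method, user, source IP.
# Fields in this log format: $1-$3 timestamp, $7 method, $9 user, $11 source IP.
ssh_access_timeline() {
    grep -E 'sshd\[[0-9]+\]: Accepted [a-z]+ for ' "$1" |
        awk '{ printf "%s %s %s method=%s user=%s from=%s\n", $1, $2, $3, $7, $9, $11 }'
}

# Count successful logins per method so a password login among key logins stands out.
ssh_accepted_methods() {
    grep -E 'sshd\[[0-9]+\]: Accepted [a-z]+ for ' "$1" |
        awk '{ print $7 }' | sort | uniq -c | sort -rn
}

ssh_access_timeline "$AUTH_LOG"
ssh_accepted_methods "$AUTH_LOG"
```

The Failed lines are dropped by the pattern, so the timeline shows only real access; the per-method count is the quick check the "When not to use it" note asks for.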

YouTube Short

Find successful SSH logins.

During first response, filter for accepted SSH logins so real access stands apart from the failed-attempt noise.

LinkedIn hook

During first response, successful logins matter more than background noise.

Question: Do you separate successful SSH logins from failed noise first?

experiments

A/B tests to run

Metric: watch_time

A: Successful access first.

B: Separate signal from SSH noise.