I'm familiar with using log show | grep 'sshd: error: PAM: authentication error for $user from $ip_address'
to look through failed logon attempts from various IP addresses.
Is there an equivalent log that gets written whenever a successful SSH connection gets established and authenticated (ideally it would contain information about the client IP address).
I've looked throughout my log files and there does not seem to be logs that record successful logins.
Best Answer
The successful SSH logins are logged in e.g.
/var/log/auth.log
with:Or, in case of publickey authentication: