awk — Auth Logs

Failed SSH attempts — extract IP and username
# Prints "<source> <user>" for each password failure in the last hour.
# Only lines containing "Failed password" are matched, so other auth methods
# and pre-auth disconnects are not listed. Fields are taken relative to the
# end of the line (NF-3, NF-5); presumably this keeps the positions stable
# when sshd inserts "invalid user" before the name. Verify on a sample line.
# NOTE(review): on Debian/Ubuntu the unit is usually "ssh", not "sshd".
# Adjust the unit name if this returns nothing.
journalctl --unit=sshd --since="1 hour ago" --no-pager \
  | awk '$0 ~ /Failed password/ { src = $(NF-3); who = $(NF-5); print src, who }'
Count failed SSH logins per IP — top offenders
# Tallies password failures per source address over the last hour and lists
# them as "<count> <source>", highest count first.
journalctl --unit=sshd --since="1 hour ago" --no-pager \
  | awk '
      # The source address is the 4th field from the end of a failure line.
      /Failed password/ { hits[$(NF-3)] += 1 }
      END { for (addr in hits) print hits[addr], addr }
    ' \
  | sort -n -r
Successful SSH logins today
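# Prints "<month> <day> <time> <user> <source>" for each accepted login today.
# The match is anchored on the first word of the message ($6) instead of
# searching the whole line: account names in sshd messages are supplied by
# the client, so a bare /Accepted/ can also match failure lines whose name
# contains that word and report them as successful logins.
# Assumes journalctl's default short output (month day time host tag: message),
# which the $9/$11 positions already depend on.
journalctl -u sshd --since today --no-pager \
  | awk '$6 == "Accepted" { print $1, $2, $3, $9, $11 }'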
Accepted vs failed SSH logins — counts and accepted share of the total
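# Counts accepted and failed sshd authentications for today and prints the
# accepted share of the total as a percentage (labelled "ratio").
journalctl -u sshd --since today --no-pager \
  | awk '
      # Compare the first message word ($6) rather than searching the line:
      # client-supplied account names could otherwise be counted as
      # "Accepted" or "Failed" events. Assumes the default short output.
      $5 ~ /sshd/ && $6 == "Accepted" { a++ }
      $5 ~ /sshd/ && $6 == "Failed"   { f++ }
      END {
        # The conditional must be parenthesised: inside print/printf a bare
        # ">" is an output redirection, not a comparison.
        printf "accepted=%d failed=%d ratio=%.1f%%\n", a, f, (a > 0 ? a / (a + f) * 100 : 0)
      }
    '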
PAM authentication failure events
# Lists today's pam_unix authentication failures across all services as
# "<month> <day> <time> <last field>".
# NOTE(review): the last field is presumably user=NAME, but pam_unix may omit
# user= for unknown accounts, in which case a different key=value is printed.
# Confirm against a sample line.
journalctl --since=today --no-pager \
  | awk '$0 ~ /pam_unix.*authentication failure/ { tail = $NF; print $1, $2, $3, tail }'
Track sudo usage — who ran what
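# Prints "<invoking user> <run-as user> <command>" for today's sudo records.
# Changes from the earlier one-liner:
#  - USER= in a sudo record is the account the command runs as; the invoking
#    user is the word right after the sudo tag ($6), so it is printed too.
#  - The tag is matched as "sudo:" or "sudo[PID]:" so journal output that
#    includes the PID is not skipped.
#  - Uses two-argument match() with RSTART/RLENGTH, which is plain POSIX awk;
#    the three-argument array form is a gawk extension and fails under mawk.
# NOTE(review): sudo also appears to log refused attempts with a COMMAND= field,
# so this likely lists attempted as well as executed commands. Confirm.
journalctl --since today --no-pager \
  | awk '
      $5 ~ /^sudo(\[[0-9]+\])?:$/ && /COMMAND=/ {
        runas = ""; cmd = ""
        if (match($0, /USER=[^ ]+/)) runas = substr($0, RSTART + 5, RLENGTH - 5)
        if (match($0, /COMMAND=.+/)) cmd = substr($0, RSTART + 8)
        printf "%-12s %-12s %s\n", $6, runas, cmd
      }
    '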