matching sshd’s log ‘Accepted publickey for’ to specific public key

On a successful login, journalctl -f or tail -f /var/log/auth.log shows something like this:

Jul 05 21:00:42 hostname sshd[3242155]: Accepted publickey for root from 10.9.8.7 port 53250 ssh2: RSA SHA256:GDF.......somehash..................k

That GDF.......somehash..................k is the fingerprint of a public SSH key, and it matches one of the entries in authorized_keys. Which one?

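# bash: print the fingerprint of each key in authorized_keys
while read -r line || [ -n "$line" ]; do
    case $line in ''|'#'*) continue ;; esac    # skip blank lines and comments
    ssh-keygen -lf <(printf '%s\n' "$line")
done < ~/.ssh/authorized_keys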

This shows the fingerprints of all existing authorized keys; now you can match them against the log entry for the successful login.
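The same matching done automatically, as an added example that is not part of the original post: it recomputes each SHA256 fingerprint itself (unpadded base64 of the SHA-256 of the decoded key blob) and reports which authorized_keys line the log entry refers to, including lines that carry an options prefix. All function names are hypothetical, and the keys and log line are constructed sample data.

```python
import base64, hashlib, re, struct

LOG_RE = re.compile(r"Accepted publickey for (\S+) from (\S+) port \d+ ssh2: \S+ (SHA256:\S+)")
# Key blobs start with a 4-byte length whose high bytes are zero, so the
# base64 text begins with "AAAA"; anchoring on it skips a leading options field.
KEY_RE = re.compile(r"(?:^|\s)((?:ssh|ecdsa|sk)-\S+)\s+(AAAA[A-Za-z0-9+/]+=*)(?:\s+(.*))?$")

def fingerprint(blob_b64):
    """SHA256 fingerprint in the form sshd logs: unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def authorized_entries(text):
    """Yield (line_no, key_type, fingerprint, comment) for each key line."""
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no key
        m = KEY_RE.search(line)
        if m:
            yield no, m.group(1), fingerprint(m.group(2)), m.group(3) or ""

def match_login(log_line, authorized_keys_text):
    """Return (user, source_ip, matching entries), or None if not a publickey login."""
    m = LOG_RE.search(log_line)
    if not m:
        return None
    user, src, fp = m.groups()
    hits = [e for e in authorized_entries(authorized_keys_text) if e[2] == fp]
    return user, src, hits

def constructed_key(seed, comment, options=""):
    """Build a well-formed ssh-ed25519 line from fake key bytes (sample data only)."""
    pub = hashlib.sha256(seed).digest()  # 32 constructed bytes, not a real key
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub
    return f"{options}ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

SAMPLE_KEYS = "\n".join([
    "# constructed authorized_keys",
    constructed_key(b"alice", "alice@laptop"),
    "",
    constructed_key(b"backup", "backup@nas", 'command="/usr/bin/rsync --server",no-pty '),
])
BACKUP_FP = list(authorized_entries(SAMPLE_KEYS))[-1][2]
SAMPLE_LOG = ("Jul 05 21:00:42 hostname sshd[3242155]: Accepted publickey for root "
              f"from 10.9.8.7 port 53250 ssh2: ED25519 {BACKUP_FP}")  # constructed log line

if __name__ == "__main__":
    print(match_login(SAMPLE_LOG, SAMPLE_KEYS))
```

An empty match list for a real log line means the key was accepted from somewhere other than the file you checked, for example another AuthorizedKeysFile path.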
