Hm, install the CSF firewall or OSSEC, which come with the built-in functionality you need ... going by the subject line of your question.
CSF firewall:
lfd on cluster-master-acl: SSH login alert for user root from 86.234.45.45 (IE/Ireland/cm-86.234.45.045.ntlworld.ie)
Time: Fri Dec 26 13:59:51 2014 +0000
IP: 86.234.45.45 (IE/Ireland/cm-86.234.45.045.ntlworld.ie)
Account: root
Method: publickey authentication
.
lfd on web1: SU login alert - Successful login from admin(uid=0) to root
Time: Sat Dec 27 11:45:26 2014 -0500
From: admin(uid=0)
To: root
Status: Successful login
OSSEC:
OSSEC HIDS Notification.
2014 Dec 28 10:58:53
Received From: (web-node-3) 138.71.183.65->/var/log/secure
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
Dec 28 05:58:49 ID13412 sudo: pam_unix(sudo:auth): conversation failed
and so on. In fact, you can modify the alerts as you need them.
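As an added example (not part of the original answer and not code from CSF or OSSEC), the sketch below parses lfd alert text in the layout of the two samples quoted above and flags root SSH logins from outside a trusted range. The function names and the `trusted_nets` list are hypothetical, and the sample text is constructed from the alerts shown in the answer.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample, modelled on the two lfd alerts quoted in the answer above.
SAMPLE = """\
lfd on cluster-master-acl: SSH login alert for user root from 86.234.45.45 (IE/Ireland/cm-86.234.45.045.ntlworld.ie)
Time: Fri Dec 26 13:59:51 2014 +0000
IP: 86.234.45.45 (IE/Ireland/cm-86.234.45.045.ntlworld.ie)
Account: root
Method: publickey authentication

lfd on web1: SU login alert - Successful login from admin(uid=0) to root
Time: Sat Dec 27 11:45:26 2014 -0500
From: admin(uid=0)
To: root
Status: Successful login
"""

HEADER = re.compile(r"^lfd on (?P<host>\S+): (?P<kind>SSH|SU) login alert\b")
FIELD = re.compile(r"^(?P<key>[A-Za-z]+): (?P<value>.*)$")

def parse_lfd_alerts(text):
    """Split lfd alert text into dicts: host, kind, plus each 'Key: value' field."""
    alerts, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:  # a subject line starts a new alert
            current = {"host": m["host"], "kind": m["kind"]}
            alerts.append(current)
            continue
        f = FIELD.match(line)
        if f and current is not None:
            current[f["key"].lower()] = f["value"]
    return alerts

def needs_review(alert, trusted_nets):
    """True for a root SSH login whose source IP is outside trusted_nets (hypothetical allowlist)."""
    if alert["kind"] != "SSH" or alert.get("account") != "root":
        return False
    try:
        src = ip_address(alert.get("ip", "").split()[0])
    except (IndexError, ValueError):
        return True  # missing or unparsable source address: review by hand
    return not any(src in ip_network(net) for net in trusted_nets)
```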