Have a look at the file /etc/syslog.conf and its man page with
man syslog.conf. At default settings, my box here (Slackware) logs failed logins at the terminal to /var/log/secure:
Code:
Mar 25 15:34:44 fender login[5734]: invalid password for `oracle' on `tty6'
It also logs failed ssh attempts to /var/log/messages:
Code:
Mar 24 10:05:50 fender sshd[18451]: Invalid user jabber from 217.23.151.106
Were you looking at ways of sending your log files to a remote server in case the attacker got in?