Or are you talking about the web server's
Basic Authentication rather than SSH?
If so, and you are using the
Combined Log Format for Apache, then you could start to look for it by looking for status code 401 Unauthorized in the logs where there is also a user name given:
Code:
awk '$9=="401"&&($2!="-"||$3!="-")'
Which log format are you using for Apache at the moment?