Ssh log monitor

Also take a look at OSSEC. The default rules can send you an email when:

• an user is created:

     Rule: 5902 fired (level 8) -> "New user added to the system" Portion
     of the log(s):
  
     Sep 20 15:29:50 SVR015-493 useradd[22825]: new user: name=x, UID=507,
     GID=512, home=y, shell=/sbin/nologin
  

• Multiple failed login attempts

     Rule: 11210 fired (level 10) -> "Multiple failed login attempts." 
  
     Aug 23 18:47:07 x proftpd[22934]:
     y(::ffff:183.106.7.2[::ffff:183.106.7.2]) - Maximum login attempts
     (3) exceeded, connection refused
  

• First time user executed sudo

     Rule: 5403 fired (level 4) -> "First time user executed sudo."
     Portion of the log(s):
  
     Jul  2 11:55:14 x sudo:   y : TTY=pts/3 ;
  PWD=/home/y ; USER=root ; COMMAND=/bin/su -
  

• Illegal root login

     Rule: 2504 fired (level 9) -> "Illegal root login. "
     Portion of the log(s):
  
     Jul  2 11:54:39 SVR4149 sshd[13558]: ROOT LOGIN REFUSED FROM x.x.x.x
  

• ...

logwatch will keep an eye out and send you daily alerts about failed logins, etc, and fail2ban will monitor connection attempts and block an IP after n-failed logins within n-seconds. there are more options here than would be wise to shake a stick at, though.

The default configuration of logwatch should do that on CentOS, with a cron.daily entry to send an email that will contain an SSHD section summarizing failed and successful logins (as well as summarizing pam_unix output scanned from /var/log/secure showing authentication failures, invalid users, etc).