If the server(s) are located behind a firewall/router and
- (is/are located in a DMZ)? and
- (traffic is being scrubbed by an IDS)? and
- the edge firewall is configured so only LAN and VPN clients have access to it and is logging attempts and
- the server (host-based) is configured so only LAN and VPN clients have access to it and is logging attempts and
- the services on server(s) are properly configured so only LAN and VPN clients have access to them and are logging attempts
then you have more than enough data to generate reporting. You can choose per-host reporting or you could deploy a central syslog server and for instance use Logwatch, Swatch, Logsurfer (old?) or Logsentry (old?) to generate reports. Determine if you need (near-)realtime alerting, multiple log checking tools and review the features of the products to see if they fit your requirements. See the LQ FAQ: Security references, post #1 under "Log analysis tools, resources" for application-specific tools or Freshmeat or SourceForge.
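
A minimal sketch of the kind of per-host report described above, added here as an illustration and not part of the original post: it reads netfilter-style LOG lines as a central syslog server would collect them and counts attempts from sources outside the LAN and VPN ranges. The address ranges, the host names (`fw1`, `web1`), the log prefixes and the sample lines are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed address plan (not from the post): replace with your LAN and VPN ranges.
ALLOWED_NETS = [ipaddress.ip_network("192.168.1.0/24"),  # LAN
                ipaddress.ip_network("10.8.0.0/24")]     # VPN clients

# Constructed sample: netfilter LOG lines from two hosts, plus one unrelated line.
SAMPLE_LOG = """\
Mar  3 10:15:01 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP SPT=51234 DPT=22
Mar  3 10:15:02 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP SPT=51235 DPT=22
Mar  3 10:15:09 web1 kernel: HOST-DROP: IN=eth0 OUT= SRC=198.51.100.23 DST=192.168.1.10 PROTO=TCP SPT=40000 DPT=3306
Mar  3 10:16:30 web1 kernel: HOST-DROP: IN=eth0 OUT= SRC=10.8.0.5 DST=192.168.1.10 PROTO=TCP SPT=40100 DPT=8080
Mar  3 10:17:00 web1 sshd[812]: Accepted publickey for admin from 192.168.1.20 port 50022 ssh2
Mar  3 10:17:44 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=not-an-ip DST=192.168.1.10 PROTO=UDP SPT=53 DPT=53
"""

# Syslog timestamp, reporting host, then the SRC/PROTO/DPT fields of a kernel LOG line.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]+\s(?P<host>\S+)\skernel:.*?"
    r"SRC=(?P<src>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)")

def summarize(log_text):
    """Return (report, skipped): report[host][(src, proto, dpt)] counts attempts
    from outside ALLOWED_NETS; skipped counts firewall lines with a bad SRC."""
    report, skipped = defaultdict(Counter), 0
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a firewall LOG line (e.g. sshd), ignore here
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            skipped += 1  # count malformed entries instead of dropping them silently
            continue
        if not any(src in net for net in ALLOWED_NETS):
            report[m["host"]][(str(src), m["proto"], int(m["dpt"]))] += 1
    return report, skipped

def render(report, skipped):
    """Format the per-host summary, most frequent source/port first."""
    out = []
    for host in sorted(report):
        out.append(f"== {host} ==")
        for (src, proto, dpt), n in report[host].most_common():
            out.append(f"  {n:4d}  {src} -> {proto}/{dpt}")
    out.append(f"malformed firewall lines skipped: {skipped}")
    return "\n".join(out)

if __name__ == "__main__":
    print(render(*summarize(SAMPLE_LOG)))
```
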