Auth.log / usernames
From Andreida
invalid users
grep -o 'invalid user.*' /var/log/auth.log | cut -d ' ' -f3 | sort | uniq -c | sort -n
successful logins
grep -o 'New session .*' /var/log/auth.log | cut -d ' ' -f6 | cut -d '.' -f1 | sort | uniq -c | sort -n
These are only direct and ssh logins. Not - for example - logins to Dovecat/Exim4.
If you want to know more about a certain user's logins, a start would be - example user 'root' -
grep 'New session [0-9]* of user root' /var/log/auth.log
