I've made a perl script to do this.  I first made a master log by
doing:

	cd /var/log
	( cat auth.log auth.log.0 ; zcat auth.log*.gz) > /tmp/auth.log

Unfortunately this is only the last month or so.  I have reconfigured
logrotate to hold auth.log for 4 months.  I then invoked the perl
script
as:

	/www/scripts/find_logins.pl /tmp/auth.log


auth.log is just a log generated by syslogd for all programs using the
auth or authpriv facilities.  The entries are in syslog format, but apart
from that, vary.  See the Perl script I wrote to see what regex patterns
I'm matching against.  Basically I'm looking at PAM session opens, imap
logins, pop logins, and ssh logins.  That should cover all the ways people
can authenticate to the system.