Auditing should be enabled for key events such as failed logon attempts. See the Administrator's Guide or the Trusted Facility Guide for more details.