Whois is all you need to know who was doing what. I recommend that you download and install snorth and its signatures, let it run for a while, and then keep checking what every event that shows up is. Snort (as well as others) will vividly describe what it sees and why it thinks its bad. Just remember, IDS boxes are just like AV software, they only detect 'known attack signatures'. They could, depending on how the filter is written, miss an attack that has been modified, or varients of the same attack. In other words, you will not be able to see everything that has been going on, but usually enough to know someone was up to no good...

neb