Are you interested in being alerted each time someone fails to log in or each time someone successfully logs in?
If you're interested in the failures, here is how to do it:
Create a Detection policy with the File Watch category. Enable the options shown in the screenshot:
Leave the "Type of diff algorithm" as the default value (Text).
In "List of patterns" add the following two entries:
com.symantec.sis.common.auth.AuthenticationException: Invalid password
com.symantec.sis.common.auth.AuthenticationException: Invalid user name
In "List of Files to Watch" add the following entry:
C:\Program Files (x86)\Symantec\Critical System Protection\Server\tomcat\logs\sis-console.0.log
In mine, I only configured it to Record Event to SCSP Console, but you may use the Execute Command feature to send a notification email.
If you are interested in being notified for successful logons, the sisconsole logging level will need to be increased to TRACE, which is a pretty verbose logging level. If you're okay with that let me know and I'll look into what line is generated upon a successful login.