Not a simple solution, but I do monitor lots of stuff using Splunk (see my signature)
There is a specific view that show all filter rule action, so can see what is going on,
I do log my last port of chain in port-knock to Splunk, so can see who enters. So far its only me, since no automatic script tries to enter in correct order within time limit.
And I also have a strict policy, if you try to knock or test a port that is not open, block IP for 24 hours.
This way its very hard to enter my router with just trying scripted or manual.
This prevents also attack on my other ports, since many of the tester are scripts that when find one open port (eks 80), will try lots of stuff to enter.
My access list for blocked intruders do vary from 2000 to 15000 unique ip at any time.
address-list-timeout=none-dynamic
I do not give any permanent access. Just 1day. If I need permanent access, I add IP manually to the white list.