Alpine Linux

Looking at sshd default config you will notice that SyslogFacility is commented out and indicates that sshd is reporting as 'AUTH'.
But sshd is not reporting as 'AUTH'! Not even when you uncomment the 'SyslogFacility AUTH' section in /etc/ssh/sshd_config.

# grep -i facility /etc/ssh/sshd_config
#SyslogFacility AUTH

The problem can be recreated with:

# apk version -v | grep -i "^openssh" 
openssh-client-5.6_p1-r1                = 5.6_p1-r1
openssh-5.6_p1-r1                       = 5.6_p1-r1

There is no problem with (aka. works fine in):

# apk version -v | grep -i "^openssh" 
openssh-client-5.2_p1-r3                < 5.3_p1-r0
openssh-5.2_p1-r3                       < 5.3_p1-r0

There is no problem with (aka. works fine in):

# apk version -v | grep -i "^openssh" 
openssh-client-5.3_p1-r0                = 5.3_p1-r0
openssh-5.3_p1-r0                       = 5.3_p1-r0

This is how I found the bug:

On a host that is supposed to gather all logs

apk add sysklogd

Make sure that /etc/syslog.conf has the following record:

auth,authpriv.*            /var/log/auth.log

Make sysklogd listen to other hosts (/etc/conf.d/sysklogd):

SYSLOGD="-m 0 -r" 

Start tailing /var/log/auth.log
Next we need to tell the other linux boxes to send their logs to this 'logging server'.
(If the remote box is using sysklogd then add the following to /etc/syslogd.conf)

*.*                @IP.TO.LOG.SRV

The logserver still gets all logs (they end up in /var/log/syslog), so I get the sshd logs to the logserver, they just dont end up in the right place because the LogFalility (or something else) is wrong.

I assume you should be able to do this debugging with a single box, but I described how I noticed the error just in case the error is related to remote logging.