With the release of 10.4, Apple has changed logging for ssh. I used to keep an eye on break-in attempts to my home computer (see this hint), which has SSH login enabled so I can log in from work.
After I installed Tiger, I didn't see any more attacks, which was quite odd. After some digging, I found that Apple is changing the logfile system, and plans for further changes in the future (see man syslogd for a bit more detail). The upshot of all this is that to get a service to log correctly, an entry is needed in the file /etc/syslog.conf, which is documented in the syslog.conf help file (man syslog.conf).
The short of it is that you need to look at the file /etc/sshd_config, and find the logging section. There you should see this:
# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
This shows you sshd's log settings, which you need for the next step. Edit the file /etc/syslog.conf with some text editor (and sudo) and change this line (the second line in the file):
*.notice;authpriv,remoteauth,ftp,install.none;kern.debug;mail.crit
/var/log/system.log
You need to add ;auth.info immediately after mail.crit (before the Tab that preceeds the /var/log... bit). Save the file and either reboot (ugly) or restart the syslog daemon with this command:
sudo kill -HUP `cat /var/run/syslog.pid`
What you have done is added a directive to syslog.conf to inform syslogd that log requests from auth at level info and above should be logged in the system log file. Then you signaled syslogd to reload the configurations (those are back ticks (the key just under the esc key)). Presto, login attempts are now back in the system log.
Mac OS X Hints
http://hints.macworld.com/article.php?story=20051012162448301