Update syslog to log sshd stuff seperately.

etc/logrotate.d/syslog

@@ -1,4 +1,4 @@
-/var/log/httpd /var/log/messages /var/log/php /var/log/smtp {
+/var/log/httpd /var/log/messages /var/log/php /var/log/smtp /var/log/sshd {
 	sharedscripts
 	postrotate
 		/bin/kill -HUP $(cat /run/syslogd.pid) >/dev/null 2>&1 || true

etc/syslog.conf

@@ -4,8 +4,13 @@
 #   * Set the correct ownership+permissions on the file
 #   * Update /etc/logrotate.d/syslog with the changes
 
-auth.*						/var/log/messages
+!sshd
-authpriv.*					/var/log/messages
+auth.*						/var/log/sshd
+authpriv.*					/var/log/sshd
+
+!*
+auth.alert					/var/log/messages
+authpriv.warn					/var/log/messages
 cron.*						/var/log/messages
 daemon.*					/var/log/messages
 ftp.*						/var/log/messages
@@ -18,7 +23,7 @@ user.*						/var/log/messages
 uucp.*						/var/log/messages
 
 # fail2ban (custom configuration) uses local0.
-local0.*					/var/log/messages
+local0.*					/var/log/fail2ban
 # named (custom configuration) uses local1.
 local1.*					/var/log/messages
 # spamd is started with '-s local2'.