Recently we had an issue with some Admin Console functionality not working quite correctly, and the usual "zmsshkeygen + zmupdateauthkeys" trick did not solve the problem.
We knew we had an ssh issue somewhere (the Admin Console in a multi-server makes extensive use of ssh to gather data from all of the servers), but finding it was a challenge as SLES was not logging the ssh auth failures Zimbra was reporting.
We did solve the problem, but wanted to improve ssh logging in case we had a similar problem in future.
What we wanted was a dedicated file for ssh activity, and a separate dedicated file for ssh errors. We don't allow ssh from outside, but we know many sysadmins need to allow ssh access to their Zimbra servers.
We fortunately found this article:
Syslog-ng - SSH Logging | Novell User Communities
It specifically works only for syslog-ng as found on SLES, but the concept is applicable to all operating systems.
We think this will improve troubleshooting in the future, and if you do need to keep ssh open on your firewall to the outside, you will now have a single log file in which you can see all failed login attempts.
Hope that helps!
All the best,
Mark
__________________
___________________________________
L. Mark Stone, CIO 
"Uptime. All the time."
477 Congress Street | Portland, ME 04101-3431 | (207) 772-5678
proactive maintenance and monitoring | technology consulting
Zimbra groupware | EMR implementations | private cloud hosting
Bugzilla
Wiki
Source
Dedicated SSH Logging for Multi-Server Installations on SLES 
Linear Mode
