Uses SO_PEERCRED to find the PID/UID/GID of the application using syslog.

Sample config:

  filter f_sshd { uid(0) and program("sshd"); };
  filter f_sshdu { not uid(0) and program("sshd") and pid(); };
  # pid() checks that the PID in the message matches the sender's real PID
  destination sshd { file("/var/log/sshd.$YEAR$MONTH" template("$DAY $HOUR:$MIN:$SEC $MSG\n") template-escape(no)); };
  log { source(local); filter(f_sshd); destination(sshd); };
  destination usshd { file("/var/log/sshd.$YEAR$MONTH" template("$DAY $HOUR:$MIN:$SEC $PROGRAM[$PID]: ($FROM_USER) $MSGONLY\n") template-escape(no)); };
  log { source(local); filter(f_sshdu); destination(usshd); };

* Allows log messages from sshd running as root and from sshd running as an ordinary user to be distinguished
* Further processing of the log can rely on the authenticity of the message (the sender's identity comes from the kernel, not from the message text)
* No need to restrict access to /dev/log and lose otherwise useful logging

Sample log:

  sshd[30955]: Connection from 0.0.0.0 port 0
  sshd[30955]: Failed none for nobody from 0.0.0.0 port 0 ssh2
  sshd[30955]: (nobody) Found matching DSA key: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
  sshd[30955]: (nobody) Found matching DSA key: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
  sshd[30955]: Accepted publickey for nobody from 0.0.0.0 port 0 ssh2
  sshd[30957]: (nobody) Connection closed by 0.0.0.0
  sshd[30957]: (nobody) Closing connection to 0.0.0.0
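The following is an added example and not code from the patch or from syslog-ng itself. It shows the two halves of the mechanism described above: reading the sender's PID/UID/GID from a connected AF_UNIX socket with SO_PEERCRED, and then applying the page's f_sshd / f_sshdu filter logic (including the pid() check that the PID embedded in the message equals the kernel-reported peer PID) and the two destination templates. The function names (peer_credentials, parse_message, classify, format_line, demo), the fixed "01 12:00:00" timestamp and the fallback constant 17 for SO_PEERCRED are assumptions of this example; a socketpair stands in for the /dev/log listener so that the code runs offline.

```python
"""Added example: SO_PEERCRED-based sender authentication for syslog messages.
Not part of the syslog-ng patch described on this page; Linux only."""
import os
import pwd
import re
import socket
import struct

# struct ucred { pid_t pid; uid_t uid; gid_t gid; } -> three C ints on Linux.
_UCRED = struct.Struct("3i")
# SO_PEERCRED is Linux-specific; 17 is its value on x86/arm Linux (assumption,
# used only if the socket module does not export the constant).
_SO_PEERCRED = getattr(socket, "SO_PEERCRED", 17)

# "program[pid]: rest of message" as written by the classic syslog(3) API.
_PROGRAM_RE = re.compile(r"^(?P<program>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<msgonly>.*)$")


def peer_credentials(sock):
    """Return (pid, uid, gid) of the process on the other end of a connected
    AF_UNIX stream socket, as recorded by the kernel at connect() time."""
    raw = sock.getsockopt(socket.SOL_SOCKET, _SO_PEERCRED, _UCRED.size)
    return _UCRED.unpack(raw)


def parse_message(msg):
    """Split a message into ($PROGRAM, $PID, $MSGONLY); PID may be None."""
    m = _PROGRAM_RE.match(msg)
    if not m:
        return None, None, msg
    pid = int(m.group("pid")) if m.group("pid") else None
    return m.group("program"), pid, m.group("msgonly")


def classify(msg, creds):
    """Mirror the page's filters and return the matching filter name or None:
       f_sshd  = uid(0) and program("sshd")
       f_sshdu = not uid(0) and program("sshd") and pid()"""
    program, msg_pid, _ = parse_message(msg)
    peer_pid, peer_uid, _peer_gid = creds
    if program != "sshd":
        return None
    if peer_uid == 0:
        return "f_sshd"
    # pid(): the PID claimed in the message text must equal the PID the kernel
    # reports for the socket peer, so a user process cannot impersonate another
    # sshd instance simply by writing its PID into the message.
    if msg_pid is not None and msg_pid == peer_pid:
        return "f_sshdu"
    return None


def format_line(msg, creds, timestamp="01 12:00:00"):
    """Render the message with the destination template its filter selects.
    The timestamp argument stands in for $DAY $HOUR:$MIN:$SEC (constructed)."""
    which = classify(msg, creds)
    if which == "f_sshd":
        # destination sshd: "$DAY $HOUR:$MIN:$SEC $MSG"
        return f"{timestamp} {msg}"
    if which == "f_sshdu":
        # destination usshd: "$DAY $HOUR:$MIN:$SEC $PROGRAM[$PID]: ($FROM_USER) $MSGONLY"
        program, pid, msgonly = parse_message(msg)
        _, uid, _ = creds
        try:
            user = pwd.getpwuid(uid).pw_name   # $FROM_USER resolved from the peer uid
        except KeyError:
            user = str(uid)
        return f"{timestamp} {program}[{pid}]: ({user}) {msgonly}"
    return None


def demo():
    """Run the round trip in one process: a socketpair plays /dev/log, so the
    peer credentials the kernel reports are this process's own pid/uid/gid."""
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        creds = peer_credentials(server)
        client.sendall(f"sshd[{os.getpid()}]: Connection closed by 0.0.0.0".encode())
        msg = server.recv(4096).decode()
    finally:
        server.close()
        client.close()
    return creds, classify(msg, creds), format_line(msg, creds)


if __name__ == "__main__":
    print(demo())
```

SO_PEERCRED only applies to connected (stream) Unix sockets; for a datagram /dev/log the equivalent information arrives per message as SCM_CREDENTIALS ancillary data once SO_PASSCRED is enabled on the listener. In both cases the credentials are filled in by the kernel, which is why the uid() and pid() filters above can be trusted even though the message text itself is attacker-controlled.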