OK, then I'm going to re-open this.
The logging format should be consistent between the two, with proper identifiers in place to say whether this is a user or an internal protocol. Free form text == death here. I'd like to propose the following:
date INFO service: Auth [successful|failed] for [identify] using [protocol=protocolName|user=username]
IIRC, we support user remapping, so identifying which identity is being used for which user would be helpful here.