Yes, I know, but exposing this info via a log is not a security risk. If you have access to the log its not our problem.
Yepp. If the server aka logs/configs are not secured, than the setup/admin has some problems ...
At least my ideal world would have something like this in the server [auth.]log:
log.warn("auth failed. principal=" + princ + " host=" + clientIP);