10.8 Authentication Events log... (part 2)

I've decided to create another thread since the original one was marked as solved, and is quite old now.


Since a few OS X versions back it seems that security-related logs were moved to ASL. That's great, there's a syslog program and an API to query the logs and all. However, loginwindow (and it may not be the only service) doesn't log failed login attempts anymore. What I see is a bunch of low-level debugging messages. Here's an example failed login attempt:

[Level 7] [Time 1444312378] [TimeNanoSec 363305000] [Message in pam_sm_authenticate(): Got user: mikedld] [Host Mikes-iMac.local] [PID 90] [UID 501] [GID 20] [Sender loginwindow] [Facility authpriv] [SenderMachUUID 66748489-BF5B-3A2B-8A19-2711537A4BCB] [ReadGID 80] [ReadUID 0]

[Level 7] [Time 1444312378] [TimeNanoSec 363372000] [Message in pam_sm_authenticate(): Got ruser: mikedld] [Host Mikes-iMac.local] [PID 90] [UID 501] [GID 20] [Sender loginwindow] [Facility authpriv] [SenderMachUUID 66748489-BF5B-3A2B-8A19-2711537A4BCB] [ReadGID 80] [ReadUID 0]

[Level 7] [Time 1444312378] [TimeNanoSec 363425000] [Message in pam_sm_authenticate(): Got service: screensaver] [Host Mikes-iMac.local] [PID 90] [UID 501] [GID 20] [Sender loginwindow] [Facility authpriv] [SenderMachUUID 66748489-BF5B-3A2B-8A19-2711537A4BCB] [ReadGID 80] [ReadUID 0]

[Level 7] [Time 1444312378] [TimeNanoSec 365004000] [Message in od_principal_for_user(): No authentication authority returned] [Host Mikes-iMac.local] [PID 90] [UID 501] [GID 20] [Sender loginwindow] [Facility authpriv] [SenderMachUUID 66748489-BF5B-3A2B-8A19-2711537A4BCB] [ReadGID 80] [ReadUID 0]

[Level 7] [Time 1444312378] [TimeNanoSec 365084000] [Message in od_principal_for_user(): failed: 7] [Host Mikes-iMac.local] [PID 90] [UID 501] [GID 20] [Sender loginwindow] [Facility authpriv] [SenderMachUUID 66748489-BF5B-3A2B-8A19-2711537A4BCB] [ReadGID 80] [ReadUID 0]

[Level 7] [Time 1444312378] [TimeNanoSec 365149000] [Message in pam_sm_authenticate(): Failed to determine Kerberos principal name.] [Host Mikes-iMac.local] [PID 90] [UID 501] [GID 20] [Sender loginwindow] [Facility authpriv] [SenderMachUUID 66748489-BF5B-3A2B-8A19-2711537A4BCB] [ReadGID 80] [ReadUID 0]

[Level 7] [Time 1444312378] [TimeNanoSec 365205000] [Message in pam_sm_authenticate(): Done cleanup3] [Host Mikes-iMac.local] [PID 90] [UID 501] [GID 20] [Sender loginwindow] [Facility authpriv] [SenderMachUUID 66748489-BF5B-3A2B-8A19-2711537A4BCB] [ReadGID 80] [ReadUID 0]

[Level 7] [Time 1444312378] [TimeNanoSec 365246000] [Message in pam_sm_authenticate(): Kerberos 5 refuses you] [Host Mikes-iMac.local] [PID 90] [UID 501] [GID 20] [Sender loginwindow] [Facility authpriv] [SenderMachUUID 66748489-BF5B-3A2B-8A19-2711537A4BCB] [ReadGID 80] [ReadUID 0]

[Level 7] [Time 1444312378] [TimeNanoSec 463066000] [Message in pam_sm_authenticate(): OpenDirectory - The authtok is incorrect.] [Host Mikes-iMac.local] [PID 90] [UID 501] [GID 20] [Sender loginwindow] [Facility authpriv] [SenderMachUUID 66748489-BF5B-3A2B-8A19-2711537A4BCB] [ReadGID 80] [ReadUID 0]

And that's it... All messages are level 7, so not even a single notice, warning or error. Moreover, this info isn't even written to ASL or any other log with default logging settings. This makes it difficult to detect failed login attempts.


Is there any way to get errors from loginwindow now? A ready-made program, an API, something... I see people suggesting to rely on the "The authtok is incorrect" message, but somehow I don't feel that confident in it.

iMac, OS X Yosemite (10.10.4)

Posted on Oct 8, 2015 9:41 AM
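
An added example, not part of the original post and not an Apple tool: one way to turn the debug lines quoted above into failed-login events, by correlating the "Got user" / "Got service" context with the "The authtok is incorrect" marker per host, sender and PID. It assumes authpriv debug messages are being captured in the bracketed key/value form shown in the post; the function names and the sample lines (trimmed from the post, plus a made-up user `alice` on PID 412) are constructed for illustration.

```python
import re

# One "[Key Value]" pair. Treating "\]" as an escaped bracket inside a value is
# an assumption about the raw format; the post's lines contain no brackets.
PAIR = re.compile(r"\[(\w+) ((?:\\.|[^\]\\])*)\]")
CONTEXT = re.compile(r"in pam_sm_authenticate\(\): Got (user|ruser|service): (\S+)")
FAILURE = "The authtok is incorrect"  # marker string quoted in the post

def parse_line(line):
    """Turn one bracketed ASL line into a dict of its key/value pairs."""
    return {k: v.replace("\\]", "]") for k, v in PAIR.findall(line)}

def failed_logins(lines):
    """Correlate per-process PAM context with the failure marker."""
    context, events = {}, []
    for rec in map(parse_line, lines):
        if rec.get("Facility") != "authpriv" or "Message" not in rec:
            continue
        key = (rec.get("Host"), rec.get("Sender"), rec.get("PID"))
        m = CONTEXT.search(rec["Message"])
        if m:
            if m.group(1) == "user":  # "Got user" opens a new attempt
                context[key] = {}
            context.setdefault(key, {})[m.group(1)] = m.group(2)
        elif FAILURE in rec["Message"]:
            seen = context.pop(key, {})  # consume the context for this attempt
            events.append({"time": int(rec.get("Time", 0)), "host": rec.get("Host"),
                           "sender": rec.get("Sender"), "user": seen.get("user"),
                           "service": seen.get("service")})
    return events

# Constructed sample: PID 90 lines are trimmed from the post (UID/GID/UUID fields
# dropped); the interleaved PID 412 lines for "alice" are made up and never fail.
C = "[Host Mikes-iMac.local] [Sender loginwindow] [Facility authpriv]"
M = "[Level 7] [Message in pam_sm_authenticate():"
SAMPLE = [
    f"[Time 1444312378] {M} Got user: mikedld] [PID 90] {C}",
    f"[Time 1444312378] {M} Got user: alice] [PID 412] {C}",
    f"[Time 1444312378] {M} Got service: screensaver] [PID 90] {C}",
    f"[Time 1444312378] {M} Got service: screensaver] [PID 412] {C}",
    f"[Time 1444312378] {M} OpenDirectory - The authtok is incorrect.] [PID 90] {C}",
]

if __name__ == "__main__":
    for event in failed_logins(SAMPLE):
        print(event)
```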

There are no replies.
