/var/log/auth.log is getting littered
On my server, my /var/log/auth.log was filled with lines like this:

PAM unable to dlopen(/lib/security/pam_smbpass.so)
PAM [error: /lib/security/pam_smbpass.so: cannot open shared object file: No such file or directory]

PAM adding faulty module: /lib/security/pam_smbpass.so
which made it almost impossible to see real data, like brute-force attacks and such.

I found a bug report, "error in auth.log when switch user — pam_smbpass.so", and the solution turned out to be:
You can work around this by commenting out the pam_smbpass.so related lines in /etc/pam.d/common-auth and /etc/pam.d/common-password.
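
The workaround above as a small script; this is an added example, not code from the original post or the bug report. The function names are hypothetical, and it assumes a grep that supports -o. It goes one step beyond the post by first listing every PAM module that is referenced but missing, then commenting out the chosen one while keeping a backup.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not part of PAM or the post.

# list_missing_pam_modules CONF_DIR MODULE_DIR
#   Print each pam_*.so named on an active (uncommented) line of the files
#   in CONF_DIR that does not exist in MODULE_DIR. Backups (*.bak) are skipped.
list_missing_pam_modules() {
    conf_dir=$1
    module_dir=$2
    for f in "$conf_dir"/*; do
        [ -f "$f" ] || continue
        case $f in *.bak) continue ;; esac
        grep -v '^[[:space:]]*#' "$f" || true
    done | grep -o 'pam_[A-Za-z0-9_]*\.so' | sort -u |
        while read -r module; do
            [ -e "$module_dir/$module" ] || printf '%s\n' "$module"
        done
}

# comment_out_pam_module FILE MODULE
#   Prefix "# " to every active line of FILE that references MODULE
#   (a bare file name such as pam_smbpass.so, no path). The original is
#   kept as FILE.bak. Prints the number of lines that were commented out.
comment_out_pam_module() {
    file=$1
    module=$2
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    # Escape dots so the module name is matched literally.
    name=$(printf '%s' "$module" | sed 's/\./\\./g')
    # Active line: first non-blank character is not '#'.
    active="^[[:space:]]*[^#[:space:]].*$name"
    changed=$(grep -c "$active" "$file" || true)
    if [ "$changed" -gt 0 ]; then
        cp -p "$file" "$file.bak"
        sed "/$active/s/^/# /" "$file.bak" > "$file"
    fi
    printf '%s\n' "$changed"
}

# Usage with the paths from the post (run as root, and keep a second root
# shell open until a fresh login has been confirmed to work):
#   list_missing_pam_modules /etc/pam.d /lib/security
#   comment_out_pam_module /etc/pam.d/common-auth pam_smbpass.so
#   comment_out_pam_module /etc/pam.d/common-password pam_smbpass.so
```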