On Linux, I can get sshd logs such as:

sshd Accepted publickey for user from xxx.xxx.xxx.xxx port xxx ssh2: RSA SHA256:.....

and send them to a remote syslog server by adding a file in /etc/rsyslog.d/

How can I get similar data on macOS 10.14 (Mojave), and also have macOS send the data to a remote syslog server?

I can get the data I want using this command:

log stream --process sshd --info --predicate "messageType = 'info'"

Now I need to figure out how to configure ASL (Apple System Logger).

Giacomo1968
  • 58,727
weiyin
  • 261

1 Answer

I ended up using the log command to stream the messages to a file, and then used an external program (remote_syslog2) to stream the file contents to the remote syslog server.

To write log messages to a file /var/log/sshd.log, I created a file /Library/LaunchDaemons/log-streamer-sshd.plist with the contents:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>log-streamer-sshd</string>
    <key>ProgramArguments</key>
    <array>
      <string>/bin/sh</string>
      <string>-c</string>
      <string>/usr/bin/log stream --info --style compact --predicate '(sender == "sshd")'</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>ServiceDescription</key>
    <string>Start sshd log stream</string>
    <key>ExitTimeOut</key>
    <integer>1</integer>
    <key>StandardOutPath</key>
    <string>/var/log/sshd.log</string>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>

On boot, the LaunchDaemon runs the log command, selecting only messages sent by sshd. Its output is written to /var/log/sshd.log.

The results of my research into this follow.

Apple has reinvented the syslog wheel twice. In the beginning, OS X used syslog the same way as most Unix/Linux systems. Log messages are classified by facility and severity, and syslog.conf can be configured to write to log files and remote syslog servers.

Later, Apple introduced Apple System Log (ASL). ASL allowed more fine-tuned behavior, such as separating log messages by metadata (e.g. process ID) and complex rules via predicates. ASL also integrates logrotate functionality.

Starting in macOS 10.2 Sierra, the final form of logging became Unified Logging (UL). UL stores logs on disk in a proprietary and undocumented compressed binary format, effectively a database. Many log messages may not even be written to disk, but just held temporarily in memory. UL features include permission controls on access to log messages, controlling what users or groups can see which messages. It can also control the display or saving of messages for privacy. Subject to developer overrides, string replacements, arrays, and objects in log messages are considered to have private data, while integer replacements and static strings are assumed to not have private data.

The only ways to read UL logs are to use the Console GUI app and the log command-line tool. Some developers have created apps to help query UL, but those are just front-ends to the log command. Apple has not provided any APIs to programmatically get log messages, only to write log messages. Logs can be exported to a different system via sysdiagnose, but again can only be read on another Mac with Console or the log command.

At least in Mojave, most system logs are either sent directly to UL or redirected from syslog and ASL to UL. I could only find the sshd messages I wanted in UL.

Another possibility may have been to run sshd with the -E flag. That would involve editing the ssh.plist file in LaunchDaemons, but can only be done by disabling System Integrity Protection. I decided that was less than ideal and would introduce brittleness (what happens when the OS gets upgraded?).

Links for additional info:

weiyin
  • 261
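As an added example (not part of the answer above and not remote_syslog2's code): a minimal forwarder that reads the compact-style lines the LaunchDaemon writes to /var/log/sshd.log, keeps only sshd records, and renders them as RFC 3164 syslog messages for a UDP collector. The exact compact line layout, the sample lines and the collector address are assumptions.

```python
import re
import socket
from datetime import datetime
# One `log stream --style compact` record: timestamp, type letter, proc[pid:tid],
# optional [subsystem:category], message. This layout is an assumption.
COMPACT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+\S+\s+"
    r"(?P<proc>[^\[\s]+)\[(?P<pid>\d+):[0-9a-fx]+\]\s+(?:\[[^\]]*\]\s+)?(?P<msg>.*)$")
FACILITY_AUTH, SEV_INFO, SEV_WARNING = 4, 6, 4   # RFC 3164 facility/severity codes

# Constructed sample; the last line mimics the banner `log stream` prints first.
SAMPLE_LINES = [
    "2019-03-07 14:05:12.481 I  sshd[2210:5f3a] [com.openssh.sshd:default] "
    "Accepted publickey for alice from 192.0.2.10 port 52144 ssh2: RSA SHA256:EXAMPLEFP",
    "2019-03-07 14:05:40.102 I  sshd[2231:5f7c] Failed password for invalid user bob "
    "from 198.51.100.7 port 40022 ssh2",
    'Filtering the log data using "sender == "sshd""',
]

def parse_compact_line(line):
    """Return the fields of one compact-style record, or None for non-record lines."""
    m = COMPACT_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def to_rfc3164(rec, hostname):
    """Render a record as <PRI>TIMESTAMP HOST TAG: MSG; failures get WARNING severity."""
    sev = SEV_WARNING if rec["msg"].startswith(("Failed", "Invalid")) else SEV_INFO
    dt = datetime.strptime(rec["ts"][:19], "%Y-%m-%d %H:%M:%S")
    stamp = f"{dt:%b} {dt.day:2d} {dt:%H:%M:%S}"        # RFC 3164 day is space-padded
    return f"<{FACILITY_AUTH * 8 + sev}>{stamp} {hostname} {rec['proc']}[{rec['pid']}]: {rec['msg']}"

def udp_sender(host, port):
    """Return a send(msg) callable that relays one message to a UDP syslog collector."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return lambda msg: sock.sendto(msg, (host, port))

def forward(lines, send, hostname):
    """Parse sshd records from `lines`, pass each rendered message to `send`, return the count."""
    sent = 0
    for line in lines:
        rec = parse_compact_line(line)
        if rec and rec["proc"] == "sshd":
            send(to_rfc3164(rec, hostname).encode())
            sent += 1
    return sent

if __name__ == "__main__":
    # Dry run over the constructed sample. To ship the real file, use
    # forward(open("/var/log/sshd.log"), udp_sender("syslog.example.net", 514), socket.gethostname())
    rendered = []
    print(forward(SAMPLE_LINES, rendered.append, "mac-mini"), "sshd records")
    print(*[m.decode() for m in rendered], sep="\n")
```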