Logging Failed Login Attempts of Non-Existing Accounts: Should You Do It?

In terms of application-layer authentication, it is common to track failed login attempts to existing user accounts. However, I have not seen anyone tracking failed login attempts of non-existing user accounts (meaning those that cannot be identified using a public identifier, e.g. email).

You are looking at different types of attacks. Logging failed attempts for known users is an attack against a specific user. By definition, a failed login attempt against a non-existent user will always fail since there is no password to match. This could show attempts to enumerate users or it may show attempts to profile an application.

From some of your follow-ups above, it seems you want to log each entry but are concerned that the logs could lead to security concerns. For example, if a real user mistypes their id and puts in the real password, this could lead to targeted attempts using variations of the username (attempting to use the incorrect username to reach the real username) with the typed password or variations.

I would recommend logging the IP and usernames to perform heuristics and to create blocking rules (stop brute forcing from an IP by blocking the IP for some period of time or requiring a CAPTCHA, etc.). Usernames combined with passwords may be helpful in identifying the methodology of the attacker (e.g., they think you are using application backend A which has default username X and default password Y). However, generally, you want to take action to block the attack and identify the source. There is greater risk in recording the passwords, even if hashed, than the value you might get from analyzing these passwords or hashes, since knowing the passwords isn’t a good key to block future attacks, since any given password may be valid for another user.
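The following is an added example, not code from the question or the answer above, showing one way to put the answer's advice into practice: every failed attempt is recorded with timestamp, source IP and the submitted identifier (whether or not that account exists), the password is never written out even in hashed form, the response to the client is the same for unknown users and wrong passwords, and a per-IP failure counter drives a temporary block. The user store, salt, thresholds and IP addresses are constructed sample values.

```python
"""Added example: log failed logins for known and unknown usernames without
storing passwords, and block an IP after repeated failures.
All users, hashes, thresholds and addresses are constructed sample values."""
import hashlib
import hmac
import time
from collections import defaultdict, deque


def _hash(password: str) -> bytes:
    # PBKDF2 with a constructed fixed salt; a real store uses a per-user salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 50_000)


# Constructed sample user store: username -> password hash.
USERS = {"alice": _hash("correct horse"), "bob": _hash("hunter2")}
# Compared against for unknown usernames so the request takes the same time
# as a real comparison and does not reveal whether the account exists.
_DUMMY_HASH = _hash("dummy-password-for-unknown-users")

MAX_FAILURES = 5        # failures per window before the source IP is blocked
WINDOW_SECONDS = 600    # sliding window for counting failures
BLOCK_SECONDS = 900     # how long a blocked IP stays blocked


class LoginMonitor:
    def __init__(self):
        self.log = []                        # structured records, no passwords
        self.failures = defaultdict(deque)   # ip -> timestamps of failures
        self.blocked_until = {}              # ip -> epoch seconds

    def _record(self, ip, username, outcome, now):
        # The submitted password is deliberately not stored, even hashed.
        self.log.append({"ts": now, "ip": ip, "username": username, "outcome": outcome})

    def is_blocked(self, ip, now=None):
        now = time.time() if now is None else now
        return self.blocked_until.get(ip, 0) > now

    def attempt(self, ip, username, password, now=None):
        """Return 'success', 'failure' or 'blocked'. The failure response is the
        same for a wrong password and a non-existent user; the distinction is
        kept only in the server-side log."""
        now = time.time() if now is None else now
        if self.is_blocked(ip, now):
            self._record(ip, username, "blocked", now)
            return "blocked"
        stored = USERS.get(username, _DUMMY_HASH)
        # Always run the comparison, then check existence, so timing is uniform.
        matched = hmac.compare_digest(stored, _hash(password))
        if matched and username in USERS:
            self._record(ip, username, "success", now)
            return "success"
        outcome = "fail_bad_password" if username in USERS else "fail_unknown_user"
        self._record(ip, username, outcome, now)
        window = self.failures[ip]
        window.append(now)
        while window and window[0] < now - WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_FAILURES:
            self.blocked_until[ip] = now + BLOCK_SECONDS
        return "failure"

    def unknown_user_report(self, ip):
        """Heuristic from the log: distinct non-existent usernames tried from one
        IP, a signal of enumeration or of probing for default accounts."""
        return sorted({r["username"] for r in self.log
                       if r["ip"] == ip and r["outcome"] == "fail_unknown_user"})


def demo():
    # Constructed sequence of attempts from one source address.
    m = LoginMonitor()
    t = 1_700_000_000.0
    m.attempt("203.0.113.5", "alice", "wrong", now=t)
    for i, name in enumerate(["admin", "root", "test", "guest"]):
        m.attempt("203.0.113.5", name, "password", now=t + 1 + i)
    return m.is_blocked("203.0.113.5", now=t + 10), m.unknown_user_report("203.0.113.5")


if __name__ == "__main__":
    print(demo())
```

The blocking decision is keyed on the source IP and the failure count only, which is what the answer recommends; the log keeps the unknown-user distinction for analysis, but the client never sees it.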
