Please see screen shot below. This is how my ROR data looks like where I am only running ROR ES without any ROR Kibana plugin. So I would get basic auth prompt in Chrome and entering invalid id/pwd combination does not log user id.
I am wondering if this is anywhere related to long standing Kibana issue where user auth header is not consistently passed. Its just a guess. In captured header, it says User not logged.
So I tried it on another server which has new version of ES and also has ROR Kibana plugin with basic auth prompt turned off. For failed attempts, its logging user id. In log, it will show user id with (attempted).
I also tried it from SOAP UI by passing incorrect password. Its logging the user id in this case as well similar to above case.
This may become a non issue once we start using ROR Kibana plugin in another 3-4 weeks. So I am okay with this not being addressed.
We were originally struggling with identifying failed login attempts by user. But eventually figured out that issue was due to user OU being different (see below issue). So even when user was part of AD group, they were unable to get past login prompt. But now with we rolling out the dashboard feature, we are getting more users from different OU and our ACL rules keep duplicating. So I would rather have you prioritize that issue over this user id issue 