yeah sounds good.
I want to suggest some extensions for that, what could be discussed:
- make a configurable option of how many failed login-attempts could be done "unlogged", so eg only after 3 failed logins within 10 minutes the fourth logs the attempt. otherwise the log-session gets dropped. (internally it stil llogs, but externally the user doesnt get annoyed)
- alternatively send an email if email-functionality is on.