When you can log bad usernames for failed authentications
I've said before that when you log failed authentications you should omit the login name if it's a nonexistent user; otherwise, sooner or later you will log someone's password. But sometimes this is inconvenient and you'd really like to log at least some nonexistent usernames; for example, you might want to find out which usernames attackers are probing.
The simple answer is that you can log nonexistent usernames when you know that they're not passwords. Of course, the devil is in the details, specifically on how you know this.
The straightforward way is to have a list of popular or interesting
nonexistent usernames, for example standard or common logins that
you've removed from your system (or never had in the first place). You
probably don't have a
guest account but you might want to know how
often people try it.
The more advanced way is to have your software know something about your policies on strong passwords. If a nonexistent username fails your password strength tests, it pretty much can't possibly be a valid password for any of your accounts and you're free to log it. You don't have to implement all of your password checks, and in fact I suspect that in most environments you'd get the largest benefit from a few very basic and simple ones, most especially a 'no all lower case' rule if you have it (since most usernames are all lower case).
Web apps that use email addresses as the user identifier can apply similar basic heuristics. If you have a decent validation system for 'is this an email address', I think it's very unlikely that you have a user's password.
(Of course if failed authentications are not actionable logs then the only reason to do any of this is for your vague interest and there's no point in working particularly hard at it.)