...only true of course if you forget that user != user agent.

Just because jschmoe seems to get his password wrong 95% of the time doesn't mean that I don't find the 9500 times he flubbed a sudo command valuable signal that something may be up. Especially if he can only recall ever using sudo himself once in a blue moon.

There is the user in the context of the system, then there is the ultimate person interfacing with and feeding the system input and output.

Hell, sudo itself is the perfect illustration of why an operator would want such a log.

Sorry, I miswrote. The actual issue is not that the user hasn't typed a password right, but that the user is not in the sudoers file and trying to run a sudo command.

Doing that just once is reported with an e-mail to root. (Would you believe it?) People have been complaining about this for years. It's a pretty poor feature.

If the intent is to remind root that some users are missing sudo access who ought ot have sudo access, the phrasing is all wrong: "this incident will be reported" is disciplinary language, like the user has done something wrong.

Likely they are just copying and pasting something from a web search (or got from an AI chat, nowadays).

The entirely separate su program generates no e-mails from people guessing the password wrong. You can grep your auth.log for that, if you care.

I just tried su with one bad password attempt on a Debian box. The program quit immediately and logged this:

  Apr 30 2023 15:37:21 localhost su[22401]: FAILED su for root by kaz
  Apr 30 2023 15:37:21 localhost su[22401]: - /dev/pts/6 kaz:root

that is the real message to root: the log. Don't bug people with e-mails.

The correct requirement of a failed sudo would be to emit a message conveying this meaning: "Sudo didn't execute your command because your account is not listed in the sudoers file. If you think you should be, contact your administrator." It should not be contacting the administrator for you.