Yes, definitely an audit log storing the IP. One additional thing I do is when someone logs in and it is a new IP (one they haven’t logged in at before) it emails the administrator telling them someone has logged in at a new location. It help keep track of when staff are logging in out of hours at home.
The VMS approach was to have the delay be random (within bounds) and the triggering threshold random, within small bounds. I think you could also set it so the delay increased exponentially with more failed attempts. I’m remembering settings from 30 years ago here - Digital’s VAX/VMS was the leading mini/mainframe operating system when it came to security and management features back then.
It’s where most of the security in Windows NT and later came from.
This can be really tricky but I personally think it all depends on conversion, meaning to say if you strongly believe that those logs/records would be beneficial to your product stats then I would say go for it.
I have something similar but for deleted item, I need to understand why certain items are being deleted, when and possibly how many during a certain period of time.