Chwala does not log failed login attempts to /var/log/chwala/userlogins, if the user name does exist. In constrast to that, a log entry is emitted, if the user name does not exist.
Reproducing is easy: Open the Chwala interface with a browser, enter an existing user name, but wrong password. Have a look into /var/log/chwala/userlogins.
That opens the door to brute force attacks when the user name is known.