diff --git a/CHANGELOG-7.md b/CHANGELOG-7.md
index 287d0d603d..dc2603ee94 100644
--- a/CHANGELOG-7.md
+++ b/CHANGELOG-7.md
@@ -6,7 +6,6 @@ and this project adheres to
 [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 ## [Unreleased]
-
 ### Breaking
 - Embedded etcd is no longer supported, all related configuration has been removed.
@@ -26,7 +25,9 @@ migrated from Etcd.
 - Added configuration store selector to sensu-backend.
 - Added postgresql state store.
 - GlobalResource interface in core/v3 allows core/v3 resources to
-be marked as global resources.
+ be marked as global resources.
+- The authentication module now logs successful (INFO) and unsuccessful (ERROR)
+ login attempts.
 ### Fixed
 - Fixed an issue where multi-expression exclusive "Deny" filters were not
diff --git a/backend/authentication/authenticator.go b/backend/authentication/authenticator.go
index 775c7c81c5..218f1048a4 100644
--- a/backend/authentication/authenticator.go
+++ b/backend/authentication/authenticator.go
@@ -6,6 +6,8 @@ import (
 "fmt"
 "sync"
+ "github.com/sirupsen/logrus"
+
 corev2 "github.com/sensu/sensu-go/api/core/v2"
 )
@@ -33,11 +35,20 @@ func (a *Authenticator) Authenticate(ctx context.Context, username, password str
 continue
 }
+ logger.WithFields(logrus.Fields{
+ "subject": claims.Subject,
+ "groups": claims.Groups,
+ "provider_id": claims.Provider.ProviderID,
+ "provider_type": claims.Provider.ProviderType,
+ "provider_userid": claims.Provider.UserID,
+ }).Info("login successful")
 return claims, nil
 }
 // TODO(palourde): We might want to return a more meaningful and actionnable
 // error message, but we don't want to leak sensitive information.
+
+ logger.WithField("username", username).Error("authentication failed")
 return nil, errors.New("authentication failed")
 }
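Review bot: The failure-path log at the end of Authenticate records `username` exactly as the client sent it, before any provider has vouched for it, so the field is attacker-controlled and unbounded, and it will also capture passwords that users type into the username box by mistake. Cap the length before logging, for example `logger.WithField("username", truncateForLog(username)).Error("authentication failed")`, where `truncateForLog` is a small new helper to be written, and treat these log lines as sensitive for retention and access control. The entry also carries no source address or request identifier, which makes repeated failures hard to attribute to one client during brute-force or password-spraying triage; if the caller's context holds one (not visible in this hunk), add it as a field. Because every failed attempt is logged at ERROR, an unauthenticated client can drive error-level volume, so alerting keyed on ERROR should be rate-aware or this line could be emitted at a warning level instead. The body of Authenticate starts outside the hunk, so the per-provider error handling before `continue` was not reviewed.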