At the moment, broker closes the client connection if SASL authentication fails. Clients see this as a connection failure and do not get any feedback for the reason why the connection was closed. Producers and consumers retry, attempting to create successful connections, treating authentication failures as transient failures. There are no log entries on the client-side which indicate that any of these connection failures were due to authentication failure.
This JIRA will aim to improve diagnosis of authentication failures with the changes described in KIP-152.
This JIRA also does not change handling of SSL authentication failures. javax.net.debug provides sufficient diagnostics for this case. SSL changes are harder to do while preserving backward compatibility.