diff --git a/docs/changelog/122247.yaml b/docs/changelog/122247.yaml
new file mode 100644
index 0000000000000..95c02a6f19fb3
--- /dev/null
+++ b/docs/changelog/122247.yaml
@@ -0,0 +1,5 @@
+pr: 122247
+summary: Improve jwt logging on failed auth
+area: Authentication
+type: bug
+issues: []
diff --git a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealm.java b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealm.java
index 7613e7b3972af..bc157536434f4 100644
--- a/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealm.java
+++ b/x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtRealm.java
@@ -263,12 +263,10 @@ public void authenticate(final AuthenticationToken authenticationToken, final Ac
                     + tokenPrincipal
                     + "] with header ["
                     + jwtAuthenticationToken.getSignedJWT().getHeader()
-                    + "] and claimSet ["
-                    + jwtAuthenticationToken.getJWTClaimsSet()
                     + "]";
 
                 if (logger.isTraceEnabled()) {
-                    logger.trace(msg, ex);
+                    logger.trace(msg + " and claimSet [" + jwtAuthenticationToken.getJWTClaimsSet() + "]", ex);
                 } else {
                     logger.debug(msg + " Cause: " + ex.getMessage()); // only log the stack trace at trace level
                 }