Is it legal to log passwords from failed logins?

I don’t think that “legal” is the right term to use.

It’s not wise: a lot of times the “right” password is only one letter different from the “wrong” password (typo/capital letters/…). So if somebody evil gets this log he may easily guess the correct password.

Another problem is that people re-use passwords, so they use the same password for your site/gmail/facebook/bank. So even if your site doesn’t have sensitive information about users, it’s very possible that getting a user’s credentials from your site will let a hacker access the user’s other accounts (email/CC/bank). And you don’t want to be the source of something like that.


As mentioned, it is perfectly legal in many jurisdictions, as the owner of the machine can do what they want with this data (it doesn't count as personal data under most data protection statutes).

But it raises a risk - that the viewer of those logs could build up a good idea of people's passwords, which removes the auditability of actions (they could log in as the individual whose password has been logged) so it would be a very bad idea, and in regulated industries would raise a problem!


Very bad idea indeed. People sometimes enter the password for another site. If that were logged it would be valuable information for anyone who can access the log. One can often guess, from a small number of sites, for which of these the password is correct.
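As an added example (not code from any of the answers above), here is a Python failed-login logger that records what an investigator needs, the username and source address, but never the attempted secret, plus a `logging.Filter` acting as a safety net for legacy call sites that pass the password as a structured field. The class and function names, the `SENSITIVE_KEYS` list and the sample events are all constructed for this illustration.

```python
import logging
from io import StringIO

# Assumed list of field names whose values must never reach a log sink.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "secret", "token", "otp"}


class RedactSecrets(logging.Filter):
    """Safety net: scrub secret-looking fields from a LogRecord before formatting.
    Handles a dict passed as message args ("%(password)s", {...}) and extra={...}."""

    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.args, dict):
            record.args = {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v)
                           for k, v in record.args.items()}
        for attr in list(vars(record)):
            if attr.lower() in SENSITIVE_KEYS:
                setattr(record, attr, "[REDACTED]")
        return True


def make_auth_logger(sink: StringIO) -> logging.Logger:
    """Build an isolated logger that writes to `sink` with the redaction filter attached."""
    logger = logging.getLogger(f"auth-{id(sink)}")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(sink)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactSecrets())
    logger.addHandler(handler)
    return logger


def record_failed_login(logger: logging.Logger, username: str, source_ip: str,
                        attempted_password: str) -> None:
    """Log who and from where; the attempted password is deliberately unused, because
    even a near-miss ("Hunter2" vs "hunter2") would hand a log reader the real credential."""
    del attempted_password
    logger.warning("failed login user=%s ip=%s", username, source_ip)


def demo() -> str:
    """Run constructed failed-login events through the logger and return the log text."""
    sink = StringIO()
    logger = make_auth_logger(sink)
    # Constructed events: a typo of the real password, then a password reused from
    # another site. Neither may appear in the output.
    record_failed_login(logger, "alice", "203.0.113.7", "Hunter2")
    record_failed_login(logger, "alice", "203.0.113.7", "hunter2!gmail")
    # Legacy call site that wrongly passes the secret as a field: the filter catches it.
    logger.warning("failed login user=%(user)s pw=%(password)s",
                   {"user": "bob", "password": "correct horse battery staple"})
    return sink.getvalue()
```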