Support

Whether a request is blocked is controlled entirely by the Configure WAF options, of course. If a request is blocked, it might be logged in the database, and/or you might receive an email about it.

Whether a blocked request results in a database log line is controlled by the “Do not log these reasons” option. By default this is empty, meaning that all blocked requests are logged.

Whether a blocked request results in an email being sent is controlled by the “Do not send email notifications for these reasons” and whether there is anything in “Email this address on blocked request”. Moreover, it depends on the component's Options where you can find options for throttling emails.

With that in mind, it's likely that the “Do not log these reasons” tells Admin Tools not to log something, or your database's #__admintools_logs table has crashed, or you are looking at the wrong site. About the latter, if you have transferred your site between hosts it is possible that the old site is not deleted, and somehow traffic does get routed to it (there are several DNS and web server misconfigurations which can do that). This could end up in the “wrong” site being attacked, and you receiving email about it. The BEST way to check if this is the case is to correlate your emails with your web server logs. Do you see the requests to the Target URL at a time around the one reported in the email, and from the IP reported in the email? If yes, the email came from the “right” site. If not, the email came from the “wrong” site.

To try, I have disconnect from the backend and try to connect with a wrong user and password to see if this is logged, and this is not (it should be no ?).

That's an oversimplification. What happens depends entirely on your configuration.

Your failed login with a username and password will be logged if all of the following conditions are simultaneously true:

1. No other hosting-, server-, or application-level code is blocking your request such as but not limited to a CDN in front of your site, a third party or host-provided security application in front of your site, an Operating System-level firewall such as ipfilters, web server configuration, and third party Joomla! plugins.
2. Your IP or request is not blocked immediately by any other feature such as but not limited to Administrator Exclusive Allow IP List, Site IP Disallow List, or any other Web Application Firewall issue.
3. There is no entry in WAF Exceptions which could possibly override this check (at the time of the writing this cannot be the case for login checks, so you're safe).
4. “Treat failed logins as a reason for blocking the request” is set to Yes.
5. “Log blocked requests” is set to Yes.
6. “Do not log these reasons” does NOT contain Login Failure.
7. If “Allow administrator access only to IPs in Exclusive Allow IP List” is set to Yes: your IP address does NOT match any of the IP expressions in the Administrator Exclusive Allow IP List.
8. Your IP address does NOT match any of the IP expressions in “Never block these IPs”.
9. Your IP address does NOT match any of the IP expressions in “Site IP Allow List”.
10. The hostname your IP address resolves to does NOT match any of the expressions in “Never blocked domains”.

An email will be sent if all of the above conditions are met along with all of the following conditions:

1. “Email this address on blocked request” contains an email address which can reliably receive email.
2. Email sending has been configured correctly and enabled in your site's Global Configuration and tested to be working.
3. The System, Mail Templates page contains a valid template for the “Admin Tools: Blocked request” template in either your language or the default fallback language of  your site (usually en-GB).
4. The settings in the component's Options page, Email Sending tab do not apply a throttling for emails (“Blocked request email throttling” is Off), or the throttling threshold has not been reached.

From your reply I do not understand if you see a logged blocked request, and if you do if it has logged your real IP address. As a result, I cannot help you any further.