By default Rails 4.x does not show forbidden attributes in production in log or in the exception itself:

http://api.rubyonrails.org/classes/ActionController/Parameters.html

I see no reason not to log it, possible attacker needs access to logs in order to find which attribute was denied.

This makes debugging much harder.