Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]

Hi @aaronlbk

Something does not make sense: you have an empty elasticsearch.yml, yet you have authentication enabled... that is not normal / highly unusual (basically, not sure how that is even possible).

Are you sure that is the elasticsearch.yml that is being used?

How did you install Elasticsearch? Is this an upgrade from 7.x?

Normally you would turn on Audit logging but that requires a License.

Something is definitely attempting to authenticate...

You might be able to see which process by using something like the following, since it looks like Elasticsearch is only bound to localhost/127.0.0.1:

```
lsof -nPi tcp:9200
```

Example on my localhost: in this case I can see filebeat is connecting. You might need to run it more than once.

```
$ lsof -nPi tcp:9200
COMMAND     PID   USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
filebeat   3424 sbrown   14u  IPv4 0x62479b09038ccbd9      0t0  TCP 127.0.0.1:64616->127.0.0.1:9200 (ESTABLISHED)
com.docke 28413 sbrown  169u  IPv6 0x62479b0904e04771      0t0  TCP *:9200 (LISTEN)
com.docke 28413 sbrown  231u  IPv6 0x62479b0901835771      0t0  TCP 127.0.0.1:9200->127.0.0.1:64616 (ESTABLISHED)
```
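Added example, not part of the original post: a short-lived client can be missed by a single `lsof` run, so this sketch samples repeatedly and keeps only the client side of each connection (sockets whose remote end is the Elasticsearch port), dropping the listener and the server-side half. The function names `clients_of_port` and `watch_port` are hypothetical; the sample input is the output shown in the post.

```shell
#!/bin/sh
# Filter `lsof -nPi tcp:PORT` output (read from stdin) down to the processes
# that are *connecting to* PORT. Prints unique "COMMAND PID USER" lines.
clients_of_port() {
    awk -v port="$1" '
        $1 == "COMMAND" && $2 == "PID" { next }   # header, repeated per sample
        {
            # Field 9 is NAME: "local->remote" for connected sockets,
            # a bare "addr:port" for listeners.
            n = split($9, ends, "->")
            if (n != 2) next                      # LISTEN socket, no peer
            if (ends[2] !~ (":" port "$")) next   # server-side half of the pair
            print $1, $2, $3
        }' | sort -u
}

# Sample once per second for ROUNDS seconds and report every client seen.
# Usage: watch_port 9200 30
watch_port() {
    port=${1:-9200}
    rounds=${2:-30}
    i=0
    while [ "$i" -lt "$rounds" ]; do
        # lsof exits non-zero when nothing matches; that is not an error here.
        lsof -nPi "tcp:$port" 2>/dev/null || true
        sleep 1
        i=$((i + 1))
    done | clients_of_port "$port"
}

# Sample input: the lsof output from the post above.
SAMPLE='COMMAND     PID   USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
filebeat   3424 sbrown   14u  IPv4 0x62479b09038ccbd9      0t0  TCP 127.0.0.1:64616->127.0.0.1:9200 (ESTABLISHED)
com.docke 28413 sbrown  169u  IPv6 0x62479b0904e04771      0t0  TCP *:9200 (LISTEN)
com.docke 28413 sbrown  231u  IPv6 0x62479b0901835771      0t0  TCP 127.0.0.1:9200->127.0.0.1:64616 (ESTABLISHED)'

printf '%s\n' "$SAMPLE" | clients_of_port 9200
```

Run `watch_port` as root (or as the user owning the client process) so that sockets belonging to other users are visible to `lsof`.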