Hi @aaronlbk
Something does not make sense: you have an empty elasticsearch.yml, yet you have authentication enabled... that is not normal / highly unusual (basically, not sure how that is even possible).
Are you sure that is the elasticsearch.yml that is being used?
How did you install Elasticsearch? Is this an upgrade from 7.x?
Normally you would turn on Audit logging but that requires a License.
Something is definitely attempting to authenticate...
You might be able to see which process by using something like the following, since it looks like elasticsearch is only bound to localhost/127.0.0.1:
```
lsof -nPi tcp:9200
```
Example on my localhost: in this case I can see filebeat is connecting. You might need to run it more than once.
```
$ lsof -nPi tcp:9200
COMMAND     PID   USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
filebeat   3424 sbrown   14u  IPv4 0x62479b09038ccbd9      0t0  TCP 127.0.0.1:64616->127.0.0.1:9200 (ESTABLISHED)
com.docke 28413 sbrown  169u  IPv6 0x62479b0904e04771      0t0  TCP *:9200 (LISTEN)
com.docke 28413 sbrown  231u  IPv6 0x62479b0901835771      0t0  TCP 127.0.0.1:9200->127.0.0.1:64616 (ESTABLISHED)
```
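
Added example, not part of the original post: a shell helper that reduces `lsof -nPi` output to the client side of established connections to port 9200 and polls it, since a single run can miss short-lived connections. The function names and polling defaults are assumptions; the sample rows are the ones shown in the post above.

```shell
# Read `lsof -nPi` output on stdin and print "COMMAND PID USER" for each
# ESTABLISHED row whose *remote* end is the given port (default 9200).
# That keeps the connecting client and drops the listener and the
# server-side half of the same connection.
es_clients() {
  awk -v port="${1:-9200}" '
    $NF == "(ESTABLISHED)" {
      name = $(NF - 1)                # e.g. 127.0.0.1:64616->127.0.0.1:9200
      if (split(name, ends, "->") != 2) next
      m = split(ends[2], parts, ":")  # last ":" field is the port (IPv6-safe)
      if (parts[m] == port) print $1, $2, $3
    }' | sort -u
}

# Poll lsof ROUNDS times, INTERVAL seconds apart, and print each distinct
# client once. Without root, lsof only reports your own processes.
# Usage (hypothetical defaults): watch_es_clients 9200 30 1
watch_es_clients() (
  port="${1:-9200}"; rounds="${2:-30}"; interval="${3:-1}"
  i=0
  while [ "$i" -lt "$rounds" ]; do
    lsof -nPi "tcp:${port}" 2>/dev/null | es_clients "$port"
    sleep "$interval"
    i=$((i + 1))
  done | sort -u
)

# Sample input: the lsof rows shown in the post above.
sample_lsof() {
  cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
filebeat 3424 sbrown 14u IPv4 0x62479b09038ccbd9 0t0 TCP 127.0.0.1:64616->127.0.0.1:9200 (ESTABLISHED)
com.docke 28413 sbrown 169u IPv6 0x62479b0904e04771 0t0 TCP *:9200 (LISTEN)
com.docke 28413 sbrown 231u IPv6 0x62479b0901835771 0t0 TCP 127.0.0.1:9200->127.0.0.1:64616 (ESTABLISHED)
EOF
}
```

Once a client process shows up, its PID can be used to find the configuration that holds the credentials it is sending.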