I have X-Pack security audit enabled with file and index output. After I set up TLS for inter-node, Kibana and Filebeat communications, the security_audit_log* indexes started being filled with hundreds of authentication_failed events for different users (personal accounts of Kibana users, Filebeat's, etc.), whereas the ES *_access.log files show only rare, real failed logins. There are no such failed authentications, and not even any events with the same timestamps, in the log files. And these simply don't look real: I definitely don't fail to log in with my personal account hundreds of times per minute.
All those indexed failed authentication events happen on only 1 of 3 nodes (not currently master), the one where Kibana is running and pointed to and where Filebeat is sending logs. Failures occur only during periods of user activity, e.g. auth failures for my personal account during work hours and Filebeat's all the time (live log stream). For personal accounts' failures, the node address and origin address are the same (that one node producing these docs); for Filebeat's, the origin address is the Filebeat host's IP.
Realms config is default (so should be native+file).
Environment: ES + Kibana + Filebeat, all v5.1 on RHEL7.
Has anyone experienced this?