Trace source of authentication failures from logs

I am seeing this log repeated twice a minute on one of my ES servers:

[2023-05-10T00:11:33,186][WARN ][o.e.x.s.a.RealmsAuthenticator] [secesprd02] Authentication to realm default_native failed - Password authentication failed for beat_setup

The problem is that there is no indication of where the authentication attempt originated from.

How can I tell which host is causing this?

I have used netstat to check who is connecting to the server, but there is nothing unexpected. I have looked for repeated short sessions, but there aren't any.

Russell

OK, I found the xpack.audit setting but that does not work since I am using the basic licence.