I found out that the problem is the filter.
"query" : {"match" : {"message": "*Too many authentication failures*"}},
This isn't finding the literal string with wildcards, it is finding any word in the string... It matches on authentication, or failures, or many... However, in Kibana that search works fine...
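The behaviour described in the post, as an added example that is not part of the original post: a simplified Python model of how Elasticsearch treats a `match` query (the text is analyzed, the `*` characters are dropped, and the remaining terms are OR'ed) next to `match_phrase`, which requires the terms adjacent and in order. The tokenizer is a rough stand-in for the standard analyzer, and the log lines and helper names are constructed for illustration.

```python
import re

# Constructed sample log lines (not from the original post).
LOGS = [
    "sshd[812]: error: Too many authentication failures for root from 203.0.113.7",
    "sshd[813]: Accepted publickey for deploy: authentication succeeded",
    "backup: many files skipped, 3 failures",
]

# Query body using match_phrase instead of match (field name taken from the post).
PHRASE_QUERY = {"query": {"match_phrase": {"message": "Too many authentication failures"}}}


def analyze(text):
    """Rough model of the standard analyzer: lowercase, split on non-alphanumerics.
    Punctuation such as '*' never becomes a term, so it cannot act as a wildcard."""
    return re.findall(r"[a-z0-9]+", text.lower())


def match(query, doc):
    """Model of `match` with the default OR operator: any one query term is a hit."""
    doc_terms = set(analyze(doc))
    return any(term in doc_terms for term in analyze(query))


def match_phrase(query, doc):
    """Model of `match_phrase`: every term must appear, adjacent and in order."""
    q, d = analyze(query), analyze(doc)
    return any(d[i:i + len(q)] == q for i in range(len(d) - len(q) + 1))


def hits(fn, query):
    """Indexes of the sample lines that the given query model matches."""
    return [i for i, line in enumerate(LOGS) if fn(query, line)]


if __name__ == "__main__":
    print("analyzed terms:", analyze("*Too many authentication failures*"))
    print("match hits:", hits(match, "*Too many authentication failures*"))
    print("match_phrase hits:",
          hits(match_phrase, PHRASE_QUERY["query"]["match_phrase"]["message"]))
```

With `match`, the unrelated lines are hits because each contains at least one of the terms, which would make an alert on this filter fire on noise; the phrase form matches only the sshd failure line.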