diff --git a/elasticsearch/src/main/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrail.java b/elasticsearch/src/main/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrail.java
index ff87e79a2ea..93e88777347 100644
--- a/elasticsearch/src/main/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrail.java
+++ b/elasticsearch/src/main/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrail.java
@@ -445,7 +445,8 @@ public class IndexAuditTrail extends AbstractComponent implements AuditTrail, Cl
         if (events.contains(REALM_AUTHENTICATION_FAILED)) {
             if (XPackUser.is(token.principal()) == false) {
                 try {
-                    enqueue(message("authentication_failed", action, token, realm, indices(message), message), "authentication_failed");
+                    enqueue(message("realm_authentication_failed", action, token, realm, indices(message), message),
+                            "realm_authentication_failed");
                 } catch (Exception e) {
                     logger.warn("failed to index audit event: [authentication_failed]", e);
                 }
@@ -458,7 +459,7 @@ public class IndexAuditTrail extends AbstractComponent implements AuditTrail, Cl
         if (events.contains(REALM_AUTHENTICATION_FAILED)) {
             if (XPackUser.is(token.principal()) == false) {
                 try {
-                    enqueue(message("authentication_failed", null, token, realm, null, request), "authentication_failed");
+                    enqueue(message("realm_authentication_failed", null, token, realm, null, request), "realm_authentication_failed");
                 } catch (Exception e) {
                     logger.warn("failed to index audit event: [authentication_failed]", e);
                 }
diff --git a/elasticsearch/src/test/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrailTests.java b/elasticsearch/src/test/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrailTests.java
index 5b63d5d9892..cf8d58d01aa 100644
--- a/elasticsearch/src/test/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrailTests.java
+++ b/elasticsearch/src/test/java/org/elasticsearch/xpack/security/audit/index/IndexAuditTrailTests.java
@@ -404,7 +404,7 @@ public class IndexAuditTrailTests extends SecurityIntegTestCase {
         auditor.authenticationFailed("_realm", new MockToken(), "_action", message);
         SearchHit hit = getIndexedAuditMessage(enqueuedMessage.get());
 
-        assertAuditMessage(hit, "transport", "authentication_failed");
+        assertAuditMessage(hit, "transport", "realm_authentication_failed");
         Map<String, Object> sourceMap = hit.sourceAsMap();
 
         if (message instanceof RemoteHostMockMessage) {
@@ -430,7 +430,7 @@ public class IndexAuditTrailTests extends SecurityIntegTestCase {
         auditor.authenticationFailed("_realm", new MockToken(), request);
         SearchHit hit = getIndexedAuditMessage(enqueuedMessage.get());
 
-        assertAuditMessage(hit, "rest", "authentication_failed");
+        assertAuditMessage(hit, "rest", "realm_authentication_failed");
         Map<String, Object> sourceMap = hit.sourceAsMap();
         assertThat("127.0.0.1", equalTo(sourceMap.get("origin_address")));
         assertThat("_uri", equalTo(sourceMap.get("uri")));