Closed
Description
Elasticsearch version v6.2
There have been reports from users who index audit logs to a remote cluster that the index settings config option should be clarified to state that it only applies when used locally.
Users have been modifying this setting, expecting it to be reflected in the remote cluster's index layout, which isn't the case. The remote index gets created with whatever is dictated by the templates or settings of the remote cluster.
xpack.security.audit.index.settings
Specifies settings for the indices that the events are stored in. For example, the following configuration sets the number of shards and replicas to 1 for the audit indices:
xpack.security.audit.index.settings:
  index:
    number_of_shards: 1
    number_of_replicas: 1
Should a note be added that this setting applies locally only?