Cluster level log settings can inadvertently enable the deprecated *_access log #47251

Closed
@n0othing

Elasticsearch version: Version: 6.8.3, Build: default/tar/0c48c0e/2019-08-29T19:05:24.312154Z, JVM: 1.8.0_181

JVM version: Java HotSpot(TM) 64-Bit Server VM (build 25.181-b13, mixed mode)

OS version: 18.7.0 Darwin Kernel Version 18.7.0: Tue Aug 20 16:57:14 PDT 2019; root:xnu-4903.271.2~2/RELEASE_X86_64 x86_64

Description of the problem including expected versus actual behavior:

Adjusting the _root logger level via a cluster setting API call can enable the deprecated *_access.log, even if logger.xpack_security_audit_deprecated_logfile.level = off is defined in the log4j2.properties file. It remains enabled even if you null out the cluster setting.

Steps to reproduce:

  1. Enable auditing in the elasticsearch.yml and disable the deprecated *_access.log in the log4j2.properties file.
  2. Switch to debug logging via a cluster setting:

     PUT /_cluster/settings
     {"transient":{"logger._root":"debug"}}

  3. Observe the path.logs directory. The deprecated *_access.log is now being written to.
  4. Clear your debug logging via a null:

     PUT /_cluster/settings
     {"transient":{"logger._root":null}}

  5. *_access.log will continue being written to until the node is restarted.
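
A check an operator could run for the condition reported above, as an added example that is not part of the original issue or the Elasticsearch code base. It assumes the body of `GET /_cluster/settings` has already been fetched and that the logs directory is readable; the function names and the sample file name `mycluster_access.log` are hypothetical.

```python
import glob, json, os, time

def root_logger_override(settings):
    """Return {scope: level} where logger._root is set in a GET /_cluster/settings body.
    Handles both the nested and the flat_settings=true key layouts."""
    found = {}
    for scope in ("persistent", "transient"):
        body = settings.get(scope) or {}
        level = body.get("logger._root")
        if level is None and isinstance(body.get("logger"), dict):
            level = body["logger"].get("_root")
        if level is not None:
            found[scope] = level
    return found

def active_access_logs(logs_dir, since_epoch):
    """Return names of non-empty *_access.log files modified at or after since_epoch."""
    hits = []
    for path in sorted(glob.glob(os.path.join(logs_dir, "*_access.log"))):
        st = os.stat(path)
        if st.st_size > 0 and st.st_mtime >= since_epoch:
            hits.append(os.path.basename(path))
    return hits

def assess(settings, logs_dir, since_epoch):
    """Combine both signals. The file check matters on its own: per the report,
    writes continue after the override is nulled, until the node is restarted."""
    override = root_logger_override(settings)
    active = active_access_logs(logs_dir, since_epoch)
    if active and override:
        status = "deprecated log active, _root override present"
    elif active:
        status = "deprecated log active, no override (restart pending?)"
    elif override:
        status = "override present, deprecated log idle"
    else:
        status = "ok"
    return {"status": status, "override": override, "active_logs": active}

if __name__ == "__main__":
    import tempfile
    # Constructed sample: settings body after the override was cleared with null,
    # plus a throwaway logs directory holding a freshly written access log.
    cleared = json.loads('{"persistent": {}, "transient": {}}')
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "mycluster_access.log"), "w") as f:
            f.write("constructed audit line\n")
        print(assess(cleared, d, time.time() - 60))
```

Checking the cluster settings alone would report a clean state after the null; the file activity check is what catches a node still writing the deprecated log.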
