Use Audit Logging from Elasticsearch.yml Only?


OpenDistro 1.12.0

I have a strange misconfiguration between our clusters. We have 5 ES clusters. 2 of them get their audit configuration from elasticsearch.yml. On these I can’t turn on audit logging from Kibana and the endpoint _opendistro/_security/api/audit is NOT IMPLEMENTED. The other 3 ignore audit settings in elasticsearch.yml and get their configuration from the index.

I actually want them to get their configuration from elasticsearch.yml.

Is there some way to disable the dynamic/hot audit configuration and use the config from elasticsearch.yml? Would it work if I somehow deleted the audit type from .opendistro_security?