What really happened was I was struggling with my newer ES clusters, where the audit logs would begin but then completely die off. Investigating this I wanted to know why the older clusters were configured via elasticsearch.yml and the newer ones via Kibana. I think I have upgraded the older ones a couple times, so they probably started out from 1.9 or 1.10. So this is probably why.
I found a statement in the logs that if I re-run the security configuration it should add the audit type to the security index. Although I don’t like my clusters configured differently, this is probably not worth the risk. I doubt there is a way to make the newer clusters use the elasticsearch.yml config.
The real problem I was struggling with turned out to be that the newer clusters are getting more traffic and the increase in the compliance logging wasn’t able to write fast enough to a single shard (the audit index defaults to 1 primary, 2 replicas). Turns out being overwhelmed it virtually stopped writing. I configured a template for the audit index, increasing the number of primaries, and this fixed the real problem.
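The template fix described in the post, as an added example that is not the poster's own code: it builds a composable index template that raises the primary shard count for new audit indices and flags existing audit indices still on a single primary, since a template only applies to indices created after it is installed. The daily `security-auditlog-*` index pattern, the template name, and the sample `_settings` response are assumptions/constructed for the example.

```python
"""Added example (not from the original post): build an index template that gives
the security audit-log indices more primary shards, and flag existing audit
indices still on one primary. Index pattern and sample response are assumptions."""
import json
import urllib.request

# Assumption: audit indices are created daily and match this pattern.
AUDIT_PATTERN = "security-auditlog-*"


def build_audit_template(primaries: int, replicas: int = 2, pattern: str = AUDIT_PATTERN) -> dict:
    """Composable index template raising the primary count for NEW audit indices.
    Existing indices keep their shard count until the next daily index is created."""
    if primaries < 1:
        raise ValueError("need at least one primary shard")
    return {
        "index_patterns": [pattern],
        "priority": 100,  # win over lower-priority catch-all templates
        "template": {
            "settings": {
                "index.number_of_shards": primaries,
                "index.number_of_replicas": replicas,
            }
        },
    }


def single_primary_indices(settings_response: dict) -> list:
    """Names of indices (shape of GET <pattern>/_settings) that still have 1 primary,
    i.e. the write bottleneck the post describes will persist on them."""
    return sorted(
        name for name, body in settings_response.items()
        if int(body["settings"]["index"]["number_of_shards"]) == 1
    )


def install_template(base_url: str, name: str, template: dict) -> int:
    """PUT the template via the _index_template API; returns the HTTP status.
    Requires a reachable cluster and whatever auth your deployment needs."""
    req = urllib.request.Request(
        f"{base_url}/_index_template/{name}", data=json.dumps(template).encode(),
        method="PUT", headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


# Constructed sample of a _settings response: one index on 1 primary, one already on 3.
SAMPLE_SETTINGS = {
    "security-auditlog-2024.05.01": {"settings": {"index": {"number_of_shards": "1", "number_of_replicas": "2"}}},
    "security-auditlog-2024.05.02": {"settings": {"index": {"number_of_shards": "3", "number_of_replicas": "2"}}},
}
```

Run `single_primary_indices` against the real `_settings` output after installing the template to confirm that only the pre-existing daily indices remain on a single primary.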