From e988ace5f75ac672667f37170634fd6b775e590a Mon Sep 17 00:00:00 2001
From: Albert Zaharovits
Date: Tue, 12 Jun 2018 16:19:43 +0300
Subject: [PATCH] [DOCS] Clarify audit index settings when remote indexing (#30923)
---
 docs/reference/settings/audit-settings.asciidoc | 9 +++++++++
 x-pack/docs/en/security/auditing/output-index.asciidoc | 7 +++++++
 2 files changed, 16 insertions(+)
diff --git a/docs/reference/settings/audit-settings.asciidoc b/docs/reference/settings/audit-settings.asciidoc
index 5995c65a01c9f..524198df58c47 100644
--- a/docs/reference/settings/audit-settings.asciidoc
+++ b/docs/reference/settings/audit-settings.asciidoc
@@ -112,6 +112,15 @@ xpack.security.audit.index.settings:
 number_of_replicas: 1
 ----------------------------
 --
++
+--
+NOTE: These settings apply to the local audit indices, as well as to the
+<>, but only if the remote cluster
+does *not* have {security} installed, or the {es} versions are different.
+If the remote cluster has {security} installed, and the versions coincide, the
+settings for the audit indices there will take precedence,
+even if they are unspecified (i.e. left to defaults).
+--
 [[remote-audit-settings]]
 ==== Remote Audit Log Indexing Configuration Settings
diff --git a/x-pack/docs/en/security/auditing/output-index.asciidoc b/x-pack/docs/en/security/auditing/output-index.asciidoc
index a07bd7a8d06eb..1c59762ea2a98 100644
--- a/x-pack/docs/en/security/auditing/output-index.asciidoc
+++ b/x-pack/docs/en/security/auditing/output-index.asciidoc
@@ -36,6 +36,13 @@ xpack.security.audit.index.settings:
 number_of_replicas: 1
 ----------------------------
+These settings apply to the local audit indices, as well as to the
+<>, but only if the remote cluster
+does *not* have {security} installed, or the {es} versions are different.
+If the remote cluster has {security} installed, and the versions coincide, the
+settings for the audit indices there will take precedence,
+even if they are unspecified (i.e. left to defaults).
+
 NOTE: Audit events are batched for indexing so there is a lag before events appear in the index. You can control how frequently batches of events are pushed to the index by setting