[DOCS] Clarifies recommendation for audit index output type (#31146)

Author: lcawl

x-pack/docs/en/security/auditing/event-types.asciidoc

@@ -1,5 +1,4 @@
 [role="xpack"]
-[float]
 [[audit-event-types]]
 === Audit event types
 

x-pack/docs/en/security/auditing/output-index.asciidoc

@@ -1,5 +1,4 @@
 [role="xpack"]
-[float]
 [[audit-index]]
 === Index audit output
 
@@ -36,3 +35,8 @@ xpack.security.audit.index.settings:
     number_of_shards: 1
     number_of_replicas: 1
 ----------------------------
+
+NOTE: Audit events are batched for indexing so there is a lag before
+events appear in the index. You can control how frequently batches of
+events are pushed to the index by setting
+`xpack.security.audit.index.flush_interval` in `elasticsearch.yml`.

x-pack/docs/en/security/auditing/output-logfile.asciidoc

@@ -1,5 +1,4 @@
 [role="xpack"]
-[float]
 [[audit-log-output]]
 === Logfile audit output
 

x-pack/docs/en/security/auditing/overview.asciidoc

@@ -29,12 +29,7 @@ indexing by setting `xpack.security.audit.outputs` in `elasticsearch.yml`:
 xpack.security.audit.outputs: [ index, logfile ]
 ----------------------------
 
-The `index` output type should be used in conjunction with the `logfile`
-output type Because it is possible for the `index` output type to lose
-messages if the target index is unavailable, the `access.log` should be
-used as the official record of events.
-
-NOTE: Audit events are batched for indexing so there is a lag before
-events appear in the index. You can control how frequently batches of
-events are pushed to the index by setting
-`xpack.security.audit.index.flush_interval` in `elasticsearch.yml`.
+TIP: If you choose to enable the `index` output type, we strongly recommend that 
+you still use the `logfile` output as the official record of events. If the 
+target index is unavailable (for example, during a rolling upgrade), the `index` 
+output can lose messages.