Open
Description
This is a placeholder ticket until we gather more information. A user reports that with the following configuration:
```
PUT _cluster/settings
{
  "transient": {
    "xpack.security.audit.logfile.events.emit_request_body": "true",
    "xpack.security.audit.logfile.events.exclude": [ "system_access_granted" ]
  }
}
```
They still get audit logs like:
```json
{
  "type": "audit",
  "timestamp": "2025-02-10T14:34:27,830+0000",
  "cluster.uuid": "<cluster_uuid>",
  "node.id": "<node_id>",
  "event.type": "transport",
  "event.action": "access_granted",
  "authentication.type": "INTERNAL",
  "user.name": "_system",
  "user.realm": "__attach",
  "user.roles": [
    "_system"
  ],
  "origin.type": "local_node",
  "origin.address": "<ip_address>:19929",
  "request.id": "<request_id>",
  "action": "indices:admin/seq_no/retention_lease_background_sync[p]",
  "request.name": "Request",
  "indices": [
    "partial-restored-.ds-logs-aws.default-2023.12.03-000548"
  ]
}
```