@sscarduzio for audit log rotation, I can think of 2 approaches.
The first one is where you give the frequency setting option upfront - which decides the frequency of index creation - daily, weekly, monthly, quarterly - and a second setting that controls when to clean up the indexes.
The second option is to continue with creating daily indexes, but give the option to delete them after n days (I would suggest a default of 15 days) and also give the option to consolidate the indexes into weekly, monthly, quarterly. For people who are using ES purely for log analytics, storing historical security audit logs might not be a big requirement. So they might want regular clean up. But for those who are using ES for storing/searching some sensitive data, historical audit logs will still be a need. So instead of continuing with just daily indexes, it's better to consolidate the indexes as part of the clean up process, which means whenever you delete the index, you also copy the data into one of the consolidated indexes.
I will look at updating the documentation in the coming week or two.
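
The second option in the comment above (daily indexes, delete after n days, copy into a consolidated index as part of the clean up), as an added example that is not part of the original comment or the project's code. The `audit-YYYY-MM-DD` naming and the consolidated index names are assumptions; the planned requests use Elasticsearch's `_reindex` and delete-index APIs.

```python
from datetime import date, datetime, timedelta

PREFIX = "audit-"  # assumed daily index prefix, not taken from the comment

def consolidated_name(day, granularity):
    """Name of the weekly/monthly/quarterly index that a given day rolls into."""
    if granularity == "weekly":
        # ISO year can differ from the calendar year around New Year.
        iso_year, iso_week, _ = day.isocalendar()
        return f"{PREFIX}{iso_year}-w{iso_week:02d}"
    if granularity == "monthly":
        return f"{PREFIX}{day.year}-m{day.month:02d}"
    if granularity == "quarterly":
        return f"{PREFIX}{day.year}-q{(day.month - 1) // 3 + 1}"
    raise ValueError(f"unknown granularity: {granularity}")

def plan_cleanup(indexes, today, keep_days=15, granularity="monthly"):
    """Return ordered (method, path, body) requests: copy first, then delete.

    Whatever executes the plan must confirm that the _reindex response has an
    empty "failures" list before sending the matching DELETE, otherwise audit
    records are lost.
    """
    cutoff = today - timedelta(days=keep_days)
    plan = []
    for name in sorted(indexes):
        if not name.startswith(PREFIX):
            continue  # not an audit index, never touched
        try:
            day = datetime.strptime(name[len(PREFIX):], "%Y-%m-%d").date()
        except ValueError:
            continue  # not a daily index (e.g. already consolidated)
        if day >= cutoff:
            continue  # still inside the retention window
        dest = consolidated_name(day, granularity)
        plan.append(("POST", "/_reindex",
                     {"source": {"index": name}, "dest": {"index": dest}}))
        plan.append(("DELETE", f"/{name}", None))
    return plan

if __name__ == "__main__":
    # Constructed sample index list.
    sample = ["audit-2018-02-27", "audit-2018-03-04", "audit-2018-03-19",
              "audit-2018-m01", "other-2018-01-01"]
    for request in plan_cleanup(sample, today=date(2018, 3, 20)):
        print(request)
```
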