Revert "Convert Filebeat system.auth to ECS (#9138)"

This reverts commit ab67b31.

CHANGELOG.asciidoc

@@ -131,7 +131,6 @@ https://github.com/elastic/beats/compare/v6.5.0...v7.0.0-alpha1[View commits]
 - IIS module's user agent string is no longer encoded (`+` replaced with spaces). {pull}9084[9084]
 - Rename many `haproxy.*` fields to map to ECS. {pull}9117[9117]
 - Rename many `nginx.access.*` fields to map to ECS. {pull}9081[9081]
-- Rename many `system.auth.*` fields to map to ECS. {pull}9138[9138]
 
 *Metricbeat*
 

dev-tools/ecs-migration.yml

@@ -105,56 +105,6 @@
   alias: true
   copy_to: false
 
-- from: system.auth.hostname
-  to: host.hostname
-  alias: true
-  copy_to: false
-
-- from: system.auth.pid
-  to: process.pid
-  alias: true
-  copy_to: false
-
-- from: system.auth.groupadd.gid
-  to: group.id
-  alias: true
-  copy_to: false
-
-- from: system.auth.useradd.uid
-  to: user.id
-  alias: true
-  copy_to: false
-
-- from: system.auth.useradd.user
-  to: user.name
-  alias: true
-  copy_to: false
-
-- from: system.auth.ssh.event
-  to: event.action
-  alias: true
-  copy_to: false
-
-- from: system.auth.program
-  to: process.name
-  alias: true
-  copy_to: false
-
-- from: system.auth.ssh.ip
-  to: source.ip
-  alias: true
-  copy_to: false
-
-- from: system.auth.ssh.port
-  to: source.port
-  alias: true
-  copy_to: false
-
-- from: system.auth.ssh.geoip.*
-  to: source.geo.*
-  alias: true
-  copy_to: false
-
 # From Auditbeat's auditd module.
 - from: source.hostname
   to: source.domain

filebeat/docs/fields.asciidoc

@@ -5850,30 +5850,6 @@ Module for parsing system log files.
 --
 type: keyword
 
---
-
-*`group.id`*::
-+
---
-type: keyword
-
-required: False
-
-ID of the group.
-
-
---
-
-*`group.name`*::
-+
---
-type: keyword
-
-required: False
-
-Name of the group.
-
-
 --
 
 [float]
@@ -5890,48 +5866,72 @@ Fields from the Linux authorization logs.
 
 
 
-*`@timestamp`*::
+*`system.auth.timestamp`*::
 +
 --
-type: alias
+The timestamp as read from the auth message.
+
 
 --
 
-*`host.hostname`*::
+*`system.auth.hostname`*::
 +
 --
-type: alias
+The hostname as read from the auth message.
+
 
 --
 
-*`process.name`*::
+*`system.auth.program`*::
 +
 --
-type: alias
+The process name as read from the auth message.
+
 
 --
 
-*`process.pid`*::
+*`system.auth.pid`*::
 +
 --
-type: alias
+type: long
+
+The PID of the process that sent the auth message.
+
 
 --
 
-*`message`*::
+*`system.auth.message`*::
 +
 --
-type: alias
+type: text
+
+The message in the log line.
+
 
 --
 
-*`user.name`*::
+*`system.auth.user`*::
 +
 --
-type: alias
+The Unix user that this event refers to.
+
 
 --
 
+[float]
+== ssh fields
+
+Fields specific to SSH login events.
+
+
+
+*`system.auth.ssh.event`*::
++
+--
+The SSH login event. Can be one of "Accepted", "Failed", or "Invalid". "Accepted" means a successful login. "Invalid" means that the user is not configured on the system. "Failed" means that the SSH login attempt has failed.
+
+
+--
 
 *`system.auth.ssh.method`*::
 +
@@ -5941,10 +5941,12 @@ The SSH authentication method. Can be one of "password" or "publickey".
 
 --
 
-*`system.auth.ssh.signature`*::
+*`system.auth.ssh.ip`*::
 +
 --
-The signature of the client public key.
+type: ip
+
+The client IP from where the login attempt was made.
 
 
 --
@@ -5959,67 +5961,88 @@ The client IP from SSH connections that are open and immediately dropped.
 
 --
 
-*`event.action`*::
+*`system.auth.ssh.port`*::
 +
 --
-type: alias
+type: long
 
---
+The client port from where the login attempt was made.
 
-*`source.ip`*::
-+
---
-type: alias
 
 --
 
-*`source.port`*::
+*`system.auth.ssh.signature`*::
 +
 --
-type: alias
+The signature of the client public key.
+
 
 --
 
+[float]
+== geoip fields
 
-*`source.geo.continent_name`*::
+Contains GeoIP information gathered based on the `system.auth.ip` field. Only present if the GeoIP Elasticsearch plugin is available and used.
+
+
+
+*`system.auth.ssh.geoip.continent_name`*::
 +
 --
-type: alias
+type: keyword
+
+The name of the continent.
+
 
 --
 
-*`source.geo.country_iso_code`*::
+*`system.auth.ssh.geoip.city_name`*::
 +
 --
-type: alias
+type: keyword
+
+The name of the city.
+
 
 --
 
-*`source.geo.location`*::
+*`system.auth.ssh.geoip.region_name`*::
 +
 --
-type: alias
+type: keyword
+
+The name of the region.
+
 
 --
 
-*`source.geo.region_name`*::
+*`system.auth.ssh.geoip.country_iso_code`*::
 +
 --
-type: alias
+type: keyword
+
+Country ISO code.
+
 
 --
 
-*`source.geo.city_name`*::
+*`system.auth.ssh.geoip.location`*::
 +
 --
-type: alias
+type: geo_point
+
+The longitude and latitude.
+
 
 --
 
-*`source.geo.region_iso_code`*::
+*`system.auth.ssh.geoip.region_iso_code`*::
 +
 --
-type: alias
+type: keyword
+
+Region ISO code.
+
 
 --
 
@@ -6081,38 +6104,43 @@ Fields specific to events created by the `useradd` command.
 
 
 
-*`system.auth.useradd.home`*::
+*`system.auth.useradd.name`*::
 +
 --
-The home folder for the new user.
+The user name being added.
+
 
 --
 
-*`system.auth.useradd.shell`*::
+*`system.auth.useradd.uid`*::
 +
 --
-The default shell for the new user.
+type: long
+
+The user ID.
 
 --
 
-*`user.name`*::
+*`system.auth.useradd.gid`*::
 +
 --
-type: alias
+type: long
+
+The group ID.
 
 --
 
-*`user.id`*::
+*`system.auth.useradd.home`*::
 +
 --
-type: alias
+The home folder for the new user.
 
 --
 
-*`group.id`*::
+*`system.auth.useradd.shell`*::
 +
 --
-type: alias
+The default shell for the new user.
 
 --
 
@@ -6123,17 +6151,21 @@ Fields specific to events created by the `groupadd` command.
 
 
 
-*`group.name`*::
+*`system.auth.groupadd.name`*::
 +
 --
-type: alias
+The name of the new group.
+
 
 --
 
-*`group.id`*::
+*`system.auth.groupadd.gid`*::
 +
 --
-type: alias
+type: long
+
+The ID of the new group.
+
 
 --