Convert the Filebeat auditd module to ECS (#10192)

This implementation is based on a discussion that happened in issue #10111, and implements Christoph's proposal on how to represent privilege escalation. He also implemented it for the Auditbeat Auditd module.

Note that very few of the migrated fields used to be documented.

- Define these new fields only for Filebeat. They're not in ECS, but may eventually get in there, as nestings of the `user` field set:
  - user.terminal
  - user.audit.group.id
  - user.audit.id
  - user.effective.group.id
  - user.effective.id
  - user.filesystem.group.id
  - user.filesystem.id
  - user.owner.group.id
  - user.owner.id
  - user.saved.group.id
  - user.saved.id
- Migrate the following fields to ECS, and alias the old fields to the new one
  - auditd.log.acct => user.name
  - auditd.log.agid => user.audit.group.id
  - auditd.log.arch => host.architecture
  - auditd.log.auid => user.audit.id
  - auditd.log.cmd => process.args (went from cmdline to args array, so no alias)
  - auditd.log.comm => process.name
  - auditd.log.dst => destination.address
  - auditd.log.egid => user.effective.group.id
  - auditd.log.euid => user.effective.id
  - auditd.log.exe => process.executable
  - auditd.log.fsgid => user.filesystem.group.id
  - auditd.log.fsuid => user.filesystem.id
  - auditd.log.geoip => source.geo.*
  - auditd.log.gid => user.group.id
  - auditd.log.msg => message
  - auditd.log.ogid => user.owner.group.id
  - auditd.log.ouid => user.owner.id
  - auditd.log.pid => process.pid (long)
  - auditd.log.ppid => process.ppid (long)
  - auditd.log.record_type => event.action (lowercased)
  - auditd.log.res => event.outcome
  - auditd.log.rport => source.port
  - auditd.log.sgid => user.saved.group.id
  - auditd.log.src => source.address
  - auditd.log.suid => user.saved.id
  - auditd.log.terminal => user.terminal
  - auditd.log.tty => user.terminal
  - auditd.log.uid => user.id
- Auditd custom fields not migrated, but that are now explicitly documented in the index template:
  - auditd.log.addr
  - auditd.log.laddr
  - auditd.log.lport
  - auditd.log.tty
  - auditd.log.rport
- Add more log samples & expected to the integration tests

CHANGELOG.next.asciidoc

@@ -46,6 +46,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Rename a few `mongodb.*` fields to map to ECS. {pull}10009[10009]
 - Rename a few `mysql.*` fields to map to ECS. {pull}10008[10008]
 - Rename a few `nginx.error.*` fields to map to ECS. {pull}10007[10007]
+- Rename many `auditd.log.*` fields to map to ECS. {pull}10192[10192]
 - Filesets with multiple ingest pipelines added in {pull}8914[8914] only work with Elasticsearch >= 6.5.0 {pull}10001[10001]
 - Remove service.name from Elastcsearch module. Replace by service.type. {pull}10042[10042]
 - Remove numeric coercions for `user.id` and `group.id`. IDs should be `keyword`. {pull}10233[10233]
@@ -180,6 +181,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add alias field support in Kibana index pattern. {pull}10075[10075]
 - Add `add_fields` processor. {pull}10119[10119]
 - Add Kibana field formatter to bytes fields. {pull}10184[10184]
+- Document a few more `auditd.log.*` fields. {pull}10192[10192]
 
 *Auditbeat*
 

dev-tools/ecs-migration.yml

@@ -129,6 +129,159 @@
 
 # Filebeat modules
 
+# Auditd module
+
+- from: auditd.log.acct
+  to: user.name
+  alias: true
+  beat: filebeat
+
+- from: auditd.log.pid
+  to: process.pid
+  alias: true
+  beat: filebeat
+
+- from: auditd.log.ppid
+  to: process.ppid
+  alias: true
+  beat: filebeat
+
+- from: auditd.log.res
+  to: event.outcome
+  alias: true
+  beat: filebeat
+
+- from: auditd.log.record_type
+  to: event.action
+  alias: true
+  beat: filebeat
+
+- from: auditd.log.arch
+  to: host.architecture
+  alias: true
+  beat: filebeat
+
+- from: auditd.log.gid
+  to: user.group.id
+  alias: true
+  beat: filebeat
+
+- from: auditd.log.uid
+  to: user.id
+  alias: true
+  beat: filebeat
+
+- from: auditd.log.agid
+  to: user.audit.group.id
+  alias: true
+  beat: filebeat
+
+- from: auditd.log.auid
+  to: user.audit.id
+  alias: true
+  beat: filebeat
+
+- from: auditd.log.fsgid
+  to: user.filesystem.group.id
+  alias: true
+  beat: filebeat
+
+- from: auditd.log.egid
+  to: user.effective.group.id
+  alias: true
+  beat: filebeat
+
+- from: auditd.log.euid
+  to: user.effective.id
+  alias: true
+  beat: filebeat
+
+- from: auditd.log.sgid
+  to: user.saved.group.id
+  alias: true
+  beat: filebeat
+
+- from: auditd.log.suid
+  to: user.saved.id
+  alias: true
+  beat: filebeat
+
+- from: auditd.log.ogid
+  to: user.owner.group.id
+  alias: true
+  beat: filebeat
+
+- from: auditd.log.ouid
+  to: user.owner.id
+  alias: true
+  beat: filebeat
+
+- from: auditd.log.terminal
+  to: user.terminal
+  alias: true
+  beat: filebeat
+
+- from: auditd.log.comm
+  to: process.name
+  alias: true
+  beat: filebeat
+
+- from: auditd.log.cmd
+  to: process.args
+  alias: false
+  beat: filebeat
+  comment: Was a cmdline string, whereas args is an array of keywords.
+
+- from: auditd.log.exe
+  to: process.executable
+  alias: true
+  beat: filebeat
+
+- from: auditd.log.msg
+  to: message
+  alias: true
+  beat: filebeat
+
+- from: auditd.log.src
+  to: source.address
+  alias: true
+  beat: filebeat
+
+- from: auditd.log.dst
+  to: destination.address
+  alias: true
+  beat: filebeat
+
+- from: auditd.log.geoip.continent_name
+  to: source.geo.continent_name
+  alias: true
+  beat: filebeat
+
+- from: auditd.log.geoip.country_iso_code
+  to: source.geo.country_iso_code
+  alias: true
+  beat: filebeat
+
+- from: auditd.log.geoip.location
+  to: source.geo.location
+  alias: true
+  beat: filebeat
+
+- from: auditd.log.geoip.region_name
+  to: source.geo.region_name
+  alias: true
+  beat: filebeat
+
+- from: auditd.log.geoip.city_name
+  to: source.geo.city_name
+  alias: true
+  beat: filebeat
+
+- from: auditd.log.geoip.region_iso_code
+  to: source.geo.region_iso_code
+  alias: true
+  beat: filebeat
+
 # Suricata module
 
 - from: source_ecs.ip