[libbeat] RFC 3164 process ID parsing issues

[taylor-swanson]

If an RFC 3164 syslog event includes square brackets in the message portion of the event, the process ID will be set to everything from the first square bracket, just before the process ID, and everything to the last square bracket in the message.

For example:

<114>Apr 12 13:30:01 aaaaaa001.adm.domain aaaaaa001[25259]: my.some.domain 10.11.12.13 - USERNAME [12/Apr/2024:13:29:59.993 +0200] /skodas "GET /skodas/group/pod-documentation/aaa HTTP/1.1" 301 301 290bytes 1 10327
                                                   ^ - From here to -------------------------------------------------------here -^

Resulting process ID:

25259]: my.some.domain 10.11.12.13 - USERNAME [12/Apr/2024:13:29:59.993 +0200

This is caused by the pattern for the process ID being too relaxed, allowing all printable characters (including closing square brackets). While the parser ensures the value of the process ID must be contained between a pair of square brackets, it does not care how many square brackets are in between. The solution is to lock down the pattern to a more acceptable range of characters. Since this is a process ID, digits would be the best option.

[elasticmachine]

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)