[Filebeat][auditd] Fix event types and categories to comply with ECS

[marc-gr]

What does this PR do?

Sets correct event.category and event.type fields where incorrect event.type fields were set.

Why is it important?

The auditd module was using several event.type values that are not in ECS.

https://www.elastic.co/guide/en/ecs/current/ecs-allowed-values-event-type.html

Checklist

- [ ] My code follows the style guidelines of this project
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [ ] I have made corresponding change to the default configuration files

• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

Closes #20411

[elasticmachine]

💔 Tests Failed

Expand to view the summary

Build stats

• Build Cause: [Pull request #20652 updated]

• Start Time: 2020-08-26T08:05:17.514+0000

• Duration: 52 min 26 sec

Test stats 🧪

Test	Results
Failed	1
Passed	5564
Skipped	822
Total	6387

Test errors

Expand to view the tests failures

• Name: Build and Test / Filebeat oss / test_default_settings – filebeat.tests.system.test_autodiscover.TestAutodiscover

  • Age: 10
  • Duration: 90.003
  • Error Details: Failed: Timeout >90.0s

Steps errors

Expand to view the steps failures

• Name: Mage build test

  • Description: mage build test

  • Duration: 26 min 34 sec

  • Start Time: 2020-08-26T08:30:24.110+0000

  • log

Log output

Expand to view the last 100 lines of log output

[2020-08-26T08:56:20.825Z]  Built:             Mon Jun 22 15:45:36 2020
[2020-08-26T08:56:20.825Z]  OS/Arch:           linux/amd64
[2020-08-26T08:56:20.825Z]  Experimental:      false
[2020-08-26T08:56:20.825Z] 
[2020-08-26T08:56:20.825Z] Server: Docker Engine - Community
[2020-08-26T08:56:20.825Z]  Engine:
[2020-08-26T08:56:20.825Z]   Version:          19.03.12
[2020-08-26T08:56:20.825Z]   API version:      1.40 (minimum version 1.12)
[2020-08-26T08:56:20.825Z]   Go version:       go1.13.10
[2020-08-26T08:56:20.825Z]   Git commit:       48a66213fe
[2020-08-26T08:56:20.825Z]   Built:            Mon Jun 22 15:44:07 2020
[2020-08-26T08:56:20.825Z]   OS/Arch:          linux/amd64
[2020-08-26T08:56:20.825Z]   Experimental:     false
[2020-08-26T08:56:20.825Z]  containerd:
[2020-08-26T08:56:20.825Z]   Version:          1.2.13
[2020-08-26T08:56:20.825Z]   GitCommit:        7ad184331fa3e55e52b890ea95e65ba581ae3429
[2020-08-26T08:56:20.825Z]  runc:
[2020-08-26T08:56:20.825Z]   Version:          1.0.0-rc10
[2020-08-26T08:56:20.825Z]   GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
[2020-08-26T08:56:20.825Z]  docker-init:
[2020-08-26T08:56:20.825Z]   Version:          0.18.0
[2020-08-26T08:56:20.825Z]   GitCommit:        fec3683
[2020-08-26T08:56:20.825Z] Unable to find image 'alpine:3.4' locally
[2020-08-26T08:56:21.401Z] 3.4: Pulling from library/alpine
[2020-08-26T08:56:21.402Z] c1e54eec4b57: Pulling fs layer
[2020-08-26T08:56:21.976Z] c1e54eec4b57: Verifying Checksum
[2020-08-26T08:56:21.977Z] c1e54eec4b57: Download complete
[2020-08-26T08:56:21.977Z] c1e54eec4b57: Pull complete
[2020-08-26T08:56:21.977Z] Digest: sha256:b733d4a32c4da6a00a84df2ca32791bb03df95400243648d8c539e7b4cce329c
[2020-08-26T08:56:21.977Z] Status: Downloaded newer image for alpine:3.4
[2020-08-26T08:56:24.195Z] + python .ci/scripts/pre_archive_test.py
[2020-08-26T08:56:25.590Z] Copy ./x-pack/filebeat/build into build/x-pack/filebeat/build
[2020-08-26T08:56:25.602Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20652/src/github.com/elastic/beats/build
[2020-08-26T08:56:25.626Z] Recording test results
[2020-08-26T08:56:27.376Z] Stashed 4 file(s)
[2020-08-26T08:56:27.387Z] Archiving artifacts
[2020-08-26T08:56:28.127Z] + python .ci/scripts/search_system_tests.py
[2020-08-26T08:56:28.145Z] [INFO] system-tests='build/x-pack/filebeat/build/system-tests'. If no empty then let's create a tarball
[2020-08-26T08:56:28.489Z] + tar --version
[2020-08-26T08:56:28.828Z] + tar --exclude=x-pack-filebeat--system-tests-linux.tgz -czf x-pack-filebeat--system-tests-linux.tgz build/x-pack/filebeat/build/system-tests
[2020-08-26T08:56:43.795Z] Archiving artifacts
[2020-08-26T08:57:01.339Z] [INFO] unstashV2: JOB_GCS_BUCKET is set. bucket param got precedency instead.
[2020-08-26T08:57:01.360Z] [INFO] unstashV2: JOB_GCS_CREDENTIALS is set. credentialsId param got precedency instead.
[2020-08-26T08:57:01.425Z] [Google Cloud Storage Plugin] Found 1 files to download from pattern: gs://beats-ci-temp/Beats/beats/PR-20652-9/source/source.tgz
[2020-08-26T08:57:01.452Z] [Google Cloud Storage Plugin] Downloading: Beats/beats/PR-20652-9/source/source.tgz to local path: /var/lib/jenkins/workspace/Beats_beats_PR-20652/source.tgz
[2020-08-26T08:57:10.265Z] + tar --version
[2020-08-26T08:57:10.565Z] + tar -xpf source.tgz
[2020-08-26T08:57:20.887Z] + rm source.tgz
[2020-08-26T08:57:20.900Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20652/src/github.com/elastic/beats
[2020-08-26T08:57:20.921Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20652/src/github.com/elastic/beats/Lint
[2020-08-26T08:57:21.024Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20652/src/github.com/elastic/beats/Filebeat-x-pack-Mac-OS-X
[2020-08-26T08:57:21.102Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20652/src/github.com/elastic/beats/Filebeat-Mac-OS-X
[2020-08-26T08:57:21.183Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20652/src/github.com/elastic/beats/Filebeat-x-pack-Windows
[2020-08-26T08:57:21.261Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20652/src/github.com/elastic/beats/Filebeat-Windows
[2020-08-26T08:57:21.339Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20652/src/github.com/elastic/beats/Filebeat-oss
[2020-08-26T08:57:21.419Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-20652/src/github.com/elastic/beats/Filebeat-x-pack
[2020-08-26T08:57:21.820Z] + cat
[2020-08-26T08:57:21.820Z] + /usr/local/bin/runbld ./runbld-script --job-name elastic+beats+pull-request
[2020-08-26T08:57:21.820Z] Picked up JAVA_TOOL_OPTIONS: -Dfile.encoding=UTF8
[2020-08-26T08:57:28.430Z] runbld>>> runbld started
[2020-08-26T08:57:28.430Z] runbld>>> 1.6.12/f45d832f2ba0aa2722ab4ec1fda8ad140f027f8b
[2020-08-26T08:57:29.820Z] runbld>>> The following profiles matched the job 'elastic+beats+pull-request' in order of occurrence in the config (last value wins).
[2020-08-26T08:57:30.082Z] runbld>>> Matches in the system config:
[2020-08-26T08:57:30.082Z] runbld>>> - Matched ^elastic\+beats
[2020-08-26T08:57:30.082Z] runbld>>> - Matched ^elastic\+beats\+pull-request
[2020-08-26T08:57:31.469Z] runbld>>> Debug logging enabled.
[2020-08-26T08:57:31.469Z] runbld>>> Storing result
[2020-08-26T08:57:31.469Z] runbld>>> Store result: created {:total 2, :successful 2, :failed 0} 1
[2020-08-26T08:57:31.469Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1597739501209/t/20200826085731-0348D770
[2020-08-26T08:57:31.469Z] runbld>>> Adding system facts.
[2020-08-26T08:57:32.413Z] runbld>>> Adding vcs info for the latest commit:  8bca15f6667b2c6302ff07bd59563663f5f36cee
[2020-08-26T08:57:32.413Z] runbld>>> >>>>>>>>>>>> SCRIPT EXECUTION BEGIN >>>>>>>>>>>>
[2020-08-26T08:57:32.413Z] runbld>>> Adding /usr/lib/jvm/java-8-openjdk-amd64/bin to the path.
[2020-08-26T08:57:32.413Z] Processing JUnit reports with runbld...
[2020-08-26T08:57:32.413Z] + echo 'Processing JUnit reports with runbld...'
[2020-08-26T08:57:32.985Z] runbld>>> <<<<<<<<<<<< SCRIPT EXECUTION END <<<<<<<<<<<<
[2020-08-26T08:57:32.985Z] runbld>>> DURATION: 28ms
[2020-08-26T08:57:32.985Z] runbld>>> STDOUT: 40 bytes
[2020-08-26T08:57:32.985Z] runbld>>> STDERR: 49 bytes
[2020-08-26T08:57:32.985Z] runbld>>> WRAPPED PROCESS: SUCCESS (0)
[2020-08-26T08:57:32.985Z] runbld>>> Searching for build metadata in /var/lib/jenkins/workspace/Beats_beats_PR-20652
[2020-08-26T08:57:33.558Z] runbld>>> Storing build metadata: 
[2020-08-26T08:57:33.558Z] runbld>>> Adding test report.
[2020-08-26T08:57:33.558Z] runbld>>> Searching for junit test output files with the pattern: TEST-.*\.xml$ in: /var/lib/jenkins/workspace/Beats_beats_PR-20652/src/github.com/elastic/beats
[2020-08-26T08:57:34.501Z] runbld>>> Found 16 test output files
[2020-08-26T08:57:35.890Z] runbld>>> Test output logs contained: Errors: 0 Failures: 1 Tests: 6387 Skipped: 796
[2020-08-26T08:57:36.151Z] runbld>>> Storing result
[2020-08-26T08:57:36.151Z] runbld>>> FAILURES: 1
[2020-08-26T08:57:36.413Z] runbld>>> Store result: updated {:total 2, :successful 2, :failed 0} 2
[2020-08-26T08:57:36.413Z] runbld>>> BUILD: https://c150076387b5421f9154dfbf536e5c60.us-west1.gcp.cloud.es.io:9243/build-1597739501209/t/20200826085731-0348D770
[2020-08-26T08:57:36.674Z] runbld>>> Email notification disabled by environment variable.
[2020-08-26T08:57:36.674Z] runbld>>> Slack notification disabled by environment variable.
[2020-08-26T08:57:42.640Z] Running on Jenkins in /var/lib/jenkins/workspace/Beats_beats_PR-20652
[2020-08-26T08:57:42.868Z] [INFO] getVaultSecret: Getting secrets
[2020-08-26T08:57:42.925Z] Masking supported pattern matches of $VAULT_ADDR or $VAULT_ROLE_ID or $VAULT_SECRET_ID
[2020-08-26T08:57:43.709Z] + chmod 755 generate-build-data.sh
[2020-08-26T08:57:43.709Z] + ./generate-build-data.sh https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-20652/ https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-20652/runs/9 FAILURE 3145933
[2020-08-26T08:57:43.709Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-20652/runs/9/steps/?limit=10000 -o steps-info.json
[2020-08-26T08:57:44.260Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-20652/runs/9/tests/?status=FAILED -o tests-errors.json
[2020-08-26T08:57:44.810Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-20652/runs/9/log/ -o pipeline-log.txt

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[leehinman]

LGTM