filebeat/module/auditd: teach kv about quoted spaces

[efd6]

What does this PR do?

This allows parsing auditd messages that inclued quoted spaces

Why is it important?

Currently these messages cannot be processed.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works — incomplete see note
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

• Note that running TESTING_FILEBEAT_MODULES=auditd MODULES_PATH=module GENERATE=1 mage -v pythonIntegTest did not generate the expected case for the added test, and yet the test still passed locally. This needs to be fixed before this PR is merged. Take a look at the integrations partner for this change that does have a complete test, auditd: teach kv about quoted spaces integrations#4858.

How to test this PR locally

Related issues

• Fixes Filebeat auditd ingest pipeline fails at kv processor when field value contains whitespaces #22587

Use cases

Screenshots

Logs

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[sonarqubecloud]

Please retry analysis of this Pull-Request directly on SonarCloud.

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-01-18T00:12:18.186+0000

• Duration: 71 min 24 sec

Test stats 🧪

Test	Results
Failed	0
Passed	7204
Skipped	742
Total	7946

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b 22587-auditd upstream/22587-auditd
git merge upstream/main
git push upstream 22587-auditd

[kcreddy]

LGTM 👍🏼
Yeah the test needs to be fixed and conflict resolved before merging.

[andrewkroh]

Only the first 100 events are verified and output to the golden file if I understand test_modules.py correctly. So if you want this to show up in a golden file then I recommend to move it to its own file.