[7.15](backport #27638) Filebeat auditd: Fix Top Exec Commands dashboard visualization #27645

Closed

mergify[bot]
Contributor

@mergify mergify bot commented Aug 30, 2021

This is an automatic backport of pull request #27638 done by Mergify.
Cherry-pick of 02315d9 has failed:

On branch mergify/bp/7.15/pr-27638
Your branch is up to date with 'origin/7.15'.

You are currently cherry-picking commit 02315d973c.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	modified:   CHANGELOG.next.asciidoc

Unmerged paths:
  (use "git add/rm <file>..." as appropriate to mark resolution)
	deleted by us:   filebeat/module/auditd/_meta/kibana/7/visualization/5ebdbe50-0a0f-11e7-825f-6748cda7d858-ecs.json

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/github/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally


This visualization was expecting an uppercase EXECVE value in
event.action while the ingest pipeline was lowercasing this value.

(cherry picked from commit 02315d9)

# Conflicts:
#	filebeat/module/auditd/_meta/kibana/7/visualization/5ebdbe50-0a0f-11e7-825f-6748cda7d858-ecs.json
@mergify mergify bot added the backport and conflicts (There is a conflict in the backported pull request) labels Aug 30, 2021
@botelastic botelastic bot added the needs_team (Indicates that the issue/PR needs a Team:* label) label Aug 30, 2021
@botelastic

botelastic bot commented Aug 30, 2021

This pull request doesn't have a Team:<team> label.

@adriansr
Contributor

This backport doesn't merge cleanly due to file renames, better to backport a custom PR

@adriansr adriansr closed this Aug 30, 2021
@mergify mergify bot deleted the mergify/bp/7.15/pr-27638 branch August 30, 2021 14:03
@elasticmachine
Collaborator

💔 Tests Failed


Build stats

  • Start Time: 2021-08-30T13:50:57.515+0000

  • Duration: 57 min 12 sec

  • Commit: 51224bb

Test stats 🧪

Test Results
Failed 1
Passed 5883
Skipped 662
Total 6546

Test errors 1


Build&Test / filebeat-goIntegTest / TestFilestreamTruncateBlockedOutput – github.com/elastic/beats/v7/filebeat/input/filestream

     Failed 
    


     === RUN   TestFilestreamTruncateBlockedOutput
        environment_test.go:185: error when getting expected key 'filestream::.global::native::9305043-109' from store: failed in store/get operation on store 'filebeat': expected object
    --- FAIL: TestFilestreamTruncateBlockedOutput (0.01s)
     
    

Steps errors 5


filebeat-goIntegTest - mage goIntegTest
  • Took 5 min 33 sec
  • Description: mage goIntegTest
filebeat-goIntegTest - mage goIntegTest
  • Took 2 min 40 sec
  • Description: mage goIntegTest
filebeat-goIntegTest - mage goIntegTest
  • Took 2 min 42 sec
  • Description: mage goIntegTest
List files to upload
  • Took 0 min 0 sec
  • Description: ls -l src/github.com/elastic/beats/build/system-tests-*.tar.gz
Error signal
  • Took 0 min 0 sec
  • Description: Error 'hudson.AbortException: script returned exit code 1'

Log output

Expand to view the last 100 lines of log output

[2021-08-30T14:26:10.280Z] + gsutil --version
[2021-08-30T14:26:12.262Z] Masking supported pattern matches of $FILE_CREDENTIAL
[2021-08-30T14:26:12.671Z] + gcloud auth activate-service-account --key-file ****
[2021-08-30T14:26:13.247Z] Activated service account credentials for: [[email protected]]
[2021-08-30T14:26:13.973Z] + gsutil -m -q cp ZmlsZWJlYXQtcHl0aG9uSW50ZWdUZXN0NTEyMjRiYmQwNGM2ZjFmNzQyMzg1MjllNzU2NTRiMjlhMDMyYmMwNw gs://beats-ci-temp/ci/cache/
[2021-08-30T14:29:51.707Z] ........................................................................ [ 47%]
[2021-08-30T14:36:17.979Z] ........................................................................ [ 64%]
[2021-08-30T14:41:29.236Z] ........................................................................ [ 81%]
[2021-08-30T14:46:38.266Z] ........................................................................ [ 97%]
[2021-08-30T14:47:30.318Z] .........                                                                [100%]
[2021-08-30T14:47:30.318Z] 
[2021-08-30T14:47:30.318Z] =============================== warnings summary ===============================
[2021-08-30T14:47:30.318Z] x-pack/filebeat/tests/system/test_xpack_modules.py: 406 warnings
[2021-08-30T14:47:30.318Z]   /go/src/github.com/elastic/beats/build/ve/docker/lib/python3.7/site-packages/elasticsearch/connection/base.py:177: ElasticsearchDeprecationWarning: [script.max_compilations_rate] setting was deprecated in Elasticsearch and will be removed in a future release! See the breaking changes documentation for the next major version.
[2021-08-30T14:47:30.318Z]     warnings.warn(message, category=ElasticsearchDeprecationWarning)
[2021-08-30T14:47:30.318Z] 
[2021-08-30T14:47:30.318Z] x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_000_rabbitmq
[2021-08-30T14:47:30.318Z]   /go/src/github.com/elastic/beats/build/ve/docker/lib/python3.7/site-packages/elasticsearch/connection/base.py:177: ElasticsearchDeprecationWarning: [script.cache.max_size] setting was deprecated in Elasticsearch and will be removed in a future release! See the breaking changes documentation for the next major version.
[2021-08-30T14:47:30.318Z]     warnings.warn(message, category=ElasticsearchDeprecationWarning)
[2021-08-30T14:47:30.318Z] 
[2021-08-30T14:47:30.318Z] -- Docs: https://docs.pytest.org/en/stable/warnings.html
[2021-08-30T14:47:30.318Z] - generated xml file: /go/src/github.com/elastic/beats/x-pack/filebeat/build/TEST-python-integration.xml -
[2021-08-30T14:47:30.318Z] ============================= slowest 20 durations =============================
[2021-08-30T14:47:30.318Z] 40.39s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_257_checkpoint
[2021-08-30T14:47:30.318Z] 25.63s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_000_rabbitmq
[2021-08-30T14:47:30.318Z] 17.27s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_356_o365
[2021-08-30T14:47:30.318Z] 16.12s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_188_snort
[2021-08-30T14:47:30.318Z] 15.07s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_350_o365
[2021-08-30T14:47:30.318Z] 13.79s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_024_threatintel
[2021-08-30T14:47:30.318Z] 10.94s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_404_ibmmq
[2021-08-30T14:47:30.318Z] 10.36s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_405_ibmmq
[2021-08-30T14:47:30.318Z] 10.19s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_023_threatintel
[2021-08-30T14:47:30.318Z] 10.15s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_215_panw
[2021-08-30T14:47:30.318Z] 9.94s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_217_panw
[2021-08-30T14:47:30.318Z] 9.87s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_402_zscaler
[2021-08-30T14:47:30.318Z] 9.83s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_212_panw
[2021-08-30T14:47:30.318Z] 9.83s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_175_cisco
[2021-08-30T14:47:30.318Z] 9.82s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_183_cisco
[2021-08-30T14:47:30.318Z] 9.78s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_216_panw
[2021-08-30T14:47:30.318Z] 9.36s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_159_cisco
[2021-08-30T14:47:30.318Z] 9.35s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_263_gcp
[2021-08-30T14:47:30.318Z] 9.16s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_030_threatintel
[2021-08-30T14:47:30.318Z] 9.14s call     x-pack/filebeat/tests/system/test_xpack_modules.py::XPackTest::test_fileset_file_248_juniper
[2021-08-30T14:47:30.318Z] ================ 430 passed, 407 warnings in 1871.80s (0:31:11) ================
[2021-08-30T14:47:30.318Z] >> python test: Integration Testing Complete
[2021-08-30T14:47:33.178Z] Timeout set to expire in 5 min 0 sec
[2021-08-30T14:47:33.523Z] Cleaning up /var/lib/jenkins/workspace/PR-27645-1-38d0e2bf-35fb-4572-bf1a-3052076f1831
[2021-08-30T14:47:33.524Z] Change ownership of all files inside the specific folder from root/root to current user/group
[2021-08-30T14:47:33.524Z] ++ id -u
[2021-08-30T14:47:33.524Z] ++ id -g
[2021-08-30T14:47:33.524Z] + docker run -v /var/lib/jenkins/workspace/PR-27645-1-38d0e2bf-35fb-4572-bf1a-3052076f1831:/beat alpine:3.4 sh -c 'find /beat -user 0 -exec chown -h 1170:1171 {} \;'
[2021-08-30T14:47:33.524Z] Unable to find image 'alpine:3.4' locally
[2021-08-30T14:47:34.096Z] 3.4: Pulling from library/alpine
[2021-08-30T14:47:34.357Z] c1e54eec4b57: Pulling fs layer
[2021-08-30T14:47:34.618Z] c1e54eec4b57: Verifying Checksum
[2021-08-30T14:47:34.618Z] c1e54eec4b57: Download complete
[2021-08-30T14:47:34.880Z] c1e54eec4b57: Pull complete
[2021-08-30T14:47:34.880Z] Digest: sha256:b733d4a32c4da6a00a84df2ca32791bb03df95400243648d8c539e7b4cce329c
[2021-08-30T14:47:34.880Z] Status: Downloaded newer image for alpine:3.4
[2021-08-30T14:47:36.795Z] + set -e
[2021-08-30T14:47:36.795Z] + echo 'Change permissions with write access of all files inside the specific folder'
[2021-08-30T14:47:36.795Z] Change permissions with write access of all files inside the specific folder
[2021-08-30T14:47:36.795Z] + chmod -R +w /var/lib/jenkins/workspace/PR-27645-1-38d0e2bf-35fb-4572-bf1a-3052076f1831
[2021-08-30T14:47:37.467Z] Running in /var/lib/jenkins/workspace/PR-27645-1-38d0e2bf-35fb-4572-bf1a-3052076f1831/src/github.com/elastic/beats/build
[2021-08-30T14:47:37.802Z] + rm -rf ve
[2021-08-30T14:47:37.802Z] + find . -type d -name vendor -exec rm -r {} ;
[2021-08-30T14:47:38.194Z] + python .ci/scripts/pre_archive_test.py
[2021-08-30T14:47:40.742Z] Copy ./x-pack/filebeat/build into build/x-pack/filebeat/build
[2021-08-30T14:47:40.777Z] Running in /var/lib/jenkins/workspace/PR-27645-1-38d0e2bf-35fb-4572-bf1a-3052076f1831/src/github.com/elastic/beats/build
[2021-08-30T14:47:40.831Z] Recording test results
[2021-08-30T14:47:42.567Z] [Checks API] No suitable checks publisher found.
[2021-08-30T14:47:43.067Z] + go clean -modcache
[2021-08-30T14:47:46.442Z] Timeout set to expire in 5 min 0 sec
[2021-08-30T14:47:46.798Z] Cleaning up /var/lib/jenkins/workspace/PR-27645-1-38d0e2bf-35fb-4572-bf1a-3052076f1831
[2021-08-30T14:47:46.798Z] Change ownership of all files inside the specific folder from root/root to current user/group
[2021-08-30T14:47:46.798Z] ++ id -u
[2021-08-30T14:47:46.798Z] ++ id -g
[2021-08-30T14:47:46.798Z] + docker run -v /var/lib/jenkins/workspace/PR-27645-1-38d0e2bf-35fb-4572-bf1a-3052076f1831:/beat alpine:3.4 sh -c 'find /beat -user 0 -exec chown -h 1170:1171 {} \;'
[2021-08-30T14:47:56.809Z] + set -e
[2021-08-30T14:47:56.809Z] + echo 'Change permissions with write access of all files inside the specific folder'
[2021-08-30T14:47:56.809Z] Change permissions with write access of all files inside the specific folder
[2021-08-30T14:47:56.809Z] + chmod -R +w /var/lib/jenkins/workspace/PR-27645-1-38d0e2bf-35fb-4572-bf1a-3052076f1831
[2021-08-30T14:47:57.178Z] Running in /var/lib/jenkins/workspace/PR-27645-1-38d0e2bf-35fb-4572-bf1a-3052076f1831
[2021-08-30T14:48:01.990Z] + gsutil --version
[2021-08-30T14:48:03.434Z] Masking supported pattern matches of $FILE_CREDENTIAL
[2021-08-30T14:48:03.807Z] + gcloud auth activate-service-account --key-file ****
[2021-08-30T14:48:04.460Z] Activated service account credentials for: [[email protected]]
[2021-08-30T14:48:05.132Z] + gsutil -m -q cp eC1wYWNrL2ZpbGViZWF0LXB5dGhvbkludGVnVGVzdDUxMjI0YmJkMDRjNmYxZjc0MjM4NTI5ZTc1NjU0YjI5YTAzMmJjMDc gs://beats-ci-temp/ci/cache/
[2021-08-30T14:48:07.672Z] Stage "Extended" skipped due to earlier failure(s)
[2021-08-30T14:48:07.794Z] Stage "Packaging" skipped due to earlier failure(s)
[2021-08-30T14:48:07.923Z] Stage "Packaging-Pipeline" skipped due to earlier failure(s)
[2021-08-30T14:48:08.119Z] Running in /var/lib/jenkins/workspace/Beats_beats_PR-27645/src/github.com/elastic/beats
[2021-08-30T14:48:08.721Z] Running on Jenkins in /var/lib/jenkins/workspace/Beats_beats_PR-27645
[2021-08-30T14:48:08.858Z] [INFO] getVaultSecret: Getting secrets
[2021-08-30T14:48:08.934Z] Masking supported pattern matches of $VAULT_ADDR or $VAULT_ROLE_ID or $VAULT_SECRET_ID
[2021-08-30T14:48:10.146Z] + chmod 755 generate-build-data.sh
[2021-08-30T14:48:10.146Z] + ./generate-build-data.sh https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-27645/ https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-27645/runs/1 FAILURE 3432342
[2021-08-30T14:48:10.146Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-27645/runs/1/steps/?limit=10000 -o steps-info.json
[2021-08-30T14:48:12.008Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-27645/runs/1/tests/?status=FAILED -o tests-errors.json
[2021-08-30T14:48:12.008Z] INFO: curl https://beats-ci.elastic.co/blue/rest/organizations/jenkins/pipelines/Beats/beats/PR-27645/runs/1/log/ -o pipeline-log.txt

🐛 Flaky test report

❕ There are test failures but not known flaky tests.

Genuine test errors 1

💔 There are test failures but not known flaky tests, most likely a genuine test failure.

  • Name: Build&Test / filebeat-goIntegTest / TestFilestreamTruncateBlockedOutput – github.com/elastic/beats/v7/filebeat/input/filestream
