filebeat/module/auditd: implement support for ENRICHED format logs

[efd6]

As described in https://github.com/elastic/integrations/issues/5343 for the auditd fleet integration auditd can have an ENRICHED format. This format uses the escape character (^[) to separate the standard structured data from the enriched fields resulting in failure of the original grok processor to construct fields correctly. This was fixed for the fleet package in elastic/integrations#8716, but the change was not reflected into the beats module.

Replay the equivalent of that PR for the filebeat auditd module here.

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[elasticmachine]

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)