Open Tacklebox opened 4 months ago
Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)
Some examples:
error.message:
Processor "kv" with tag "" in pipeline "logs-auditd.log-3.20.1" failed with message "field [auditd.log.kv] does not contain value_split [(?<!\\)=]"
auditd.log.kv:
apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/sbin/ntpd" name="run/systemd/journal/dev-log" pid=1722 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
auditd.log.kv:
apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="ubuntu_pro_esm_cache_systemd_detect_virt" pid=623809 comm="apparmor_parser"
event.original: type=AVC msg=audit(1725352551.341:838): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="ubuntu_pro_esm_cache_systemd_detect_virt" pid=91075 comm="apparmor_parser"
@andrewkroh
are you part of Team:Security-Linux Platform?
Hi @Tacklebox! Checking in to see if there's a status update on this issue?
The auditd integration uses regex patterns with the kv ingest pipeline processor to split key=value substrings out of the logs from auditd. Since the values can be arbitrary quoted data including whitespace, to fully support parsing the kv pairs, parsing should be done from a Painless script instead to account for multiple spaces, escaped quotes, etc.
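To make the failure mode concrete, the following is an added example written for this thread, not code from the auditd integration or from Elasticsearch. It models the whitespace-then-`=` split that the error message above points at (the model of the kv processor is an assumption: whitespace field split, then a split on the first unescaped `=`, failing on any token that has no `=`), and beside it a small scanner of the kind a Painless script would implement: it honours double-quoted values containing spaces, backslash-escaped quotes, runs of spaces between pairs, and `=` inside a quoted value. The sample messages are reconstructed from the ones quoted in this issue; the last one with escaped quotes is constructed for the edge case and does not come from the issue.

```python
import re

# Messages modelled on the auditd.log.kv / event.original values quoted above.
SAMPLES = [
    'apparmor="DENIED" operation="sendmsg" info="Failed name lookup - disconnected path" '
    'error=-13 profile="/usr/sbin/ntpd" name="run/systemd/journal/dev-log" pid=1722 '
    'comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0',
    'apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" '
    'profile="unconfined" name="ubuntu_pro_esm_cache_systemd_detect_virt" pid=623809 '
    'comm="apparmor_parser"',
    'type=AVC msg=audit(1725352551.341:838): apparmor="STATUS" operation="profile_replace" '
    'profile="unconfined" name="ubuntu_pro_esm_cache_systemd_detect_virt" pid=91075 '
    'comm="apparmor_parser"',
]
# Constructed edge case (not from the issue): escaped quotes, double spaces, '=' in a value.
EDGE = 'apparmor="DENIED"  name="/tmp/weird \\"file\\""   comm="a=b"'

VALUE_SPLIT = re.compile(r'(?<!\\)=')  # the value_split pattern named in the error


def naive_kv(msg):
    """Assumed model of the kv processor: split on whitespace, then split each
    token once on the first unescaped '='. A token without '=' (e.g. the word
    'name' inside a quoted info value) raises, mirroring the pipeline error."""
    pairs = {}
    for token in re.split(r'\s+', msg.strip()):
        parts = VALUE_SPLIT.split(token, maxsplit=1)
        if len(parts) != 2:
            raise ValueError(f"field [{token!r}] does not contain value_split")
        pairs[parts[0]] = parts[1]
    return pairs


def naive_fails(msg):
    """True when the whitespace/regex approach cannot parse the message."""
    try:
        naive_kv(msg)
        return False
    except ValueError:
        return True


def parse_kv(msg):
    """Character scanner for auditd-style key=value records.

    A value is either a double-quoted string (backslash escapes the next
    character, so \\" does not terminate it) or a bare run of non-whitespace.
    Any amount of whitespace may separate pairs. This is the logic a Painless
    script would carry instead of the regex split."""
    pairs = {}
    i, n = 0, len(msg)
    while i < n:
        while i < n and msg[i].isspace():  # skip separators, however many
            i += 1
        if i >= n:
            break
        j = msg.find('=', i)
        if j == -1:
            raise ValueError(f"no '=' after offset {i}: {msg[i:]!r}")
        key = msg[i:j]
        if not key or any(c.isspace() for c in key):
            raise ValueError(f"malformed key {key!r} at offset {i}")
        i = j + 1
        if i < n and msg[i] == '"':           # quoted value
            i += 1
            buf = []
            while True:
                if i >= n:
                    raise ValueError(f"unterminated quote for key {key!r}")
                c = msg[i]
                if c == '\\' and i + 1 < n:   # escaped character, keep it literally
                    buf.append(msg[i + 1])
                    i += 2
                    continue
                if c == '"':
                    i += 1
                    break
                buf.append(c)
                i += 1
            value = ''.join(buf)
        else:                                 # bare value up to next whitespace
            j = i
            while j < n and not msg[j].isspace():
                j += 1
            value = msg[i:j]
            i = j
        pairs[key] = value
    return pairs


if __name__ == "__main__":
    for m in SAMPLES + [EDGE]:
        print("naive split fails:", naive_fails(m))
        print(parse_kv(m))
```

Running it shows that every sample containing a quoted value with a space trips the naive split exactly as the pipeline error describes, while the scanner returns the full `info` string, keeps `error=-13` and `pid=1722` as bare values, and leaves the `audit(...)` stamp from `event.original` under `msg`. The scanner deliberately raises on an unterminated quote rather than silently swallowing the rest of the line, so a truncated record surfaces as a parse error instead of a bogus field.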