Auditbeat file module improvements (#4636)

Unify the behavior across operating systems.

- Add tests.
- Resolve UID/GID/SID into owner/group.
- Log warning if a file watch cannot be added. Previously it would fail at startup.
- Remove usage of fsevents on macOS and use kqueues instead. The data provided was inconsistent with the fsnotify. It was valuable data but the signal needs some refinement to make it consistent. The biggest issue is that multiple events are coalesced into one. Another issue is that the watches are recursive (this is great, but it's inconsistent) and we will need to allow a glob to be specified then match the incoming events against the glob (future enhancement).
- Document hash fields
- Initialize watches on Start() rather than at construction time.
- Update data.json to include file owner and group names.
- Add file type and symlink target path to the events.
- Filter fsnotify events with empty paths (saw this once on Windows).

* Add auditbeat file dashboard

- Change mode format to %#04o to always get a leading 0 and a minimum of 4 digits.
- Change Stat of Lstat in assertSameFile
- Reduce code duplication between linux and bsd platforms.

Vagrantfile

@@ -55,6 +55,15 @@ cd ~/go/src/github.com/elastic
 if [ -d "/vagrant" ]; then ln -s /vagrant beats; fi
 SCRIPT
 
+# Linux GVM
+$linuxGvmProvision = <<SCRIPT
+mkdir -p ~/bin
+curl -sL -o ~/bin/gvm https://github.com/andrewkroh/gvm/releases/download/v0.0.1/gvm-linux-amd64
+chmod +x ~/bin/gvm
+echo 'export PATH=~/bin:$PATH' >> ~/.bash_profile
+echo 'eval "$(gvm 1.8.3)"' >> ~/.bash_profile
+SCRIPT
+
 Vagrant.configure(2) do |config|
 
   # Windows Server 2012 R2
@@ -110,6 +119,18 @@ Vagrant.configure(2) do |config|
     openbsd.vm.provision "shell", inline: $unixProvision, privileged: false
   end
 
+  # CentOS 7
+  config.vm.define "centos7", primary: true do |centos7|
+    #centos7.vm.box = "http://cloud.centos.org/centos/7/vagrant/x86_64/images/CentOS-7-x86_64-Vagrant-1706_02.VirtualBox.box"
+    centos7.vm.box = "ubuntu/precise64"
+    centos7.vm.network :forwarded_port, guest: 22,   host: 2226,  id: "ssh", auto_correct: true
+
+    centos7.vm.provision "shell", inline: $unixProvision, privileged: false
+    centos7.vm.provision "shell", inline: $linuxGvmProvision, privileged: false
+
+    centos7.vm.synced_folder ".", "/vagrant", type: "virtualbox"
+  end
+
 end
 
 # -*- mode: ruby -*-

auditbeat/docs/fields.asciidoc

@@ -47,16 +47,30 @@ type: keyword
 
 The path to the file.
 
+[float]
+=== audit.file.target_path
+
+type: keyword
+
+The target path for symlinks.
+
 [float]
 === audit.file.action
 
 type: keyword
 
 example: attributes_modified
 
-Action describes the change to the file. The possible values are: attributes_modified, created, deleted, updated, moved_to, collision_within, unmounted, root_changed.
+Action describes the change to the file. The possible values are: attributes_modified, created, deleted, updated, and moved.
 
 
+[float]
+=== audit.file.type
+
+type: keyword
+
+The file type (file, dir, or symlink).
+
 [float]
 === audit.file.inode
 
@@ -92,6 +106,13 @@ type: keyword
 
 The primary group name of the file.
 
+[float]
+=== audit.file.sid
+
+type: keyword
+
+The security identifier (SID) of the file owner (Windows only).
+
 [float]
 === audit.file.mode
 
@@ -137,6 +158,27 @@ type: boolean
 Boolean indicating if the event includes a file hashes. If true the md5, sha1, and sha256 fields will be present.
 
 
+[float]
+=== audit.file.md5
+
+type: keyword
+
+MD5 hash of the file.
+
+[float]
+=== audit.file.sha1
+
+type: keyword
+
+SHA1 hash of the file.
+
+[float]
+=== audit.file.sha256
+
+type: keyword
+
+SHA256 hash of the file.
+
 [float]
 == kernel Fields