system.auth - sync pipeline with Fleet integration

Sync the pipeline for the system.auth dataset with the Fleet integration
from elastic/integrations#3705.

This removes the event.type authentication_failed and authentication_success
values which are not allowed as per ECS. You can use event.category: authentication
and event.outcome: success/failure to query instead.

filebeat/module/system/_meta/docs.asciidoc

@@ -63,6 +63,13 @@ include::../include/var-paths.asciidoc[]
 
 include::../include/var-paths.asciidoc[]
 
+*`var.tags`*::
+
+A list of tags to include in events. Including `forwarded` indicates that the
+events did not originate on this host and causes `host.name` to not be added to
+events. Include `preserve_orginal_event` causes the pipeline to retain the raw
+log in `event.original`. Defaults to `[]`.
+
 include::../include/timezone-support.asciidoc[]
 
 [float]

filebeat/module/system/auth/config/auth.yml

@@ -4,12 +4,14 @@ paths:
  - {{$path}}
 {{ end }}
 exclude_files: [".gz$"]
+
 multiline:
   pattern: "^\\s"
   match: after
+
 processors:
   - add_locale: ~
-  - add_fields:
-      target: ''
-      fields:
-        ecs.version: 1.12.0
+
+tags: {{ .tags | tojson }}
+
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}