[Auditbeat] System module sets disallowed value ("error") in ECS event.kind field

[MikePaquette]

• Stack Version: 7.8.0. BC4
• Beat Version: 7.8.0 BC3
• ECS Version: 1.5.0
• Operating System: macOS 10.14.6 (18G3020)
• Steps to Reproduce: run auditbeat system module on macOS system. When the following condition occurs:

"message": "ERROR for PID 16250: failed to load process information for PID 16250: no such process",
    "error": {
      "message": "failed to load process information for PID 16250: no such process"
    },

Current behavior:
The event contains. event.kind:error. "error" is not a value of event.kind allowed by ECS 1.5.0

"service": {
    "type": "system"
  },
  "event": {
    "category": [
      "process"
    ],
    "type": [
      "info"
    ],
    "action": "process_error",
    "module": "system",
    "dataset": "process",
    "kind": "error"

Expected Behavior:
The event should contain event.kind:event or some other value allowed by ECS1.5.0 which are listed here: https://www.elastic.co/guide/en/ecs/current/ecs-allowed-values-event-kind.html

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[andrewstucki]

@MikePaquette auditbeat appears to have shipped this ever since 6.6 -- #9693 appears to be the PR that introduced this, specifically this line -- I believe this was prior to the explicit enumeration of ECS-allowed categorization values. I can fix it in master, but due to this being a breaking change in beats, I don't believe we can ship the fix until 8.0 is cut.