I have attached the output from _ingest/pipeline/filebeat-7.0.0* and included the extract for "filebeat-7.0.0-system-auth-pipeline" below:
"filebeat-7.0.0-system-auth-pipeline":{"description":"Pipeline for parsing system authorisation/secure logs","processors":[{"grok":{"field":"message","ignore_missing":true,"pattern_definitions":{"GREEDYMULTILINE":"(.|\n)"},"patterns":["%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user )?%{DATA:user.name} from %{IPORHOST:source.ip} port %{NUMBER:source.port:long} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?","%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: %{DATA:system.auth.ssh.event} user %{DATA:user.name} from %{IPORHOST:source.ip}","%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}","%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: \s%{DATA:user.name} %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}","%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: new group: name=%{DATA:group.name}, GID=%{NUMBER:group.id}","%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: new user: name=%{DATA:user.name}, UID=%{NUMBER:user.id}, GID=%{NUMBER:group.id}, home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$","%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:host.hostname}? 
%{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: %{GREEDYMULTILINE:system.auth.message}"]}},{"remove":{"field":"message"}},{"rename":{"target_field":"message","ignore_missing":true,"field":"system.auth.message"}},{"set":{"field":"source.ip","value":"{{system.auth.ssh.dropped_ip}}","if":"ctx.containsKey('system') && ctx.system.containsKey('auth') && ctx.system.auth.containsKey('ssh') && ctx.system.auth.ssh.containsKey('dropped_ip')"}},{"date":{"field":"system.auth.timestamp","target_field":"@timestamp","formats":["MMM d HH:mm:ss","MMM dd HH:mm:ss"],"ignore_failure":true}},{"remove":{"field":"system.auth.timestamp"}},{"geoip":{"field":"source.ip","target_field":"source.geo","ignore_failure":true}},{"script":{"lang":"painless","ignore_failure":true,"source":"if (ctx.system.auth.ssh.event == "Accepted") { if (!ctx.containsKey("event")) { ctx.event = [:]; } ctx.event.type = "authentication_success"; ctx.event.category = "authentication"; ctx.event.action = "ssh_login"; ctx.event.outcome = "success"; } else if (ctx.system.auth.ssh.event == "Invalid" || ctx.system.auth.ssh.event == "Failed") { if (!ctx.containsKey("event")) { ctx.event = [:]; } ctx.event.type = "authentication_failure"; ctx.event.category = "authentication"; ctx.event.action = "ssh_login"; ctx.event.outcome = "failure"; }"}}],"on_failure":[{"set":{"field":"error.message","value":"{{ _ingest.on_failure_message }}"}}]},"filebeat-7.0.0-system-syslog-pipeline":{"description":"Pipeline for parsing Syslog messages.","processors":[{"grok":{"field":"message","patterns":["%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: %{GREEDYMULTILINE:system.syslog.message}","%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{GREEDYMULTILINE:system.syslog.message}","%{TIMESTAMP_ISO8601:system.syslog.timestamp} %{SYSLOGHOST:host.hostname} %{DATA:process.name}(?:\[%{POSINT:process.pid:long}\])?: 
%{GREEDYMULTILINE:system.syslog.message}"],"pattern_definitions":{"GREEDYMULTILINE":"(.|\n)*"},"ignore_missing":true}},{"remove":{"field":"message"}},{"rename":{"ignore_missing":true,"field":"system.syslog.message","target_field":"message"}},{"date":{"target_field":"@timestamp","formats":["MMM d HH:mm:ss","MMM dd HH:mm:ss","yyyy-MM-dd'T'HH:mm:ss.SSSSSSZZ"],"ignore_failure":true,"field":"system.syslog.timestamp"}},{"remove":{"field":"system.syslog.timestamp"}}],"on_failure":[{"set":{"field":"error.message","value":"{{ _ingest.on_failure_message }}"}}]},"filebeat-7.0.0-elasticsearch-deprecation-pipeline":{"description":"Pipeline for parsing elasticsearch deprecation logs","processors":[{"rename":{"field":"@timestamp","target_field":"event.created"}},{"grok":{"field":"message","patterns":["^%{CHAR:first_char}"],"pattern_definitions":{"CHAR":"."}}},{"pipeline":{"if":"ctx.first_char != '{'","name":"filebeat-7.0.0-elasticsearch-deprecation-pipeline-plaintext"}},{"pipeline":{"if":"ctx.first_char == '{'","name":"filebeat-7.0.0-elasticsearch-deprecation-pipeline-json"}},{"date":{"formats":["ISO8601"],"ignore_failure":true,"field":"elasticsearch.deprecation.timestamp","target_field":"@timestamp"}},{"remove":{"field":"elasticsearch.deprecation.timestamp"}},{"remove":{"field":["first_char"]}}],"on_failure":[{"set":{"field":"error.message","value":"{{ _ingest.on_failure_message }}"}}]}}