[auditbeat][fim] Update Auditbeat file_integrity module to default to auto backend with intelligent fallback

[marc-gr]

Proposed commit message

The auto backend option now tries the backends in order until the best available option is found

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works. Where relevant, I have used the stresstest.sh script to run them under stress conditions and race detector to verify their stability.
• I have added an entry in ./changelog/fragments using the changelog tool.

Disruptive User Impact

Author's Checklist

• [ ]

How to test this PR locally

Related issues

• Closes [auditbeat][fim] Improve handling of backend choice #46690

Use cases

Screenshots

Logs

[elasticmachine]

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

[github-actions]

🤖 GitHub comments

Just comment with:

• run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

[github-actions]

🔍 Preview links for changed docs

• docs/reference/auditbeat/auditbeat-module-file_integrity.md
• docs/reference/auditbeat/auditbeat-reference-yml.md

[nicholasberlin]

LGTM

[colleenmcginnis]

I left some suggestions below on how to structure cumulative documentation.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8c44f2bc-ecd0-4e2c-a923-70e17b8584aa

📥 Commits

Reviewing files that changed from the base of the PR and between 0bd2296 and 6cd36d1.

📒 Files selected for processing (2)

• auditbeat/module/file_integrity/_meta/docs.md
• docs/reference/auditbeat/auditbeat-module-file_integrity.md

---

📝 Walkthrough

Walkthrough

The file_integrity module's backend default changed from fsnotify to auto. A centralized event-reader initialization layer was added that selects backends by platform-specific priority (Linux: ebpf → kprobes → fsnotify; Windows: etw → fsnotify; others: fsnotify) and tries initializers in order. Backend initializers now perform upfront availability checks and return errors early. Validation now checks against supportedBackends. Platform-specific eventreader_*.go files provide autoBackendOrder and supportedBackends mappings. Tests, docs, and reference YAMLs were updated accordingly.

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	PR implements all core objectives from #46690: auto backend with platform-specific preferences (Linux: eBPF→kprobes→fsnotify; Windows: ETW→fsnotify) and explicit backend selection without fallback.
Out of Scope Changes check	✅ Passed	All changes align with auto backend implementation: config updates, backend initialization refactoring, documentation, tests, and changelog are in scope.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

• 🛠️ Update Documentation: Commit on current branch
• 🛠️ Update Documentation: Create PR

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[marc-gr]

cc @elastic/ingest-docs please if anyone can take a look

[alexandra5000]

LGTM with some minor changes 🙂

[vishaangelova]

Some suggestions to update the applies_to badges with the syntax for version ranges.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@auditbeat/module/file_integrity/_meta/docs.md`:
- Around line 103-104: The Linux backend applicability is inconsistent: the
block showing "{applies_to}`stack: preview 9.4.0+` `auto`" conflicts with the
other occurrence that marks Linux `auto` as GA; update this snippet so the Linux
backend uses the same GA applicability range as the other reference (replace the
preview applicability for `auto` with the GA range used elsewhere), ensuring the
two lines that mention `{applies_to}`stack: preview 9.4.0+` `auto`` and
`{applies_to}`stack: ga 9.0.0-9.3` `fsnotify`` are aligned and consistent.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a26faf8a-e57a-415f-9945-a0cdb2b82156

📥 Commits

Reviewing files that changed from the base of the PR and between c98434e and 0bd2296.

📒 Files selected for processing (2)

• auditbeat/module/file_integrity/_meta/docs.md
• docs/reference/auditbeat/auditbeat-module-file_integrity.md

[vishaangelova]

LGTM