Introduce event.flags

[ruflin]

events can go through multiple entities and processing stages. To indicate multiple processing stages in filebeat for log events we introduced log.flags elastic/beats#7991. Some example for these flags are truncated, multiline. I think this could be more generic on the ECS side that we have event.flags so it's possible to add flags that provide additional meta information event.

[ypid-geberit]

I created #1379 to document the de facto standard and for me to have something that I can for now use at ECS level custom internally.

[ebeahan]

log.flags continues to be set by the line readers in Beats. Couple of examples:

https://github.com/elastic/beats/blob/master/libbeat/reader/multiline/message_buffer.go#L123
https://github.com/elastic/beats/blob/master/libbeat/reader/readfile/limit.go#L48

Since this mechanism is low-level and relates to the event's logging mechanism and not context around the event itself, I lean towards formalizing the existing log.flags field vs. introducing event.flags.

[ebeahan]

@kvch @urso Do you have any thoughts about formalizing the log.flags field by adding it into ECS along with the field's expected values (truncated, multiline)?