main/Auditd/decoders/auditd-user_and_cred.xml
2022-12-29 10:45:00 -06:00


<!-- Root decoder: claims any log line that begins with "type=" (the auditd
     record layout). It extracts no fields itself; the child decoders below,
     which name this decoder in <parent>, do the field extraction.
     NOTE(review): every auditd record type reaches this prematch, not only the
     types listed in the child prematch, so unlisted types are attributed to
     this decoder without any fields. If another loaded decoder also prematches
     "^type=", load order decides which one claims the line; confirm against the
     rest of the ruleset. The children reuse this exact name and reference it
     via <parent>; this relies on the root being declared first, so keep it at
     the top of the file. -->
<decoder name="auditd-user_and_cred">
<prematch>^type=</prematch>
</decoder>
<!--
type=USER_ACCT msg=audit(1480087217.108:6042): pid=6013 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="root" exe="/usr/sbin/sshd" hostname=10.10.10.100 addr=10.10.10.100 terminal=ssh res=success'
type=CRED_ACQ msg=audit(1480087217.108:6043): pid=6013 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="root" exe="/usr/sbin/sshd" hostname=10.10.10.100 addr=10.10.10.100 terminal=ssh res=success'
-->
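<!-- First child: selects the user/credential record types handled by this file
     and pulls the record type and the audit event serial out of the header.
     The prematch alternatives are anchored with "^" at the after_parent offset,
     i.e. immediately after "type=". Each alternative now ends with a space so
     that only the exact type name matches (the type is always followed by
     " msg=", as in the sample records above); previously three alternatives
     lacked the space and so matched any type sharing that prefix.
     Fields: audit.type = record type, audit.id = serial after the ":" inside
     audit(...). The "seconds.millis" timestamp is matched but not captured;
     "\d+" replaces the fixed ten-digit count so the pattern does not depend on
     the epoch width, and "." is the OS_Regex any-character wildcard standing in
     for the literal dot separator. -->
<decoder name="auditd-user_and_cred">
<parent>auditd-user_and_cred</parent>
<prematch offset="after_parent">^USER_ACCT |^CRED_ACQ |^USER_START |^CRED_REFR |^CRYPTO_KEY_USER |^CRYPTO_SESSION |^USER_AUTH |^USER_ROLE_CHANGE |^SERVICE_STOP </prematch>
<regex offset="after_parent">^(\S+) msg=audit\(\d+.\d+:(\d+)\): </regex>
<order>audit.type,audit.id</order>
</decoder>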
<!-- Process/session header fields that follow the "): " matched by the previous
     sibling; the "^" anchor at the after_regex offset requires "pid=" to be the
     first key there, which is the layout of the sample records above.
     Fields: audit.pid, audit.uid, audit.auid, audit.session.
     NOTE(review): auid=4294967295 and ses=4294967295 (seen in the samples) are
     unsigned -1, presumably audit's "unset" value for records produced by a
     daemon such as sshd before a login uid exists; rules keyed on audit.auid
     should treat that value as "no login uid" rather than as a real account. -->
<decoder name="auditd-user_and_cred">
<parent>auditd-user_and_cred</parent>
<regex offset="after_regex">^pid=(\S+) uid=(\S+) auid=(\S+) ses=(\S+)</regex>
<order>audit.pid,audit.uid,audit.auid,audit.session</order>
</decoder>
<!-- Optional "subj=" value (presumably the process security context, e.g. an
     SELinux label). It is not present in the sample records above; on records
     that lack it this sibling matches nothing and audit.subj is simply absent,
     which does not stop the following siblings from being evaluated. -->
<decoder name="auditd-user_and_cred">
<parent>auditd-user_and_cred</parent>
<regex offset="after_regex">subj=(\S+)</regex>
<order>audit.subj</order>
</decoder>
<!-- Account the PAM operation refers to, taken from the quoted form
     acct="name" (acct="root" in the samples above).
     NOTE(review): the audit daemon hex-encodes, and writes without quotes, any
     value containing characters it will not print (spaces, quotes, non-ASCII),
     giving acct=HEXSTRING. That form does not match this pattern, so audit.acct
     is silently absent for such names. If rules depend on audit.acct being
     present, consider a sibling that also accepts the unquoted form, and verify
     how the field behaves when both siblings match. -->
<decoder name="auditd-user_and_cred">
<parent>auditd-user_and_cred</parent>
<regex offset="after_regex">acct="(\S+)"</regex>
<order>audit.acct</order>
</decoder>
<!-- "unit=" value, presumably the service unit name carried by SERVICE_STOP
     records (the only service-related type in the prematch list). The other
     record types handled here yield no audit.unit. -->
<decoder name="auditd-user_and_cred">
<parent>auditd-user_and_cred</parent>
<regex offset="after_regex">unit=(\S+)</regex>
<order>audit.unit</order>
</decoder>
<!-- Path of the executable that produced the record, from the quoted form
     exe="/path" (exe="/usr/sbin/sshd" in the samples above). As with acct, a
     hex-encoded unquoted path would not be captured. -->
<decoder name="auditd-user_and_cred">
<parent>auditd-user_and_cred</parent>
<regex offset="after_regex">exe="(\S+)"</regex>
<order>audit.exe</order>
</decoder>
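<!-- Source address of the session, written to the standard srcip field so that
     IP-based rule options (srcip, same_srcip, active response) can use it.
     NOTE(review): auditd writes addr=? when no network address is known (local
     console/tty sessions), and "\S+" accepts that, so srcip can hold the
     literal "?" for local logins. OS_Regex has no character classes, so the
     pattern is left as is; rules correlating on srcip should account for the
     "?" value, or this sibling can be tightened to an address shape if only
     IPv4 sources matter. -->
<decoder name="auditd-user_and_cred">
<parent>auditd-user_and_cred</parent>
<regex offset="after_regex">addr=(\S+)</regex>
<order>srcip</order>
</decoder>
<!-- Outcome of the PAM operation (res=success in the sample records above).
     Added so that rules can separate successful from unsuccessful
     authentication/accounting records; before this sibling existed no decoder
     in this file captured the result, so the two were indistinguishable at the
     field level. Placed last because res= is the final key in the record and
     the match starts at the previous sibling's offset. -->
<decoder name="auditd-user_and_cred">
<parent>auditd-user_and_cred</parent>
<regex offset="after_regex">res=(\w+)</regex>
<order>audit.res</order>
</decoder>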