Modern versions of auditd allow users to specify the ENRICHED log format but the module regexps disallow this.
from man auditd.conf:
log_format
The log format describes how the information should be stored on disk. There are 2 options: raw and enriched. If set to
RAW, the audit records will be stored in a format exactly as the kernel sends it. The ENRICHED option will resolve all uid,
gid, syscall, architecture, and socket address information before writing the event to disk. This aids in making sense of
events created on one system but reported/analyzed on another system. The NOLOG option is now deprecated. If you were setting this format, now you should set the write_logs option to no.
Module should allow ENRICHED and document its usage
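To illustrate the fix the report asks for, here is an added example (not the module's own code): a reconstruction of the kind of pattern that only accepts RAW, the corrected pattern that also accepts ENRICHED and steers users of the deprecated NOLOG toward write_logs = no, and a helper that splits an ENRICHED record into its kernel part and the resolved fields appended by auditd. The regex names, the sample auditd.conf fragment and the sample audit record are constructed for this example; the 0x1D separator between the raw record and the enrichment is the one auditd uses.

```python
import re
from typing import Dict, Tuple

# Hypothetical reconstruction of the restrictive validation the report describes:
# only RAW (and the deprecated NOLOG) pass, so a legitimate ENRICHED setting is rejected.
OLD_LOG_FORMAT_RE = re.compile(r"^(raw|nolog)$", re.IGNORECASE)

# Corrected pattern: the two formats documented in man auditd.conf.
NEW_LOG_FORMAT_RE = re.compile(r"^(raw|enriched)$", re.IGNORECASE)


def validate_log_format(value: str) -> str:
    """Return the normalized log_format, or raise ValueError with actionable guidance."""
    v = value.strip()
    if v.lower() == "nolog":
        # man auditd.conf: NOLOG is deprecated, write_logs = no replaces it.
        raise ValueError("log_format = NOLOG is deprecated; set write_logs = no instead")
    if not NEW_LOG_FORMAT_RE.match(v):
        raise ValueError(f"log_format must be RAW or ENRICHED, got {value!r}")
    return v.upper()


def check_auditd_conf(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines of an auditd.conf fragment and validate log_format."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition("=")
        settings[key.strip().lower()] = val.strip()
    # auditd defaults to RAW when log_format is absent.
    settings["log_format"] = validate_log_format(settings.get("log_format", "RAW"))
    return settings


# auditd appends the resolved fields after an ASCII group separator (0x1D).
ENRICH_SEP = "\x1d"


def split_enriched(record: str) -> Tuple[str, Dict[str, str]]:
    """Split an ENRICHED record into the raw kernel text and the resolved name fields."""
    raw, _, enrichment = record.partition(ENRICH_SEP)
    fields: Dict[str, str] = {}
    for m in re.finditer(r'(\w+)=("[^"]*"|\S+)', enrichment):
        fields[m.group(1)] = m.group(2).strip('"')
    return raw, fields


# Constructed sample configuration fragment.
SAMPLE_CONF = """# constructed auditd.conf fragment
log_format = ENRICHED
write_logs = yes
"""

# Constructed sample record: numeric uid/syscall in the raw part, names after 0x1D.
SAMPLE_RECORD = (
    'type=SYSCALL msg=audit(1700000000.000:101): arch=c000003e syscall=59 success=yes '
    'exit=0 uid=0 gid=0 comm="ls" exe="/usr/bin/ls"'
    '\x1dARCH=x86_64 SYSCALL=execve UID="root" GID="root"'
)

if __name__ == "__main__":
    print("old regex accepts ENRICHED:", bool(OLD_LOG_FORMAT_RE.match("ENRICHED")))
    print("validated settings:", check_auditd_conf(SAMPLE_CONF))
    raw, resolved = split_enriched(SAMPLE_RECORD)
    print("resolved fields:", resolved)
```

Running the script shows the old pattern rejecting ENRICHED while the corrected validator accepts it, and the record helper returns the resolved names (ARCH, SYSCALL, UID, GID) separately from the raw kernel text, which is what makes enriched logs readable on a host whose uid and syscall tables differ from the originating system.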