User identity in the audit report
The audit report indicates the identity of the user who performed a specific action. The full identity of the user includes the user name and the domain or the host name that is associated with the authenticated user.
A user's identity appears in the audit report as follows:
Audit events always include the full user identity. Root users and administrators are logged as "root@hostname" or "administrator@hostname".
The image browse and image restore events always include the user ID in the audit event.
The order of the elements for the user principal is "
domain:username:domainType:providerId". The domain value does not apply for Linux computers. For that platform, the user principal is:username:domainType:providerId.For any operations that do not require credentials or require the user to sign in, operations are logged without a user identity.