Audit ALL Sudo users and show the users UID( ) not root's UID (0)

I'm trying to log ALL users activities using su/sudo's but the logs show UID (0) root, I want to see the actual UID of the user and not Root.

I've tried the Auditctl service and I've search for PAM howto about this with no success. Now I'm trying Sudoreplay.

If everyone has a recommendation or fix that would be great.


In the audit log, the original UID is logged as auid in the SYSCALL line.

For example:

time->Fri Oct  2 15:34:34 2020
type=PROCTITLE msg=audit(1601667274.747:64171): proctitle=73797374656D63746C0073746174757300617564697464
type=PATH msg=audit(1601667274.747:64171): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=214448 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1601667274.747:64171): item=0 name="/usr/bin/systemctl" inode=201559964 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:systemd_systemctl_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1601667274.747:64171): cwd="/root"
type=EXECVE msg=audit(1601667274.747:64171): argc=3 a0="systemctl" a1="status" a2="auditd"
type=SYSCALL msg=audit(1601667274.747:64171): arch=c000003e syscall=59 success=yes exit=0 a0=558ba44792a0 a1=558ba4473c40 a2=558ba4472790 a3=8 items=2 ppid=4070001 pid=1495656 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="systemctl" exe="/usr/bin/systemctl" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="auditcmd"