Hello
On certain servers (Ubuntu 14.04 and Ubuntu 16.04, with auditd 2.3.2
and v2.4.5), we'd like to log all the commands that root has run, or
that were run as root.
For that, I added the following rules:
# Log all commands run as (or by) root
-a exit,always -F arch=b64 -F euid=0 -S execve -k exec_root
-a exit,always -F arch=b32 -F euid=0 -S execve -k exec_root
When I now do an "ausearch -k exec_root -i", I get:
…
----
type=PATH msg=audit(20.06.2016 15:28:06.976:65023) : item=1
name=/lib64/ld-linux-x86-64.so.2 inode=2952 dev=fc:01 mode=file,755
ouid=root ogid=root rdev=00:00 nametype=NORMAL
type=PATH msg=audit(20.06.2016 15:28:06.976:65023) : item=0
name=/usr/bin/sudo inode=396945 dev=fc:01 mode=file,suid,755 ouid=root
ogid=root rdev=00:00 nametype=NORMAL
type=CWD msg=audit(20.06.2016 15:28:06.976:65023) : cwd=/home/local
type=EXECVE msg=audit(20.06.2016 15:28:06.976:65023) : argc=5 a0=sudo
a1=ausearch a2=-k a3=exec_root a4=-i
type=BPRM_FCAPS msg=audit(20.06.2016 15:28:06.976:65023) : fver=0
fp=none fi=none fe=none old_pp=none old_pi=none old_pe=none
new_pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend
new_pi=none
new_pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend
type=SYSCALL msg=audit(20.06.2016 15:28:06.976:65023) : arch=x86_64
syscall=execve success=yes exit=0 a0=0x7fff4981a280 a1=0x7f7482187bd8
a2=0x1bfcf40 a3=0x7fff49819e80 items=2 ppid=11261 pid=14093 auid=local
uid=local gid=local euid=root suid=root fsuid=root egid=local sgid=local
fsgid=local tty=pts1 ses=15 comm=sudo exe=/usr/bin/sudo key=exec_root
----
type=PATH msg=audit(20.06.2016 15:28:06.980:65025) : item=1
name=/lib64/ld-linux-x86-64.so.2 inode=2952 dev=fc:01 mode=file,755
ouid=root ogid=root rdev=00:00 nametype=NORMAL
type=PATH msg=audit(20.06.2016 15:28:06.980:65025) : item=0
name=/sbin/ausearch inode=618 dev=fc:01 mode=file,755 ouid=root
ogid=root rdev=00:00 nametype=NORMAL
type=CWD msg=audit(20.06.2016 15:28:06.980:65025) : cwd=/home/local
type=EXECVE msg=audit(20.06.2016 15:28:06.980:65025) : argc=4
a0=ausearch a1=-k a2=exec_root a3=-i
type=SYSCALL msg=audit(20.06.2016 15:28:06.980:65025) : arch=x86_64
syscall=execve success=yes exit=0 a0=0x7fc01c0e0618 a1=0x7fc01c0e0638
a2=0x7fc01c0e5cd0 a3=0x7fff84d454c0 items=2 ppid=14093 pid=14094
auid=local uid=root gid=root euid=root suid=root fsuid=root egid=root
sgid=root fsgid=root tty=pts1 ses=15 comm=ausearch exe=/sbin/ausearch
key=exec_root
Now I'd like to know from where that user connected. That user is
on tty=pts1, so do I have to use last?
local@app01-test ~ % last pts/1
local pts/1 10.8.0.1 Mon Jun 20 13:26 still logged in
…
That's fine, as long as /var/log/wtmp* exists. But is there maybe a
way to get that information right away, without having to consult a
different logfile (e.g. /var/log/wtmp)?
Additionally, if I'd like auditd to do remote logging (i.e. send
logs off of the system), I'd have to use audispd, wouldn't I? How
would I then get hold of the right wtmp file? I've got the feeling
that this might become quite complicated if numerous servers were to
do remote logging to one central system...
I would be quite thankful if somebody could help :)
Thanks a lot,
Alexander
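Added example, not from the original mail: a small Python parser that groups `ausearch -i` records by event serial, rebuilds each execve command line from the EXECVE a0..aN fields, and joins the SYSCALL ses= value to the login address carried in a USER_LOGIN record, so the session's source is read from the audit trail itself rather than from wtmp. The USER_LOGIN line and its fields (addr=, res=success, as logged by sshd via PAM) are an assumption; the other sample records are trimmed copies of those quoted above.

```python
import re

# Constructed `ausearch -i` excerpt modelled on the records in the mail (trimmed).
# The USER_LOGIN line is an assumption about what sshd/PAM logs for ses=15.
SAMPLE = """\
type=USER_LOGIN msg=audit(20.06.2016 13:26:01.000:64000) : pid=11200 uid=root auid=local ses=15 msg='op=login id=local exe=/usr/sbin/sshd hostname=10.8.0.1 addr=10.8.0.1 terminal=/dev/pts/1 res=success'
type=EXECVE msg=audit(20.06.2016 15:28:06.976:65023) : argc=5 a0=sudo a1=ausearch a2=-k a3=exec_root a4=-i
type=SYSCALL msg=audit(20.06.2016 15:28:06.976:65023) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7fff4981a280 ppid=11261 pid=14093 auid=local uid=local euid=root tty=pts1 ses=15 comm=sudo exe=/usr/bin/sudo key=exec_root
----
type=EXECVE msg=audit(20.06.2016 15:28:06.980:65025) : argc=4 a0=ausearch a1=-k a2=exec_root a3=-i
type=SYSCALL msg=audit(20.06.2016 15:28:06.980:65025) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x7fc01c0e0618 ppid=14093 pid=14094 auid=local uid=root euid=root tty=pts1 ses=15 comm=ausearch exe=/sbin/ausearch key=exec_root
"""
HEADER_RE = re.compile(r"^type=(\w+) msg=audit\(([^)]*)\) : (.*)$")
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\S+)")

def parse_fields(body):
    # 'k=v k=v ...' -> dict; a quoted msg='...' sub-record is flattened into it
    fields = {}
    for key, val in FIELD_RE.findall(body):
        fields.update(parse_fields(val[1:-1]) if val[0] == "'" else {key: val})
    return fields

def parse_events(text):
    # Group lines by event serial (after the last ':' in the timestamp), keeping
    # record types apart: SYSCALL a0..a3 are pointers, EXECVE a0..aN are argv.
    events = {}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:  # '----' separators do not match and are skipped
            rtype, stamp, body = m.groups()
            events.setdefault(stamp.rsplit(":", 1)[1], {})[rtype] = parse_fields(body)
    return events

def session_sources(events):
    # ses -> login address, taken from the audit log itself instead of wtmp
    return {ev["USER_LOGIN"]["ses"]: ev["USER_LOGIN"].get("addr", "?")
            for ev in events.values()
            if ev.get("USER_LOGIN", {}).get("res") == "success"}

def root_commands(events):
    # One row per execve: login user (auid), uid/euid, argv and login source
    src = session_sources(events)
    rows = []
    for ev_id in sorted(events, key=int):
        ev = events[ev_id]
        if "EXECVE" in ev and "SYSCALL" in ev:
            argv, sc = ev["EXECVE"], ev["SYSCALL"]
            rows.append(dict(id=ev_id, auid=sc["auid"], uid=sc["uid"], euid=sc["euid"],
                             ses=sc["ses"], src=src.get(sc["ses"], "unknown"),
                             cmd=" ".join(argv[f"a{i}"] for i in range(int(argv["argc"])))))
    return rows
```

To run it against a real log, replace SAMPLE with the output of `ausearch -k exec_root -i`; an execve whose session has no matching successful USER_LOGIN is reported with src "unknown".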