
Audit Logs Format

New Member
Posts: 2

I am working on some analysis of the audit.log file. As per the documentation (https://docs.infoblox.com/display/nios84/Audit+Log), it shows different formats for logs; the one seen in the majority of places is of the form <timestamp user action object objectname message>, but some seem to have different formats, like Quotas and GSS-TSIG.


Reference: 

https://docs.infoblox.com/display/nios84/Monitoring+Tools#MonitoringTools-bookmark2813
https://docs.infoblox.com/display/nios84/Audit+Log


I wanted to ask two questions:

1) If I am getting logs in syslog, then it has various other logs as well, like DHCPD, DNS, and other information. For dhcpd, if I have the string dhcpd in the log, I can classify it as a dhcpd log, and for threat protect, if it is in the log, then it could be classified as a threat protect log. If I want to figure out whether a particular log is from audit.log, is there any way, by looking into a log, to tell that this log is from audit.log?


2) If I see audit.log in Grid Manager, I can see all values divided into columns, but for events like Quotas and GSS-TSIG, how do they look in that, as they don't have all the information as seen from the message in this link: https://docs.infoblox.com/display/nios84/Audit+Log

So is there a standard format that could help me find values based on the fields from the audit.log file, something like this: <timestamp user action object objectname message>?
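An added example, not part of the original post and not Infoblox's own code, showing the two steps the questions ask about: tagging forwarded syslog lines by source (the substring rules proposed for dhcpd and threat protect, plus a shape check for audit entries) and splitting an audit entry into the documented <timestamp user action object objectname message> fields. The page only gives the field order, so the exact delimiters (ISO timestamp, user in square brackets, a colon before the free-text message), the RFC 3164-style relay header, and every sample line below are assumptions constructed for this example; adjust the two regexes to what your own appliance emits.

```python
import re
from typing import Optional

# Field order quoted from the NIOS docs: <timestamp user action object objectname message>.
# The concrete delimiters here are an ASSUMPTION for this example, not the documented format.
AUDIT_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?Z?)\s+"
    r"\[(?P<user>[^\]]*)\]:\s*(?P<rest>.*)$"
)

# Generic RFC 3164-style relay header ("Jan 15 10:11:12 host tag: ..."); also assumed.
SYSLOG_HDR_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ [^:\s]+:\s+")

# Constructed sample lines (hosts, addresses and users are placeholders).
SAMPLE_LINES = [
    'Jan 15 10:11:12 gm1 audit: 2024-01-15 10:11:12.345Z [admin]: Created ARecord host1.example.com: Set address="192.0.2.10"',
    "2024-01-15 10:12:00.000Z [admin]: Login: successful from 192.0.2.5",
    "Jan 15 10:11:13 gm1 dhcpd: DHCPACK on 192.0.2.50 to 00:11:22:33:44:55 via eth1",
    "Jan 15 10:11:14 gm1 infoblox: Threat Protect dropped a query from 198.51.100.7",
]


def strip_syslog_header(line: str) -> str:
    """Peel one relay header off a forwarded line; bare lines pass through unchanged."""
    return SYSLOG_HDR_RE.sub("", line, count=1)


def parse_audit(line: str) -> Optional[dict]:
    """Split one audit entry into the documented fields.

    Returns None when the line does not have the audit shape. Fields an event
    does not carry (the sparser Quota / GSS-TSIG style events the question
    mentions) come back as None instead of raising.
    """
    m = AUDIT_RE.match(strip_syslog_header(line).strip())
    if not m:
        return None
    # The free-text message is whatever follows the first ": " after the user.
    head, sep, message = m.group("rest").partition(": ")
    tokens = head.split()
    return {
        "timestamp": m.group("timestamp"),
        "user": m.group("user"),
        "action": tokens[0] if tokens else None,
        "object": tokens[1] if len(tokens) > 1 else None,
        "objectname": " ".join(tokens[2:]) or None,
        "message": message if sep else None,
    }


def classify(line: str) -> str:
    """Tag a line by source. The structural audit check runs first so an audit
    message that merely mentions 'dhcpd' is not mis-tagged by the substring rule."""
    if parse_audit(line) is not None:
        return "audit"
    lowered = line.lower()
    if "dhcpd" in lowered:
        return "dhcpd"
    if "threat protect" in lowered:
        return "threat-protect"
    return "other"


def summarize(lines) -> dict:
    """Count lines per source tag; handy for a quick sanity check of a syslog feed."""
    counts: dict = {}
    for line in lines:
        kind = classify(line)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify(line), parse_audit(line))
    print(summarize(SAMPLE_LINES))
```

Because object and objectname are optional in the parser, a sparse event still yields a record with timestamp, user and action filled in and the rest None, which is how the example answers the second question: map whatever columns exist and tolerate the missing ones rather than rejecting the line.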
