Audit filter with query and user info in one record possible?

I have an audit filter which checks which users have created/dropped/altered users in the database.

I need user and host in the info however I cannot seem to find a way to include it in one record.

What I get in the audit filter log is something like :

“timestamp”: “2026-03-05 10:52:11”,
“id”: 349074,
“class”: “query”,
“event”: “query_start”,
“connection_id”: 174655,
“query_data”: {
“query”: “ALTER USER ‘test_user’@‘%’ IDENTIFIED BY ”,
“status”: 0,
“sql_command”: “alter_user”}

My current filter is:

SELECT audit_log_filter_set_filter(‘capture_required_events’, '{

“filter”: {

"class": \[

  {

    "name": "connection",

    "event": \[

      { "name": "connect" },

      { "name": "disconnect" },

      { "name": "failed_login" }

    \]

  },

  {

    "name": "query",

    "event": \[

      {

        "name": "start",

        "log": {

          "or": \[

            { "field": { "name": "sql_command_id", "value": "create_user" } },

            { "field": { "name": "sql_command_id", "value": "alter_user" } },

            { "field": { "name": "sql_command_id", "value": "drop_user" } }

          \]

        }

      }

    \]

  }

\]

}

}');

Please try this filter:

{
  "filter": {
    "class": {
      "name": "general",
      "event": {
        "name": "status",
        "log": {
          "or": [{
            "field": { 
              "name": "general_sql_command.str",
              "value": "create_user" 
            }
          },
          {
            "field": {
              "name": "general_sql_command.str",
              "value": "alter_user"
            }
          },
          {
            "field": {
              "name": "general_sql_command.str",
              "value": "drop_user"
            }
          }]
        }
      }
    }
  }
}

Here’s a sample from the audit log in XML format:

  <AUDIT_RECORD>
    <NAME>Status</NAME>
    <RECORD_ID>2_2026-03-06T00:43:31</RECORD_ID>
    <TIMESTAMP>2026-03-06T00:43:31</TIMESTAMP>
    <COMMAND_CLASS>General</COMMAND_CLASS>
    <CONNECTION_ID>52</CONNECTION_ID>
    <HOST>localhost</HOST>
    <IP></IP>
    <USER>root[root] @ localhost []</USER>
    <STATUS>0</STATUS>
    <SQLTEXT>ALTER USER 'test'@'localhost' IDENTIFIED BY &lt;secret&gt;</SQLTEXT>
  </AUDIT_RECORD>