Audit events do not consistently include the port number in "origin.address"

[tlrx]

Some types of audit event samples from our documentation include the port number in "origin.address", like access_denied:

{"type":"audit", "timestamp":"2020-12-30T22:30:06,949+0200", "node.id":
"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"transport", "event.action":
"access_denied", "authentication.type":"REALM", "user.name":"user1",
"user.realm":"default_native", "user.roles":["test_role"], "origin.type":
"rest", "origin.address":"[::1]:52434", "request.id":"yKOgWn2CRQCKYgZRz3phJw",
"action":"indices:admin/auto_create", "request.name":"CreateIndexRequest",
"indices":["<index-{now/d+1d}>"]}

but other types like connection_denied from this issue does not include the port:

{"type":"audit", "timestamp":"2020-12-30T21:47:31,526+0200", "node.id":
"0RMNyghkQYCc_gVd1G6tZQ", "event.type":"ip_filter", "event.action":
"connection_denied", "origin.type":"rest", "origin.address":"10.10.0.20",
"transport.profile":".http", "rule":"deny 10.10.0.0/16"}

I think we should be consistent here and always include the port number in the "origin.address" field.

[elasticmachine]

Pinging @elastic/es-security (Team:Security)

[albertzaharovits]

Nice catch! I agree this is a bug.
Internally the connectionGranted and connectionDenied events serialize, in the audit log, the peer's InetAddress which doesn't contain the remote port. Instead they should serialize the InetSocketAddress.