Type: Task
Resolution: Unresolved
Priority: Major - P3
Affects Version/s: None
Component/s: None
Server Security

When an operation is performed on a shard from a mongos, the mongos authenticates to the shard as the internal __system user. When logging the command's metadata, it propagates the actual end user's name and roles in a subdocument called $audit with two fields: $impersonatedUsers and $impersonatedRoles. This field does not appear in slow query logs for operations performed on a mongod from a directly-connected driver authenticated as a regular user.
We should consider logging an operation's user's username in its slow query log even in non-impersonation cases so the information is always available.

Is related to: SERVER-71605 Provide option to deduplicate impersonated user and role information (Open)
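
The attribution gap described in this ticket, as an added example that is not part of the ticket or of the server code base: a small Python triage script that reads slow query log lines and reports which entries carry the end user in $audit and which name no user at all. The sample lines are constructed, and the placement of $audit under attr.command in the JSON log layout is an assumption.

```python
import json

# Constructed sample lines in the structured (JSON) log layout. The placement of
# $audit under attr.command is an assumption, not taken from the ticket.
SAMPLE_LOG = """\
{"c":"COMMAND","ctx":"conn21","msg":"Slow query","attr":{"ns":"shop.orders","command":{"find":"orders","$audit":{"$impersonatedUsers":[{"user":"alice","db":"admin"}],"$impersonatedRoles":[{"role":"readWrite","db":"shop"}]}},"durationMillis":412}}
{"c":"COMMAND","ctx":"conn37","msg":"Slow query","attr":{"ns":"shop.orders","command":{"find":"orders","$db":"shop"},"durationMillis":655}}
{"c":"NETWORK","ctx":"listener","msg":"Connection accepted","attr":{"connectionId":38}}
not json at all
"""


def attribute_slow_queries(text):
    """Return one record per slow query entry, with the end user when logged."""
    records = []
    for line in text.splitlines():
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(entry, dict) or entry.get("msg") != "Slow query":
            continue
        attr = entry.get("attr", {})
        audit = attr.get("command", {}).get("$audit") or {}
        users = [f'{u.get("user")}@{u.get("db")}' for u in audit.get("$impersonatedUsers", [])]
        roles = [f'{r.get("role")}@{r.get("db")}' for r in audit.get("$impersonatedRoles", [])]
        records.append({
            "ctx": entry.get("ctx"),
            "ns": attr.get("ns"),
            "millis": attr.get("durationMillis"),
            "users": users,
            "roles": roles,
            "attributed": bool(users),
        })
    return records


def unattributed(records):
    """Entries whose log line names no end user (the direct-connection case)."""
    return [r for r in records if not r["attributed"]]


if __name__ == "__main__":
    for r in attribute_slow_queries(SAMPLE_LOG):
        who = ", ".join(r["users"]) or "<no user in log line>"
        print(f'{r["ctx"]} {r["ns"]} {r["millis"]}ms user={who}')
```

Entries reported by unattributed() can only be tied to a user by correlating the connection id in ctx with authentication events recorded elsewhere in the log.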