How to decode Debian audit logs and find where the script is being run from?
Here is a piece of the system audit log; in theory something "illegal" is going on in it, but I can't figure out where the script is being launched from: there is no folder or file "/tmp/r.sh", or at least I can't find it:
(using -i doesn't really change anything for ausearch)
type=SYSCALL msg=audit(1524920677.244:1631980): arch=c000003e syscall=59 success=yes exit=0 a0=7fff0849fed0 a1=7fff0849e760 a2=7fff0849e770 a3=5b5 items=3 ppid=1 pid=12237 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="r.sh" exe="/bin/bash" key="webserver-watch-tmp"
type=EXECVE msg=audit(1524920677.244:1631980): argc=2 a0="/bin/bash" a1="/tmp/r.sh"
type=EXECVE msg=audit(1524920677.244:1631980): argc=1 a0="/bin/bash"
type=CWD msg=audit(1524920677.244:1631980): cwd="/var/www/username/data/www/site folder address"
type=PATH msg=audit(1524920677.244:1631980): item=0 name="/tmp/r.sh" inode=57543177 dev=fd:01 mode=0100755 ouid=33 ogid=33 rdev=00:00
type=PATH msg=audit(1524920677.244:1631980): item=1 name=(null) inode=42459137 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1524920677.244:1631980): item=2 name=(null) inode=27025442 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
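Since the page carries no answer, here is an added example (my own code, not from the post or from the auditd tooling) that correlates records like the ones above by their msg=audit(timestamp:serial) id and pulls out what a defender needs: the argv, the working directory, the file paths and the pid/ppid/auid fields. In these records cwd is the directory the script was run from, ppid=1 means the launching process had already exited, and auid=4294967295 means no login session, i.e. a daemon started it (uid 33 is www-data on Debian, which together with key="webserver-watch-tmp" points at the web server). The sample input is constructed from the post's own records.

```python
import re
from collections import defaultdict

# Constructed sample built from the records in the post (values copied from it).
SAMPLE = """\
type=SYSCALL msg=audit(1524920677.244:1631980): arch=c000003e syscall=59 success=yes exit=0 a0=7fff0849fed0 a1=7fff0849e760 a2=7fff0849e770 a3=5b5 items=3 ppid=1 pid=12237 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="r.sh" exe="/bin/bash" key="webserver-watch-tmp"
type=EXECVE msg=audit(1524920677.244:1631980): argc=2 a0="/bin/bash" a1="/tmp/r.sh"
type=CWD msg=audit(1524920677.244:1631980): cwd="/var/www/username/data/www/site folder address"
type=PATH msg=audit(1524920677.244:1631980): item=0 name="/tmp/r.sh" inode=57543177 dev=fd:01 mode=0100755 ouid=33 ogid=33 rdev=00:00
type=PATH msg=audit(1524920677.244:1631980): item=1 name=(null) inode=42459137 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
"""

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # quoted values may contain spaces
UNSET_AUID = "4294967295"                        # -1 as u32: no login session

def parse_records(text):
    """Group raw records by their audit event id (timestamp:serial)."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        events[event_id][rtype].append(fields)
    return events

def summarize_execve(event):
    """What ran, from which directory, as whom, and who started it."""
    sysc, execve = event["SYSCALL"][0], event["EXECVE"][0]
    return {
        "argv": [execve[f"a{i}"] for i in range(int(execve["argc"]))],
        "cwd": event["CWD"][0]["cwd"] if event.get("CWD") else None,
        "files": [p["name"] for p in event.get("PATH", []) if p["name"] != "(null)"],
        "pid": int(sysc["pid"]), "ppid": int(sysc["ppid"]),
        "uid": int(sysc["uid"]), "key": sysc.get("key"),
        # ppid=1: the real parent has already exited, so it must be found
        # from the parent's own exec record, not from this one.
        "parent_exited": sysc["ppid"] == "1",
        # unset auid: started by a daemon (e.g. the web server), not a login.
        "no_login_session": sysc["auid"] == UNSET_AUID,
    }

def triage(text):
    """Summaries for every execve event in the text, keyed by event id."""
    return {eid: summarize_execve(ev) for eid, ev in parse_records(text).items()
            if ev.get("SYSCALL") and ev.get("EXECVE")}
```

Because the parent is already gone (ppid=1), look at the neighbouring events with the same key (ausearch -k webserver-watch-tmp -i) to see which web-server child created and then executed /tmp/r.sh; inode 57543177 identifies the file even if the name was unlinked afterwards or it lives in a service's private /tmp (systemd PrivateTmp), which would explain why it is not visible in the host's /tmp.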