Description
Describe the bug
Audit logs have the timestamp in JSON, great! But the time field is pushed back in the record. Previously (older Vault versions, say 1.15.4) it used to be the first field in the log.
Why it matters
Log forwarders slurp the audit file and forward it to their servers.
- The timestamp is generally searched for within ~100 chars of each line
- Uniqueness of each record, used to determine whether a file or record has already been forwarded, is generally based on the first ~250 chars
In our case, we use Splunk. The Splunk UI shows that it is guessing the time for each event (not accurate) and it is all returned as text blobs; previously it was all JSON syntax highlighted.
To Reproduce
Steps to reproduce the behavior:
Create an audit log device
- Run
vault server --dev
- Run
VAULT_ADDR=http://localhost:8200 VAULT_TOKEN=hvs.XwVUGXnMXazhsTE8zDMwgDhL vault audit enable file elide_list_responses=true file_path=stdout
- Audit log
{"auth":....,"request":....,"time":"2025-08-06T13:52:53.595695Z","type":"response"}
Expected behavior
Timestamp in the audit log as the first field
{"time":"2025-08-06T13:52:53.595695Z","auth":....,"request":....,"type":"response"}
Environment:
Vault version: v1.20.2
Previously working version: v1.15.4 (or above; I have not tested other later versions)
Additional Context:
Splunk default timestamp processor: The default number of characters that the timestamp processor looks into an event is 128.
Splunk input.conf: By default, the input only performs CRC checks against the first 256 bytes of a file.
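As an added example (not from this issue, and not Vault or Splunk code), a Python check of the two forwarder limits quoted above: whether the "time" key lands inside the 128-character timestamp lookahead, and whether two records that differ only in request id and time still share their first 256 bytes; it also shows a forwarder-side pre-processor that hoists "time" to the front of each record. The audit records and their field lengths are constructed for the demonstration.

```python
import json

# Splunk defaults quoted in the issue: timestamp lookahead and CRC window.
TIMESTAMP_LOOKAHEAD = 128   # characters examined for a timestamp
CRC_WINDOW = 256            # bytes hashed to decide "already forwarded"

def make_record(time_first: bool, req_id: str, ts: str) -> str:
    """Build a constructed audit record in either field order (not real Vault output)."""
    auth = {"accessor": "hmac-sha256:" + "a" * 240, "display_name": "root",
            "policies": ["root"], "token_type": "service"}
    request = {"id": req_id, "operation": "read", "path": "secret/data/app"}
    if time_first:
        fields = {"time": ts, "auth": auth, "request": request, "type": "response"}
    else:
        fields = {"auth": auth, "request": request, "time": ts, "type": "response"}
    return json.dumps(fields, separators=(",", ":"))

def time_offset(line: str) -> int:
    """Character offset of the "time" key in the raw line, or -1 if absent."""
    return line.find('"time":')

def time_visible(line: str, lookahead: int = TIMESTAMP_LOOKAHEAD) -> bool:
    """True if a forwarder scanning only `lookahead` characters would find the key."""
    off = time_offset(line)
    return 0 <= off < lookahead

def hoist_time_first(line: str) -> str:
    """Re-emit a record with "time" as the first key; other keys keep their order."""
    rec = json.loads(line)
    if "time" not in rec:
        return line
    reordered = {"time": rec["time"]}
    reordered.update((k, v) for k, v in rec.items() if k != "time")
    return json.dumps(reordered, separators=(",", ":"))

def crc_prefix_collides(a: str, b: str, window: int = CRC_WINDOW) -> bool:
    """True if two distinct records share their first `window` bytes."""
    return a != b and a.encode()[:window] == b.encode()[:window]

def demo() -> dict:
    """Compare the pushed-back layout with the hoisted layout on two constructed records."""
    old = [make_record(False, "req-1", "2025-08-06T13:52:53.595695Z"),
           make_record(False, "req-2", "2025-08-06T13:52:54.000000Z")]
    fixed = [hoist_time_first(line) for line in old]
    return {"time_visible_before": time_visible(old[0]),
            "time_visible_after": time_visible(fixed[0]),
            "crc_collision_before": crc_prefix_collides(*old),
            "crc_collision_after": crc_prefix_collides(*fixed)}

if __name__ == "__main__":
    print(demo())
```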