This is actually an easy answer and is best explained from Windows and Linux.
In WIndows there are a many different authentication events/"event codes" including 680/681, 4768, etc. These values should be stored in the "signature_id" field. The "signature" field is a description of these so would have something like:
for 680, "older Windows login failure"
for 681, "older Windows login success", etc.
See the Windows TA for details.
In linux there is not really a "signature_id" but there are definitely different types of logins so the strings from the audit logs are stored in "signature" so that the different types can be distinguished from one-another.
See the *NIX TA for details.