Red Hat Enterprise Linux and its extended family, Fedora, CentOS, and the rest of the gang, include a fairly new kernel logging subsystem called auditd. auditd has three components: auditctl, ausearch and aureport. auditctl is the auditing daemon, ausearch is a search tool, and aureport is for formatting the data into nice neat columns.
auditd works for any LSM (Linux security module)-based subsystems, such as SELinux. It can record virtually all kernel activity, such as logins, executables, users, file access, syscalls, and any event types from applications that have been designed to send them.
Test-based tools are okay, but graphs are usually better when you need to analyze large globs of logging data. This is a sample of the raw data from /var/log/audit/audit.log:
type=CONFIG_CHANGE msg=audit(1202382129.956:8): audit_backlog_limit=320 old=64 by
21. 02/07/2008 03:05:50 carla :0 ? /usr/sbin/gdm-binary 29 22. 02/07/2008 03:05:50 carla :0 localhost.localdomain /usr/sbin/gdm-binary 30 23. 02/07/2008 03:10:52 carla ? ? /usr/sbin/userhelper 31 24. 02/07/2008 03:10:52 carla ? ? /usr/sbin/userhelper 32