pam_tty_audit output different for root vs a general user
Using CentOS 6.3 but will want to do the same on other flavors like Ubuntu and Debian.
Trying to capture information entered in an SSH session. Works great for login: root
Does not work so well for su or login as a general user.
Login as Root output:
aureport --tty
1. 09/05/2012 10:14:01 20776 0 ? 1416 bash "ls",<ret>
2. 09/05/2012 10:14:08 20780 0 ? 1416 bash "exit",<ret>
Great: One command per line.
su output:
aureport --tty
31. 09/05/2012 10:36:47 20977 0 ? 1417 bash "su mike",<ret>
32. 09/05/2012 10:36:51 20983 0 ? 1417 bash "ls",<ret>,"ls",<ret>,"exit",<ret>
Not so good. All commands in one entry.
login as a general user output:
34. 09/05/2012 10:37:10 21012 500 ? 1427 bash "ls",<ret>,"ls",<ret>,"pwd",<ret>,"mdc",<ret>,"exit",<ret>
Not so good. All commands in one entry.
What am I missing? What do I need to do to get one command per entry (like the root case) vs. all commands in one entry?
Below is the sshd pam config file. Do I need to modify other files as well like: su, login, etc.?
I have also noticed if I try to use: enable=* it does not work for ALL users. I must specify the user list: enable=root,mike
Any thoughts?
sshd pam.d file:
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_tty_audit.so enable=root,mike
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
Thanks,
Mike
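
Added example, not part of the original post: a post-processing sketch that splits each `aureport --tty` record into one command per row, so the root, su and general-user records above can be reviewed in the same shape. It does not change how pam_tty_audit groups keystrokes. The function names and the handling of `<nl>` and `<backspace>` are assumptions of this example, and the sample input is constructed from the records quoted in the post.

```python
import re

# Constructed sample input: record shapes copied from the post above.
SAMPLE = '''\
1. 09/05/2012 10:14:01 20776 0 ? 1416 bash "ls",<ret>
32. 09/05/2012 10:36:51 20983 0 ? 1417 bash "ls",<ret>,"ls",<ret>,"exit",<ret>
34. 09/05/2012 10:37:10 21012 500 ? 1427 bash "ls",<ret>,"ls",<ret>,"pwd",<ret>,"mdc",<ret>,"exit",<ret>
'''

# Columns: number, date, time, event id, auid, terminal, session, command, data
RECORD = re.compile(
    r'^(?P<num>\d+)\.\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<event>\d+)\s+'
    r'(?P<auid>\S+)\s+(?P<term>\S+)\s+(?P<sess>\S+)\s+(?P<comm>\S+)\s+(?P<data>.*)$')
# A data token is a quoted run of typed text or a named key such as <ret>.
TOKEN = re.compile(r'"(.*?)"(?=,|$)|<([^>,]+)>')

def split_commands(data):
    """Split one keystroke field into commands, ending each at <ret> or <nl>."""
    commands, current = [], ''
    for text, key in TOKEN.findall(data):
        if key in ('ret', 'nl'):           # assumption: both end a command line
            if current.strip():
                commands.append(current)
            current = ''
        elif key == 'backspace':           # assumption: deletes the last character
            current = current[:-1]
        elif key:
            current += '<%s>' % key        # other named keys are kept, not interpreted
        else:
            current += text
    if current.strip():
        commands.append(current)           # keystrokes with no <ret> in this record
    return commands

def per_command(report):
    """Return (date, time, auid, session, command) rows, one per command.
    The timestamp is the audit record's, shared by every command in it."""
    rows = []
    for line in report.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue                       # report header, separators, blank lines
        for cmd in split_commands(m.group('data')):
            rows.append((m.group('date'), m.group('time'),
                         m.group('auid'), m.group('sess'), cmd))
    return rows

if __name__ == '__main__':
    for row in per_command(SAMPLE):
        print(' '.join(row))
```

Commands split out of one record all carry that record's timestamp, so ordering within a record is preserved but per-command times are not recoverable from this output.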