Keystroke logging for X windows???
The graphical environment makes it difficult. You must capture the user event streams separately for each application/window, otherwise your log is not going to be very reliable. Remember that the user can use the mouse to switch between applications at any time.
(If you capture the keystrokes for all the windows in one stream, it is easy to trick you: just type "rm -f", switch to another window, type four backspaces and "ls -l", switch back to the first window and add a filename. The log will show you executed "ls -l filename" when you actually did a "rm -f filename".)
If you need auditability, you can get more meaningful results with application-level logging. Analyzing an OS-level log will often be major detective work with uncertain results. With a GUI application, you'd need to figure out what was written into which field and whether the thing under the mouse when the user clicked was "OK", "Cancel" or something else entirely.
A properly-designed logging function in an application might produce a log event "at time T, userid A placed in the system an order for X units of product P for client C"... which would be exactly the kind of information you need.
Keystroke logging is useful if the user interface is simple and strict enough so that the actual event can reliably be reconstructed from the logs. With a GUI environment, this is not necessarily true.
Consider what you're collecting the logs for: is it just to satisfy an abstract bullet point or is it so you can provide a 100% conclusive answer when some authority (big boss, police, government official...) requires it from you?
MK
