Okay. I still don't think there's a "nice" answer, but maybe this'll provide some ideas.
One thing you're probably going to want to do is read /etc/syslogd.conf to see where the different syslog facilities/priorities are going. The *standard* for a lot of stuff may be /var/adm/syslog/syslog.log, but it can be changed (and isn't the only location even in a default configuration).
One idea is to collect a bunch of syslogs from different places and go through them. syslogd writes in a specific format and you should be able to pluck out command names.
Things that write there (in a default config) include: syslogd, vmunix, nettl, rpcbind, inetd, xntpd, diagmond, su, cmcld, cmclconfd, cmtaped, telnetd, cmsrvassistd, cmlvmd, Networker daemons. Sorry, those aren't all base OS commands, but while I was at it... ;)
AFAIK, the login command will not write to syslog; it writes to /var/adm/wtmp and (if configured) /var/adm/btmp. The last (successful) and lastb (unsuccessful) commands will read those files. I *believe*, but am not sure, that things using /usr/bin/login are: getty(1m), login(1), telnetd(1m), rlogind(1m). I'm not immediately sure about rexecd and remshd, etc.
HTH.
--M????a
