The syslog file is commonly sent to a separate server (see /etc/syslogd.conf and the man pages) for security. The rest of the files (wtmp, btmp, sulog, etc) will have to be cron-copied to another server every few minutes. It would be best to use rsync to avoid excessive network traffic.
It is reasonable to require login as a normal user and then su but as mentioned, sudo is MUCH MORE preferred in the security community. The reason is that you can limit the commands allowed for specific users and every command is logged. As far as other users logging in as root, there are some sysadmins (totally paranoid) that do not allow root login ever and enforce this by changing the root password every 5 minutes to another (unknown) random string. Sysadmins must use sudo for all tasks.
As you are seeing, human nature takes over when unreasonable and inconsistent rules make the job intolerable. Users will secretly share passwords, they will wipe out or overlay .sh_history (in case anyone is looking), they will (if alloed) use sudo to run /usr/old/bin/sh which is the Bourne shell to by pass .sh_history but still have root access.
And of course, the auditors have told your managment that additional people are required to check on everything everyday, to read every signed paper about root access for appropriateness, to have regular reviews of all sysadmin tasks, to prepare reports for the auditors and upper management, and if these audits are for SOX compliance, upper management must sign off on all the reports indicating that they understand and approve each task. (they don't? hummmm)
And of course, all these requirements must be applied to a PC-based and mainframe systems too (they aren't? hummmm).
Bill Hassell, sysadmin
