with grsecurity and "CONFIG_GRKERNSEC_EXECLOG" enabled you'll get the command, args, and remote ip logged like:
May 27 16:21:20 HOSTNAME kernel: grsec: From IP_ADDR: exec of /bin/ls (ls --color=tty -a -l -t --color=none ) by (bash:6321) UID(253) EUID(253), parent (bash:17991) UID(253) EUID(253) This snip is from running: 'ls -a -l -t --color=none'
