Hi Guys,
1) We have an MDS setup with TACACS enabled on it.
2) Whenever users log in to the gateway CLI, we are unable to see the logs in SmartView Tracker --> mgmt tab.
3) Earlier it showed when the user logged in and what the user changed on the CLI.
4) Now we can see only the login and logout logs for the SmartConsole, not for the gateway CLI.
5) We are using R77.30.
Is there any way we can troubleshoot it?
You will see in mgmt tab only logs related to MDS / CMA (for example policy push, creation/modification/deletion of rule, ...).
If you want to see what happened on CLI of gateway, check /var/log/messages.
For login (authentication) logs, check /var/log/secure.
Only problem with the /var/log/messages file is the size and the number of saved revisions, which defaults to 64KB and 4 files. This can be easily adjusted with the command:
/bin/log_start limit 0 8388608 10
This will set the filesize to 8MB and the number of files to 10.
You could use the following command to display all login and logout entries:
cat message* | grep User
Or configure a syslog server and send all syslog messages to it for further checks and a better solution (filtering based on facility or severity).
Try:
And maybe customize syslog as per sk92798 might be useful?
Possibly, but I'm not sure how: The solution does allow for creation of additional syslog facilities and adjustments to the logs written to those, but I do not know how to specify which facility will be writing those messages to the CPlog.
If i have time, I'll test in my VM lab environment.
Thanks! Let us know what you'll find out.
That works partially. Just added a line to /etc/syslog.conf
user.info /var/log/messages
Log in is logged (log out as well)
Time: 2018-08-09T06:17:57Z
Id: 0a012804-8d8e-b307-5b6b-f8b500280000
Id Generated By Indexer:true
First: true
Sequencenum: 2
Default Device Message: <86>sshd[12082]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Facility: security/authorization messages
Syslog Severity: Informational
Product Category: OS
User: admin
Login Status: succeeded
Action: Log In
Type: Log
Blade: Linux OS
Origin: gw
Product Family: Network
And I see clish activity, for instance when deleting a route:
Time: 2018-08-09T06:18:26Z
Id: 0a012804-8d0e-b407-5b6b-f8d20018000e
Id Generated By Indexer:true
First: true
Sequencenum: 2
Default Device Message: <13>clish[12138]: cmd by admin: Processing : set static-route 1.2.3.4/32 nexthop gateway address 1.1.1.1 off (cmd md5: 95155c9669bb592dc869622678b8c821)
Facility: user-level messages
Syslog Severity: Notice
Type: Log
Blade: Syslog
Origin: gw
Product Family: Network
Description:
But I don't see expert level activity. I just set an interface down using ifconfig and up again, and nothing is displayed in syslog/SmartLog.
I don't know if more can be enabled; it was just a quick test, because I was interested.
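Added example (not part of the thread and not Check Point tooling): a shell filter that extracts the two event types shown in the post above, PAM session open/close and clish "cmd by" lines, from syslog-format text and prints who did what. The function names, the timestamp/host prefixes and the ntpd line are constructed assumptions; the message bodies follow the samples in the post.

```shell
#!/bin/sh
# Constructed sample input. Message bodies mirror the two samples in the
# post; timestamp/host prefixes and the ntpd line are made up for the demo.
sample_log() {
cat <<'EOF'
Aug  9 06:17:57 gw sshd[12082]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Aug  9 06:18:01 gw ntpd[2211]: synchronized to 192.0.2.10, stratum 2
Aug  9 06:18:26 gw clish[12138]: cmd by admin: Processing : set static-route 1.2.3.4/32 nexthop gateway address 1.1.1.1 off (cmd md5: 95155c9669bb592dc869622678b8c821)
Aug  9 06:21:40 gw sshd[12082]: pam_unix(sshd:session): session closed for user admin
EOF
}

# Reads syslog lines on stdin; prints user<TAB>event<TAB>detail per audit event.
# The parser keys on the program tag and message text, not the timestamp layout.
audit_summary() {
    awk '
    # clish audit: "clish[pid]: cmd by USER: Processing : COMMAND (cmd md5: HASH)"
    match($0, /clish\[[0-9]+\]: cmd by [^:]+: Processing : /) {
        user = substr($0, RSTART, RLENGTH)
        cmd  = substr($0, RSTART + RLENGTH)
        sub(/^clish\[[0-9]+\]: cmd by /, "", user)
        sub(/: Processing : $/, "", user)
        sub(/ \(cmd md5: [0-9a-f]+\)[ \t]*$/, "", cmd)   # drop trailing hash
        printf "%s\tclish\t%s\n", user, cmd
        next
    }
    # PAM session: "pam_unix(SERVICE:session): session opened|closed for user USER"
    match($0, /pam_unix\([^)]*:session\): session (opened|closed) for user [^ ]+/) {
        m = substr($0, RSTART, RLENGTH)
        event = (m ~ /session opened/) ? "login" : "logout"
        sub(/^.* for user /, "", m)
        printf "%s\t%s\t-\n", m, event
    }
    '
}

# Demo run on the constructed sample; on a gateway, feed it /var/log/messages*
# and /var/log/secure* instead.
sample_log | audit_summary
```

As the post reports, expert-mode commands such as ifconfig do not produce these messages, so they will not appear in this summary.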
Is there a way to search SmartConsole for specific changes? For example, I changed a DNS entry via Gaia web and I can see it logged in SmartConsole, but I can't return the specific log via any kind of specific search -- i.e. my username, or "DNS" or anything really.