You do not need auditing.
All system access should go through PAM. The standard PAM logging is already a (wrong) comment in /etc/syslog.conf:
Activated it looks like this:
auth.info ifdef(`LOGHOST', /var/log/authlog, @loghost)
Caution, the big space consists of TABs!
kill -HUP or reload/restart the syslogd.
It makes sense to add a rotation to /etc/logadm.conf, for example:
authlog -C 4 -a 'pkill -HUP syslogd' /var/log/authlog
Being in /etc/logadm.conf - I recommend to also rotate wtmpx (for the last
command):
/var/adm/wtmpx -C 12 -c -p 1m -s 10m