Your comments

In addition, to enable the rest of the tabs, we must enable the Remove, which allows the command history to be cleared.... which is problematic for tracking how machines got to their state.

Trying to figure a method to be able to query login events directly for quick and dirty reporting, rather than through a 3rd party (a la Syslog as you laid out).

Thanks Cody - I see it in the web GUI - is there a API method created and documented to be able to call the audit query programmatically yet?