This is an auditd-based ruleset for carefully monitoring user accounts. It is useful for ensuring that service accounts, for example a www-data type user, aren't being used interactively.
Take a look at audisp-json and consider streaming the events into Logstash.
Look at all of the files in the repository; they are laid out as they would need to be on a system. And of course, build and install audisp-json ...
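
As an added illustration of checking for interactive use of a service account (not code or rules from this repository), the following script scans raw audit.log SYSCALL records and flags those where a service account's UID appears together with a set login UID (auid) or a controlling TTY. The sample records, the key name "svc_exec" and the UID mapping are constructed assumptions.

```python
import re

# Constructed sample records in raw audit.log form; the key "svc_exec" is hypothetical.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:101): arch=c000003e syscall=59 success=yes exit=0 ppid=812 pid=901 auid=4294967295 uid=33 gid=33 euid=33 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" key="svc_exec"
type=SYSCALL msg=audit(1700000100.456:102): arch=c000003e syscall=59 success=yes exit=0 ppid=1500 pid=1501 auid=1000 uid=33 gid=33 euid=33 tty=pts0 ses=7 comm="bash" exe="/usr/bin/bash" key="svc_exec"
type=SYSCALL msg=audit(1700000200.789:103): arch=c000003e syscall=59 success=yes exit=0 ppid=1500 pid=1502 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=7 comm="ls" exe="/usr/bin/ls" key="svc_exec"
"""

# Assumption: service accounts to watch, keyed by UID (33 is www-data on Debian/Ubuntu).
SERVICE_UIDS = {"33": "www-data"}
# Raw logs show an unset login UID as 4294967295; interpreted output shows "unset".
UNSET_AUID = {"4294967295", "-1", "unset"}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def interactive_use(lines, service_uids=SERVICE_UIDS):
    """Return findings for service-account syscalls tied to a login session or TTY."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("uid") not in service_uids:
            continue
        # auid is stamped at login and survives su/sudo; daemons started at boot keep it unset.
        logged_in = rec.get("auid", "unset") not in UNSET_AUID
        has_tty = rec.get("tty", "(none)") != "(none)"
        if logged_in or has_tty:
            findings.append({
                "account": service_uids[rec["uid"]],
                "auid": rec.get("auid"),
                "tty": rec.get("tty"),
                "exe": rec.get("exe"),
            })
    return findings


if __name__ == "__main__":
    for finding in interactive_use(SAMPLE_LOG.splitlines()):
        print(finding)
```

Jobs scheduled for the account through cron may also carry a set auid, so expect to allowlist those before alerting on the output.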