The host operating system (VMware ESX) is mostly used for administrative and operational management of the underlying virtual infrastructure. SOX, HIPPA etc are mostly related to the applications that run on the guest operating systems and the compliance measures are the same as if the environment is in physical boxes. As a best practice, I recommend to avoid installing any application on ESX server.
Snare agent: an open-sourced event logs to syslog converter. Works like a charm.
That way, you'll be able to monitor user login in/outs, login failures, etc.
As for user monitoring,
This will make complete reports of user activity.
Hope this helps.
Many people find it convenient to impose SOX logging restrictions on the ESX Server as well as the guests. While some people comment on the guests in this thread, the ESX Server requires some attention as well.
If you have a SOX Linux Team available in your company, contact them, as they have already determined what is necessary. If you do not, at the very least I would to the following:
Restrict Root access.
Give each 'ADMIN' a separate user account in the wheel group
Use SUDO to record everything an ADMIN does. Do not allow anyone
to login directly as root. SUDO records commands in /var/log/messages
Backup the logfiles to tape or send them to your syslog server.