2011-06-23
10:24 AM
Linux security events to look out for
Does anybody wish to share which specific Red Hat Linux security-related events to look out for (i.e. worthy of a correlation rule or a report), besides authentication events or user account management?
1 Reply
2011-06-23
01:30 PM
I take it that you are already looking at sudo actions. The other things you may want to look for are service failures and service/server reboots/restarts: a service restarting or a server rebooting outside of when you would normally expect it to occur.
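One way to turn the suggestion in the reply above into a correlation rule, as an added example that is not part of the original thread. The 02:00-04:00 maintenance window, the message patterns and the sample log lines are all assumptions constructed for illustration; adjust them to what your hosts actually log.

```python
import re
from datetime import time

# Assumed maintenance window (hypothetical): 02:00-04:00 local time.
WINDOW_START, WINDOW_END = time(2, 0), time(4, 0)

# Assumed message patterns; adjust to what your hosts actually log.
PATTERNS = {
    "reboot": re.compile(r"shutdown\[\d+\]: shutting down for system (reboot|halt)"),
    "service_restart": re.compile(r"sudo: .*COMMAND=/sbin/service \S+ (restart|stop|start)"),
    "service_failure": re.compile(r"init: \S+ main process \(\d+\) (terminated|killed)"),
}
# Classic syslog prefix: "Mon DD HH:MM:SS host message"
LINE = re.compile(r"^\w{3}\s+\d+ ([01]\d|2[0-3]):([0-5]\d):([0-5]\d) (\S+) (.*)$")

def find_unexpected(lines):
    """Return (host, kind, HH:MM:SS) for events worth an alert."""
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a syslog-style line; skip rather than guess
        hh, mm, ss, host, msg = m.groups()
        when = time(int(hh), int(mm), int(ss))
        in_window = WINDOW_START <= when < WINDOW_END
        for kind, pattern in PATTERNS.items():
            if pattern.search(msg):
                # Restarts and reboots inside the window are treated as planned;
                # a failure is reported whenever it happens (a choice made here).
                if kind == "service_failure" or not in_window:
                    alerts.append((host, kind, when.isoformat()))
                break
    return alerts

# Constructed sample lines, not taken from a real host.
SAMPLE = [
    "Jun 23 02:15:01 web01 shutdown[2231]: shutting down for system reboot",
    "Jun 23 13:05:11 web01 shutdown[4410]: shutting down for system reboot",
    "Jun 23 02:30:00 db01 sudo:      ops : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/sbin/service httpd restart",
    "Jun 23 13:20:42 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/service httpd restart",
    "Jun 23 03:10:09 db01 init: myapp main process (912) terminated with status 1",
    "Jun 23 13:21:00 db01 sshd[999]: Accepted password for alice from 192.0.2.10 port 5000 ssh2",
]

if __name__ == "__main__":
    for alert in find_unexpected(SAMPLE):
        print(alert)
```

The same window test can be expressed as a time-of-day condition in a SIEM correlation rule once these events are parsed into fields.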
