Some thoughts ..
I'm not sure how paranoid I should be able false-positives now, (I accept false-negatives easily enough).
Using node.js is pretty good for making toy servers, and on that basis here's another toy server:
This is a small server which is designed to accept HTTP-POSTs containing a payload of a message, these are stored and later retrieved. Seems like a simple thing, right? Imagine how it is used:
root@server1:~# record-log Upgraded mysql root@server2:~# record-log Tweaked /etc/sysctl.conf root@server3:~# record-log Added user 'bob' root@server3:~# record-log Added user 'steve'
root@server3:~# get-recent 18.104.22.168 2013-09-28T08:08:09.211Z root:Added user 'bob' 22.214.171.124 2013-09-28T08:08:10.211Z root:Added user 'steve'
In short it makes it easy to record "activity", and later retrieve it. A host can only fetch the entries it stored, but if you've got access to the remote server then you can get all logs.
I suspect a more standard solution is to use syslog-ng, and logger, or similar. But it is a cute hack and I suspect if you've the discipline to record actions then this is actually reasonably useful.