First level: simply create audit trail of gross application events, like starting a service, closing an application, etc.
Second level: intra-app events.
Third level: keyboard and mouse (input) audit.
Combine with a time machine style storage snapping.
