Hi Nathan
As usual its "horses for courses". If you are using a AAA server (such as ACS) to secure access to your routers - then the best practice is to log both session and command accounting to AAA also.
In that way the ACS server will be logging both succesful and failed login/command authorisation attempts AND the session/command accounting.
All this gets logged to standard CSV files for off-line processing in Excel or rather better... something like extraxi aaa-reports!
syslog, on the other hand, is a fire and forget, non standard and somewhat arcane method of logging. Being UDP its "fire and forget" and therefore not as reliable as TACACS+
SOX now effects most large co's and access to network infrastructure (& hence audit of) is becoming vital.
Darran