The auditd log is what captures those events in Linux, and LEM has a reader for the auditd.log. The only trick is that different distros may move auditd.log around or change the name, so you'll have to make sure you specify the correct path and file in the connector configuration.
In Centos 7 it's in /var/log/audit/audit.log, for example.
