Thinking about this, I'm wondering if I could take the timestamp from a config (change occurred and we pulled an updated config for RTN), select messages from the syslog db that have a near-matching timestamp and parse those messages only to find user information. I might be able to narrow it further by using the combination of timestamp and node IP to select messages.
Another approach would be to either forward or log the messages somewhere through the alert as the messages come in and compile the results as needed.
Any thoughts on either of these approaches?
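
The first approach above, as an added example that is not part of the original post: select syslog rows for one node inside a time window around the config download and parse only those for a username. The table schema, the Cisco IOS-style `%SYS-5-CONFIG_I` message format, the 120-second window and all sample rows are assumptions constructed for illustration.

```python
import re
import sqlite3
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample rows: (node_ip, received_at, message). Schema is assumed.
SAMPLE_SYSLOG = [
    ("10.0.0.1", "2024-05-01 10:14:58", "%SYS-5-CONFIG_I: Configured from console by alice on vty0 (192.0.2.10)"),
    ("10.0.0.2", "2024-05-01 10:15:01", "%SYS-5-CONFIG_I: Configured from console by bob on vty1 (192.0.2.11)"),
    ("10.0.0.1", "2024-05-01 10:15:03", "%LINK-3-UPDOWN: Interface Gi0/1, changed state to up"),
    ("10.0.0.1", "2024-05-01 12:40:00", "%SYS-5-CONFIG_I: Configured from console by carol on vty0 (192.0.2.12)"),
]

# Assumed Cisco IOS-style wording; other platforms need their own pattern.
USER_RE = re.compile(
    r"Configured from \S+ by (?P<user>\S+)(?: on \S+)?(?: \((?P<src>[^)]+)\))?"
)

def build_db(rows):
    """Load the sample rows into an in-memory stand-in for the syslog db."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE syslog (node_ip TEXT, received_at TEXT, message TEXT)")
    db.executemany("INSERT INTO syslog VALUES (?, ?, ?)", rows)
    return db

def users_near_change(db, node_ip, config_time, window_s=120):
    """Return (timestamp, user, source) for config messages from node_ip
    received within +/- window_s seconds of the config download time."""
    t = datetime.strptime(config_time, FMT)
    lo = (t - timedelta(seconds=window_s)).strftime(FMT)
    hi = (t + timedelta(seconds=window_s)).strftime(FMT)
    # Narrow by node IP and time first, so only a handful of rows get parsed.
    cur = db.execute(
        "SELECT received_at, message FROM syslog "
        "WHERE node_ip = ? AND received_at BETWEEN ? AND ? ORDER BY received_at",
        (node_ip, lo, hi),
    )
    hits = []
    for ts, msg in cur:
        m = USER_RE.search(msg)
        if m:
            hits.append((ts, m.group("user"), m.group("src")))
    return hits

if __name__ == "__main__":
    db = build_db(SAMPLE_SYSLOG)
    for hit in users_near_change(db, "10.0.0.1", "2024-05-01 10:15:30"):
        print(hit)
```

The window has to absorb both clock skew between the device and the collector and the delay between the change and the config download; an empty result for a known change usually means the window is too narrow.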