A problem with physical honeypots is that it's hard to capture
keystrokes. If the bad guys are using ssh to reach the honeypot (and
they probably are since they tend to be very security-conscious),
sniffing the network doesn't help since that traffic is encrypted.
So, you need to capture keystrokes by running something on the
honeypot. This is problematic since you have to assume that it has
been thoroughly compromised, so the logging mechanism may also have
been compromised.

There are various kernel patches and other kludges (such as an
instrumented bash) to implement tty logging on physical honeypots.
They all suffer from the problem that they can be subverted or
disabled if their presence becomes known to the intruder.

UML solves this problem with a patch to the tty driver which logs all
traffic through tty devices out to the host. In contrast to the
physical honeypot logging mechanisms, this is undetectable and
unsubvertable. It causes no network traffic or anything else which
can be detected from within the honeypot. It's also in the UML
kernel, which means it can't be defeated by anything the intruder
might do.
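
As an added illustration (not part of the original page or of the UML code), here is how a host-side reader could rebuild what was typed on each tty from such a log. The record layout, the opcode and direction values, and the names parse_records and keystrokes_by_tty are assumptions made for this example.

```python
import struct
from collections import defaultdict

# Assumed record header for this example (not taken from the page):
# op, tty id, payload length, direction, seconds, microseconds.
HEADER = struct.Struct("<6I")
OP_OPEN, OP_CLOSE, OP_DATA = 1, 2, 3
DIR_READ, DIR_WRITE = 1, 2  # READ = bytes the guest read from the tty (keystrokes)


def parse_records(blob):
    """Yield (op, tty, direction, timestamp, payload); stop at a truncated tail."""
    off = 0
    while off + HEADER.size <= len(blob):
        op, tty, length, direction, sec, usec = HEADER.unpack_from(blob, off)
        start = off + HEADER.size
        if start + length > len(blob):
            break  # record still being appended by the logger; retry later
        yield op, tty, direction, sec + usec / 1e6, blob[start:start + length]
        off = start + length


def keystrokes_by_tty(blob):
    """Return {tty: bytes typed}, using only input-direction data records."""
    typed = defaultdict(bytearray)
    for op, tty, direction, _ts, payload in parse_records(blob):
        if op == OP_DATA and direction == DIR_READ:
            typed[tty] += payload
    return {tty: bytes(data) for tty, data in typed.items()}


def _rec(op, tty, direction, sec, payload=b""):
    """Build one record in the assumed layout (used only for the sample)."""
    return HEADER.pack(op, tty, len(payload), direction, sec, 0) + payload


# Constructed sample log: two ttys interleaved, echoed output, cut-off tail.
SAMPLE = (
    _rec(OP_OPEN, 1, 0, 100)
    + _rec(OP_DATA, 1, DIR_READ, 101, b"unam")
    + _rec(OP_DATA, 1, DIR_WRITE, 101, b"unam")      # echo, not keystrokes
    + _rec(OP_DATA, 2, DIR_READ, 102, b"w\n")
    + _rec(OP_DATA, 1, DIR_READ, 103, b"e -a\n")
    + _rec(OP_CLOSE, 1, 0, 104)
    + _rec(OP_DATA, 2, DIR_READ, 105, b"id\n")[:-2]   # truncated final record
)

if __name__ == "__main__":
    for tty, data in sorted(keystrokes_by_tty(SAMPLE).items()):
        print(f"tty {tty}: {data!r}")
```

Because the log lives on the host, this reader runs entirely outside the honeypot; the truncated final record is skipped rather than misparsed, so the log can be read while the logger is still appending to it.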