

SAMHAIN


Slide 1: SAMHAIN

Slide 2: What is Samhain?
The Samhain host-based intrusion detection system (HIDS) provides file integrity checking and log file monitoring/analysis, as well as rootkit detection, port monitoring, detection of rogue SUID executables, and hidden processes.
Samhain has been designed to monitor multiple hosts with potentially different operating systems, providing centralized logging and maintenance, although it can also be used as a standalone application on a single host.
Samhain is an open-source multiplatform application for POSIX systems (Unix, Linux, Cygwin/Windows).


Slide 3: Centralized Management
Samhain can be used standalone on a single host, but its particular strength is centralized monitoring and management. The complete management of a samhain system can be done from one central location. To this end, several components are required. A full samhain client/server system is built of the following components:
The samhain file/host integrity checker
The yule log server
A relational database
The Beltane web-based console
The deployment system

Slide 4: Host Integrity Monitoring
Samhain is extensible by modules that can be compiled in at the users’ discretion. The following list shows which modules are currently available.
Logfile monitoring/analysis
Windows registry check
Kernel integrity
SUID/SGID files
Open ports
Process check
Mount check
Login/logoff events

Slide 5: Log Facilities
The verbosity and on/off status of each log facility can be configured individually.
Central log server. Messages are sent via encrypted TCP connections. Clients need to authenticate to the server.
Syslog.
Console (if daemon) / stderr.
Log file. To prevent unauthorized modifications of existing log records, the log file entries are signed.
E-mail (built-in mailer). E-mail reports are signed to prevent tampering. It is possible to configure different filters for different recipients.
Database (currently MySQL, PostgreSQL, and Oracle are supported; support for unixODBC is untested).
Execute external program - this can be used to implement arbitrary additional logging facilities, or to perform active response to events.
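
The log file facility above relies on signed entries so that changes to existing records become detectable. The sketch below is an added illustration, not Samhain's code or its on-disk log format: it assumes HMAC-SHA256 with a key that is hashed forward after every entry, and the function names, key and log lines are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample data (not real Samhain output).
SAMPLE_KEY = b"constructed-initial-key"
SAMPLE_LINES = [
    "CRIT POLICY [ReadOnly] /etc/passwd",
    "INFO Checking [SUID files]",
    "WARN Open port 8080/tcp",
    "INFO Login user=alice tty=pts/0",
]

def evolve(key: bytes) -> bytes:
    """One-way key update: an old key cannot be derived from a newer one."""
    return hashlib.sha256(b"evolve" + key).digest()

def sign_entries(initial_key: bytes, messages):
    """Sign each entry with the current key, then move the key forward."""
    key, signed = initial_key, []
    for msg in messages:
        sig = hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()
        signed.append((msg, sig))
        key = evolve(key)
    return signed

def verify_entries(initial_key: bytes, signed):
    """Return the indexes of entries whose signature does not verify."""
    key, bad = initial_key, []
    for i, (msg, sig) in enumerate(signed):
        expected = hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            bad.append(i)
        key = evolve(key)
    return bad

def tamper_demo():
    """Show what a verifier sees after an edit and after a deletion."""
    log = sign_entries(SAMPLE_KEY, SAMPLE_LINES)
    edited = list(log)
    edited[1] = ("INFO nothing to see here", log[1][1])  # rewrite one record
    deleted = log[:1] + log[2:]                           # drop one record
    return {
        "intact": verify_entries(SAMPLE_KEY, log),
        "edited": verify_entries(SAMPLE_KEY, edited),
        "deleted": verify_entries(SAMPLE_KEY, deleted),
    }

if __name__ == "__main__":
    for case, bad in tamper_demo().items():
        print(f"{case}: failing entries {bad}")
```

An edited record fails on its own, while a deleted record makes every later entry fail because the verifier's key sequence no longer lines up with the keys used at signing time.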

Slide 6: Running Samhain
