Checkps is a tool that detects rootkits by identifying discrepancies and fabricated output.
Devialog stands out from other systems by making syslog parsing far less troublesome than it used to be. It is functionally the opposite of standard log monitoring software: Devialog identifies anomalous logs (errors or informational messages that are not in its signature base) and reports them through email or commands. Intrusion detection in devialog is behavior-based, and signatures are created automatically with the included utility, devialogsig.
Reporting can take the form of an email for each anomalous log, a single email for all logs within a defined window, or simply writing all anomalies to a file for periodic review. With devialog, users do not have to build a signature base by hand, as signatures can easily be added later by copying and pasting from the alert email.