Swatch was originally written to actively monitor messages as they were written to a log file via the UNIX syslog utility. It has multiple methods of alarming, both visually and by triggering events. It is the perfect tool for a master loghost. It is known to work flawlessly on Linux (RH5), BSDI, and Solaris 2.6 (patched).
The sysstat package contains the sar, sadf, iostat, nfsiostat, cifsiostat, mpstat, and pidstat commands for Linux. The sar command collects and reports system activity information. The statistics reported by sar concern I/O transfer rates, paging activity, process-related activities, interrupts, network activity, memory and swap space utilization, CPU utilization, kernel activities, and TTY statistics, among others. The sadf command may be used to display data collected by sar in various formats. The iostat command reports CPU statistics and I/O statistics for tty devices and disks. The pidstat command reports statistics for Linux processes. The mpstat command reports global and per-processor statistics. The nfsiostat command reports I/O statistics for network filesystems. The cifsiostat command reports I/O statistics for CIFS filesystems.
Systraq sends you a daily email listing the state of your system. If critical system files or user access files (e.g. ~/.ssh/authorized_keys) have changed, you'll get an email on shorter notice. It consists of a few very small shell scripts. It can help you implement a (not too strict) security policy.
Tailbeep opens a file (-f), seeks to the end, and watches for a string (-s). If the string is found, a beep is sent to the specified tty (-t) device. You can also daemonize (-d) it. It was written to watch /var/log/messages for the DENY string (to catch anyone trying to break into a firewall), but you can use it to watch any open file that gets appended to. You can also create a log if you like, so you can record the events, in long or short mode. Tailbeep requires write access to one of the tty devices on the console.
The tcp_wrappers package allows you to monitor and filter incoming requests for the SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other network services. It provides tiny daemon wrapper programs that can be installed without any changes to existing software or to existing configuration files. The wrappers report the name of the client host and of the requested service. The wrappers do not exchange information with the client or server applications, and impose no overhead on the actual conversation between the client and server applications.
Tcpblocker is for sites that want to limit the number of times an IP address can connect to a tcpserver controlled service like SMTP within a time period. Each time tcpblock runs, it counts how many connections were made per client IP. If an IP exceeds the configurable maximum number of connections within the configurable time period, then tcpblock outputs a standard deny line that can be used to build a tcp.smtp style file. Combined with a cron job and a run script, tcpblocker can be configured to fit into just about any qmail or tcpserver installation.