Whether you want to monitor a single machine or a whole server farm, Samhain is up to the task. With its built-in client/server architecture, powerful logging abilities, and versatile modular structure, it can scale to hundreds or thousands of monitored hosts.
Scalability: Clients pull their baseline databases and runtime configuration from the server when they start up. There are no repetitive downloads. Also, clients perform file integrity verification on their own and only report policy violations back to the server. This avoids both unneccessary traffic as well as bogging down the server with heavy workload.
Security: Local intruders cannot tamper with the baseline database or configuration, which are kept on the server. Client/Server connections are encrypted and authenticated. With OpenPG signed baseline databases and configuration files, an intruder on the server host cannot compromise the validity of file checks performed by clients.
Versatility: Samhain provides a large range of logging facilities, including eMail, syslog, (signed and tamper-resistant) log file, SQL databases (Oracle, MySQL, PostgreSQL), Prelude support, as well as invocation of external programs. Different log facilities can be used in parallel and support individual and seperate message filtering.
Flexibility: Samhain comes with many modules to perform various monitoring tasks, such as checking for open ports, hidden processes (possibly installed by some rootkit), mounts and mount options, or rogue SUID/SGID executables. There is also a module for logfile analysis.
There is a User Forum where you can ask for help or discuss new features or problems related to samhain. There are also two Mailing Lists, one of them (samhain-announce) for the announcement of new releases, the other (samhain-users) for receiving by e-mail any postings in the Samhain User Forum.