Log Collection
  syslog
  Splunk
  ELK
Tools
  rkhunter
  OSSEC
  aide
  tripwire
  mtree
Filesystem
  inotify
  fanotify
  package managers
  YARA
  find
  hashes https://blogs.tensult.com/2018/04/24/fim-and-siem-with-ossec/
Execution
  shell histories
  netlink
  auditd
Memory
  /proc
  Volatility
  avml https://github.com/microsoft/avml
Network
  HASSH
  JA3
  iptables
System Calls
  dtrace (FreeBSD, Solaris)
  SystemTap (Linux)