Securing Linux Against Negligent or Malicious Administrators

Written by Willis McDonald & Vincas Čižiūnas | Apr 22, 2020 1:27:28 PM

Linux monitoring is deceptively difficult. The most common tools for performing it - the Linux audit system, log journals and syslog sources - are, at best, standardized per Linux distribution and, at worst, configured differently on every host in an enterprise environment. File-based logging can be tampered with or spoofed by an intruder who has gained root, while kernel-based subsystems such as auditd carry a real performance cost. Many hosts operate under low-latency or high-throughput requirements, either because of cost-saving measures on equipment or because they run an application that sees high utilization. There are few strong solutions today that keep resource usage low without leaving gaping holes for intruders.