SCO is bad, devialog is good. Check out devialog, an anomaly / knowledge-based syslog intrusion detection system (ids) here: http://devialog.org/