From OSSEC Wiki


Optimization of OSSEC HIDS for full integration with FreeBSD systems

  • All the rules were tested on FreeBSD 6.1

Log analysis

/var/log/userlog

Include these rules in syslog_rules.xml, in the <!-- Adduser messages --> section. The agent must also be configured to read the file (a <localfile> entry for /var/log/userlog in ossec.conf), otherwise no line from it ever reaches these rules. Rule IDs must be unique across all loaded rule files; if your OSSEC release already uses 5905-5908, renumber them (user-defined rules conventionally live in the 100000-119999 range).

  <!-- pw(8) writes "[actor:useradd] name(uid) ..."; '[' and ']' are literal in OSSEC regex -->
  <rule id="5905" level="8">
    <regex>[\w+:useradd] \w+\(\d+\)</regex>
    <description>User added to the system (FreeBSD)</description>
  </rule>

  <rule id="5906" level="8">
    <regex>[\w+:userdel] \w+\(\d+\)</regex>
    <description>User deleted from the system (FreeBSD)</description>
  </rule>

  <rule id="5907" level="8">
    <regex>[\w+:groupadd] \w+\(\d+\)</regex>
    <description>New group added to the system (FreeBSD)</description>
  </rule>

  <rule id="5908" level="8">
    <regex>[\w+:groupmod] \w+\(\d+\)</regex>
    <description>Group modified in the system (FreeBSD)</description>
  </rule>
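To check what the four rules above will and will not fire on before loading them into ossec-analysisd, here is an added example (not code from the OSSEC wiki or the OSSEC project) that translates the OSSEC regexes into Python re and runs them over constructed /var/log/userlog lines. The translation assumes OSSEC's \w covers letters, digits, '@', '-' and '_' (per the OSSEC regex syntax documentation) and that '[' and ']' are literal in OSSEC regex; the sample lines follow the "[actor:objectaction] name(id) ..." shape implied by the rules, with the text after the id being illustrative.

```python
import re

# OSSEC's \w is narrower than Python's: letters, digits, '@', '-', '_'
# (assumption taken from the OSSEC regex syntax docs). Model it explicitly so
# the Python translation matches what ossec-analysisd would match.
OSSEC_W = r"[A-Za-z0-9@_-]+"

# The four rules from the page: (rule id, level, description, pw action token).
RULES = [
    (5905, 8, "User added to the system (FreeBSD)", "useradd"),
    (5906, 8, "User deleted from the system (FreeBSD)", "userdel"),
    (5907, 8, "New group added to the system (FreeBSD)", "groupadd"),
    (5908, 8, "Group modified in the system (FreeBSD)", "groupmod"),
]

# OSSEC pattern "[\w+:useradd] \w+\(\d+\)" becomes a Python pattern with the
# brackets escaped; the capture groups pull out actor, object name and numeric id.
COMPILED = [
    (rid, level, desc,
     re.compile(rf"\[({OSSEC_W}):{action}\] ({OSSEC_W})\((\d+)\)"))
    for rid, level, desc, action in RULES
]


def classify(line):
    """Return (rule_id, level, description, actor, name, numeric_id) for the
    first rule that matches, or None. Like OSSEC regex, the search is
    unanchored, so a date prefix in front of the bracket does not matter."""
    for rid, level, desc, pattern in COMPILED:
        m = pattern.search(line)
        if m:
            return rid, level, desc, m.group(1), m.group(2), int(m.group(3))
    return None


def run_rules(lines):
    """Evaluate every line; return (line, match) for each one that would alert."""
    hits = []
    for line in lines:
        match = classify(line)
        if match is not None:
            hits.append((line, match))
    return hits


# Constructed sample lines (not captured from a real host) in the shape the
# rules expect. One carries a leading timestamp to confirm the unanchored match;
# the last two are operations no rule on the page covers and must not alert.
SAMPLE_LOG = [
    "[root:useradd] backup-svc(1005) home /home/backup-svc made",
    "[2006-09-12 14:32:10 CEST] [root:userdel] olduser(1004) account removed",
    "[admin:groupadd] wheel2(1006)",
    "[root:groupmod] wheel(0)",
    "[root:usermod] backup-svc(1005)",   # usermod: no rule above matches it
    "[root:usershow] backup-svc(1005)",  # read-only query, must stay silent
]

if __name__ == "__main__":
    for line, (rid, level, desc, actor, name, num) in run_rules(SAMPLE_LOG):
        print(f"rule {rid} level {level}: {desc} [{actor} -> {name}({num})]")
```

Running it shows the first four lines alerting and the usermod/usershow lines passing through silently; note that usermod (password, shell or group-membership changes) is a gap in the rule set above if that is something you want to see.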

IPFW firewall
