Michael Starks published a very interesting blog post on why he uses OSSEC:
"Surprisingly, I was getting much more useful information from OSSEC than I did from the commercial HIDS. What OSSEC lacked in presentation, it far made up for in actual useful, actionable information. I got alerts which indicated things I really wanted to know about. And the more I tuned, the more relevant it became. I was expecting to have to make considerable concessions by not using a commercial HIDS; what I didn’t expect was to get far more value for free."
The guys at Hacker Target published a good document on installing OSSEC: http://hackertarget.com/2009/08/ossec-introduction-and-installation-guide/ and Sucuri posted another interesting article showing the benefits of log analysis: http://blog.sucuri.net/2009/08/curiosity-killed-cat.html