I'm going to suggest a few different tools for alerting, monitoring, and securing your infrastructure.
Tripwire is the standard for file integrity, with OSS competitors like Samhain. File integrity solutions tell you about filesystem and file tampering with cryptographic integrity.
ModSecurity is an open source web application firewall commonly used with Apache. A webapp firewall may help in protecting your PHP applications.
Snort and Bro are free IDS. You can easily obtain these via the free Security Onion. Snort is signature-based and Bro is behavior-based.
Splunk might be a good log monitoring solution for everything. It comes in both free and commercial versions with changed feature sets. You can use Security Onion in conjunction with Splunk.
Ideally, you want to run your security services on a separate box from the hosts being monitored. Depending on the size of the infrastructure being monitored, this can be a very low-end box, or just a virtual machine.
If you haven't already, I'd recommend hardening all your infrastructure (network, databases, etc.) too. DISA STIG, CIS, NSA SRGs, things like that. You can script a Bash hardening/auditing script to run each day on all hosts, then send you a copy of the encrypted results. A diff later, and you know what changed.
Alternatively, a more modern solution for doing some of the same might include an automatable configuration management solution such as Puppet, Chef or CFEngine.
My pen testing friends love taking one DB weakness into a compromise of an entire host, or network, so keep in mind the proactive hardening, least privilege, minimization, and, when all else fails, a good incident response company.
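
The daily audit-and-diff idea from the answer above, sketched as an added example that is not part of the original post: it snapshots mode, owner and SHA-256 for every file under a directory, then reports what changed since the previous run. The function names and state-directory layout are hypothetical, GNU `stat` and `sha256sum` are assumed, and encrypting and shipping the results is left out.

```shell
#!/bin/sh
# Added example (not from the original answer). Assumes GNU stat + sha256sum.

# audit_snapshot ROOT: one line per regular file: "mode uid:gid sha256 ./path"
audit_snapshot() {
    [ -d "$1" ] || return 1
    ( cd "$1" && find . -xdev -type f -exec sh -c '
        for f; do
            printf "%s %s %s\n" "$(stat -c "%a %u:%g" "$f")" \
                "$(sha256sum < "$f" | cut -d" " -f1)" "$f"
        done' sh {} + ) | LC_ALL=C sort -k4
}

# audit_changes OLD NEW: the "diff later" step, reduced to one line per path.
audit_changes() {
    awk '
        { meta = $1 " " $2 " " $3; path = $0
          sub(/^[^ ]+ [^ ]+ [^ ]+ /, "", path) }   # path may contain spaces
        FILENAME == ARGV[1] { old[path] = meta; next }
        { seen[path] = 1
          if (!(path in old)) print "ADDED " path
          else if (old[path] != meta) print "CHANGED " path }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2" | LC_ALL=C sort
}

# audit_risky SNAPSHOT: flag setuid/setgid and world-writable files.
audit_risky() {
    awk '
        { path = $0; sub(/^[^ ]+ [^ ]+ [^ ]+ /, "", path) }
        length($1) == 4 && substr($1, 1, 1) ~ /[2-7]/ { print "SETID " path }
        substr($1, length($1), 1) ~ /[2367]/ { print "WORLD_WRITABLE " path }
    ' "$1"
}

# audit_run ROOT STATE_DIR: snapshot, report changes since last run, rotate.
# Keep STATE_DIR on the separate monitoring box: a baseline stored on the
# audited host can be rewritten by whoever tampered with the files.
audit_run() {
    mkdir -p "$2" && touch "$2/prev"
    audit_snapshot "$1" > "$2/cur" || return 1
    audit_changes "$2/prev" "$2/cur"
    mv "$2/cur" "$2/prev"
}
```

Run from cron as, for example, `audit_run /etc /var/lib/audit-state`; the first run reports every file as ADDED, and later runs print only the differences.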