Syslog

Syslogging (ensures you got data even if the box is wiped)

Host anomaly detection

Bacula MD5 save jobs

tripwire

chkrootkit / rkhunter (minimum protection of system environment, rootkit detection)

OSSEC Client

Central IDS

OSSEC

Snort (or newer, faster...)

Professional monitoring

i.e. Symatec (shudder) or R.B.

Sensors

TAPs / SPAN

Setting up honeypots (anybody accessing this system needs to be in high risc class)

IPSĀ 

What to do with your IDS data

Ressource allocation

Understand these things are to be continually monitored and require dedicated manpower to handle. So you need to decide how much time you can put into them and plan by it.