SIEM — Wazuh, Graylog, Security Onion
Open-source SIEMs and the cloud-native paid alternatives.
A SIEM ingests events, correlates, alerts, and stores logs for investigation. Open-source SIEMs caught up to commercial in 2023–26: Wazuh became the de-facto FOSS choice, Security Onion bundles a working IDS+SIEM stack, Graylog Open is the operationally simpler option. For raw log shipping see Log Aggregation. For IR workflow on top of SIEM see Incident Response (TheHive). For detection content see Detection (Sigma / YARA / ATT&CK). For endpoint EDR see EDR / OSQuery.
Open-source SIEMs
- ★ ★ Wazuh — open-source SIEM + XDR + HIDS; agent-based + agentless; OpenSearch backend; built-in CIS / PCI / GDPR / NIST / HIPAA dashboards; FIM, vuln detection, log correlation, MITRE ATT&CK mapping. Free OSS — the 2024–26 default for "we need a SIEM and have no budget."
- ★ Security Onion — Linux distro that bundles Suricata + Zeek + Wazuh + ElasticSearch + TheHive + CyberChef; "SIEM in a box." Free.
- ★ Graylog Open — log management built on OpenSearch; cleaner UX than ELK; free OSS with paid enterprise tier (alerting, archiving, audit log).
- ELK Stack (Elasticsearch + Logstash + Kibana) — the historical default; free under SSPL again 2024.
- OpenSearch + OpenSearch Dashboards — Amazon's permissive ELK fork; the actual OSS path forward.
- Quickwit + Vector — modern stack focused on log search; cheap to run.
- VictoriaLogs — VictoriaMetrics's log store.
- OSSEC (legacy) — Wazuh's predecessor; archive-only really.
Cloud-native SIEM (paid)
- Microsoft Sentinel — Azure-hosted SIEM; KQL-driven; deep M365 / Defender integration; pay-per-GB ingest. Strong in MS-shops.
- Google Chronicle (now Google SecOps) — paid; flat-rate by data volume; UDM normalisation.
- Datadog Cloud SIEM — paid; integrates with Datadog observability.
- Panther — paid; detection-as-code (Python rules); great for engineers.
- Devo — paid.
- Sumo Logic Cloud SIEM — paid.
- CrowdStrike Falcon LogScale (Humio) — paid; query speed champion.
- Splunk Enterprise Security — paid; the legacy heavyweight; pricey.
Splunk specifics
- Splunk Free — limited to 500 MB/day; functional for tiny use cases.
- Splunk Enterprise / Cloud — the standard; expensive but pervasive.
- Splunk Boss of the SOC (BOTS) — free dataset for blue-team training; see Security Training Platforms.
Log shippers (link)
- See Log Aggregation: Vector, Fluent Bit, Grafana Alloy, OTel Collector, Filebeat, rsyslog.
Detection content layer
- See Detection (Sigma / YARA / ATT&CK) — Sigma rule format, sigma-cli, sigma2splunk / sigma2elastic / sigma2sentinel converters.
- Hayabusa / Chainsaw / Zircolite — Sigma-against-Windows-event-logs accelerators; brilliant for one-shot triage and SIEM rule prototyping. See DFIR (Velociraptor).
Architecture patterns
Open-source default 2026:
- Wazuh agents on every endpoint → Wazuh manager → OpenSearch → Wazuh Dashboards.
- Suricata + Zeek for network telemetry → ingest into Wazuh.
- TheHive + Cortex for IR workflow on alerts.
Cloud / hybrid:
- Native cloud trails (CloudTrail / Activity Logs / Audit Logs) → Sentinel or Chronicle.
- Endpoint via Defender / CrowdStrike / SentinelOne.
Engineering-focused:
- Panther's detection-as-code; rules are Python / YAML in a Git repo with PR review.
Common pitfalls
- ★ Ingest sticker shock. Splunk / Sentinel / Datadog scale linearly with $$. Sample, filter, and tier-cold early.
- Alert fatigue. Rules without tuning bury real findings.
- No retention plan. SIEMs at 30-day default lose investigations beyond a month — pick warm/cold tiers (S3, Glacier, OpenSearch Cold) up front.
- Detection coverage drift. Without ATT&CK mapping you don't know what you're missing.
- No agent on the right hosts. SIEM is only as good as its sources.
What to log first
- Auth events (success + fail).
- Privileged commands / sudo.
- Process execution (Sysmon, OSQuery, Wazuh).
- Network connections from servers.
- DNS queries (often the easiest C2 signal).
- File integrity on critical paths.
- Cloud control-plane events.
- Endpoint script-block / PowerShell logging.
Pick this if…
- Default OSS SIEM 2026: Wazuh.
- One-disc bundle (lab / SMB): Security Onion.
- Low-ops log management: Graylog Open.
- MS-heavy environment: Microsoft Sentinel.
- Detection-as-code workflow: Panther.
- Splunk shop: stay; pay; tune ingest.
- Need IR workflow on top: add TheHive + Cortex (see Incident Response).