Choosing a SIEM

What is a SIEM?

Security information and event management (SIEM): a system that collects logs and security events from across a fleet of hosts and services, correlates them into alerts, and gives you one place to investigate and respond to threats.

Open Source Tools

ELK (the Elastic Stack) provides something like a SIEM: Elastic Security on top of Fleet-managed Elastic Agents. I tried it once, and at first it was great, but then it had a lot of issues with my Windows gaming PC and things went wonky due to slow disk performance.

Wazuh is the next candidate. A cursory search of Reddit suggests it's kind of based on ELK: it originally sat on top of the Elastic Stack, and current releases ship their own indexer and dashboard forked from OpenSearch, though alerts can also be forwarded to other backends.

Security Onion gets mentioned a lot when looking at Wazuh, since Wazuh used to ship as part of Security Onion (the 2.4 line dropped it in favour of Elastic Agent). I just figured out Security Onion is a full Linux distro with its own installer ISO, not a package you add to an existing box.

UTMStack: these guys are active on social media (Reddit at least), and they come up often in posts that talk about Wazuh and Security Onion. On the surface it seems like a very nice solution. I like the idea of federated instances to relieve the stress of scaling a little bit.

Current Status

Wazuh is running with a whole bunch of agents now. It's fun to go through and see the things it considers security problems, or see what complaints it has about the systems. It helped me tighten up my Windows Server install, and it lets me monitor VMs, Docker / Podman containers, and even network traffic with another program's assistance (Wazuh doesn't sniff packets itself; it ingests alerts from a network IDS such as Suricata). If I detect a lot of malicious traffic with it, I can use its active response to drop traffic from the offending IPs (assuming things are configured correctly along the stack: the agent, the host firewall, and an allowlist so it never blocks my own management hosts) to make it harder to attack any service.
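The detect-then-block loop from the last paragraph, as an added Python example that is not code from Wazuh or from this page's author. It scans constructed alert lines in the shape of Wazuh's alerts.json, counts sshd authentication failures per source IP inside a sliding window, skips an allowlisted jump host, and renders the iptables rule (and its undo) that a firewall-drop active response would apply. Rule id 5760, the addresses, the threshold, the window and the allowlist are assumptions for the example.

```python
"""Detect-then-block loop over Wazuh-style alerts (stand-alone illustration).

The alert lines are constructed to match the shape Wazuh writes to alerts.json
(timestamp, rule.id, agent, data.srcip); they are not real captures. Rule id
5760 is assumed to be the sshd authentication-failure rule, and the threshold,
window, addresses and allowlist are illustrative values, not a recommendation.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

SSH_AUTH_FAIL_RULES = {"5760"}   # assumed id for "sshd: authentication failed."
THRESHOLD = 5                    # this many matching alerts from one source ...
WINDOW = timedelta(minutes=10)   # ... inside this sliding window => offender
# Sources that must never be blocked, whatever the alerts say (the Wazuh
# equivalent is <white_list> in ossec.conf). Constructed for this example.
ALLOWLIST = [ip_network("192.0.2.0/29")]
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"   # e.g. 2024-03-01T10:00:00.000+0000


def _alert(ts, rule_id, desc, srcip=None, agent="web01"):
    """Render one alerts.json line (constructed sample data)."""
    a = {"timestamp": ts, "rule": {"level": 5, "id": rule_id, "description": desc},
         "agent": {"id": "001", "name": agent}, "data": {}}
    if srcip:
        a["data"]["srcip"] = srcip
    return json.dumps(a)


def sample_alerts():
    """Constructed feed: a fast brute force, a slow trickle, an allowlisted host, noise."""
    fail = ("5760", "sshd: authentication failed.")
    lines = []
    # 203.0.113.10: six failures within one minute -> should be blocked
    lines += [_alert(f"2024-03-01T10:00:{i * 10:02d}.000+0000", *fail, "203.0.113.10")
              for i in range(6)]
    # 198.51.100.7: three failures spread over 30 minutes -> stays under the threshold
    lines += [_alert(f"2024-03-01T10:{m:02d}:00.000+0000", *fail, "198.51.100.7")
              for m in (0, 15, 30)]
    # 192.0.2.5: eight failures in a minute, but it is the jump host (allowlisted)
    lines += [_alert(f"2024-03-01T10:05:{i * 7:02d}.000+0000", *fail, "192.0.2.5")
              for i in range(8)]
    # an unrelated alert with no srcip must be ignored, not crash the parser
    lines.append(_alert("2024-03-01T10:06:00.000+0000", "5501", "PAM: Login session opened."))
    return lines


def parse_alerts(lines):
    """Parse alerts.json lines; attach a datetime under '_ts' for windowing."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        a = json.loads(line)
        a["_ts"] = datetime.strptime(a["timestamp"], TS_FORMAT)
        alerts.append(a)
    return alerts


def _allowlisted(ip):
    return any(ip_address(ip) in net for net in ALLOWLIST)


def offenders(alerts, rule_ids=SSH_AUTH_FAIL_RULES, threshold=THRESHOLD, window=WINDOW):
    """Map source IP -> time it reached `threshold` matching alerts inside `window`.

    Allowlisted sources are dropped before counting, so a misfire can never
    lock the operator out of their own boxes.
    """
    seen = defaultdict(list)
    for a in sorted(alerts, key=lambda x: x["_ts"]):
        src = a.get("data", {}).get("srcip")
        if a["rule"]["id"] not in rule_ids or not src or _allowlisted(src):
            continue
        seen[src].append(a["_ts"])
    hits = {}
    for ip, times in seen.items():              # times are in ascending order
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:    # slide the window's left edge
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = t
                break
    return hits


def firewall_drop_commands(hits, timeout_s=600):
    """Dry-run: (apply, undo, seconds) per offender, in the form a firewall-drop
    active response would use. Rendering text instead of calling iptables keeps
    the example runnable offline. The undo is the part people forget: a block
    with no expiry turns a shared or spoofed source into a self-inflicted outage."""
    return {ip: (f"iptables -I INPUT -s {ip} -j DROP",
                 f"iptables -D INPUT -s {ip} -j DROP",
                 timeout_s) for ip in sorted(hits)}


if __name__ == "__main__":
    found = offenders(parse_alerts(sample_alerts()))
    for ip, (apply_cmd, undo_cmd, secs) in firewall_drop_commands(found).items():
        print(f"{ip}: {apply_cmd}   (then after {secs}s: {undo_cmd})")
```

Run it and only 203.0.113.10 is blocked: the slow trickle never reaches five failures inside ten minutes, and the jump host is skipped before it is ever counted. In Wazuh itself the same three pieces live in ossec.conf: the rule's frequency/timeframe does the counting, an `<active-response>` bound to the rule runs the firewall-drop command with a `<timeout>`, and `<white_list>` holds the addresses that must never be dropped.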