Security Information and Event Management (SIEM) software is a tool that provides a single centralized platform for the collection, monitoring, and management of security-related events and log data from across the enterprise. Because a SIEM correlates data from a wide variety of event and contextual data sources, it can enable security teams to identify and respond to suspicious behavior patterns more effectively than would be possible by merely looking at data from individual systems.
Here is our list of the six best free open-source SIEM tools:
- AlienVault OSSIM EDITOR’S CHOICE This is one of the oldest SIEM systems around but it is very well supported by AT&T, so it is still being improved on solid, reliable code that has been extensively tested in the field. Runs as a virtual appliance.
- ELK Stack A free suite of data collection, sorting, and visualization tools that let you create your own SIEM threat detection rules. Available for Windows, Linux, and macOS.
- OSSEC This tool has good threat detection routines but weak log management functions, so pair it with the ELK Stack for best-of-breed coverage. Agents are available for Windows, Linux, macOS, and Unix, but the server only runs on Linux or Unix.
- Wazuh A fork of OSSEC that has better logfile management services than the original and relies on ELK. Runs on Linux.
- MozDef A basic SIEM for small businesses that integrates ELK Stack. Run it on Docker or CentOS Linux.
- SIEMonster A competent SIEM for small businesses with a paid version for larger organizations. Runs on Docker, Linux, and macOS, or as a virtual appliance.
Security is achieved through a combination of prevention, detection, and response. Most breaches today are failures of detection and response rather than of prevention, and that is where a SIEM earns its place. A SIEM gives organizations a single platform for managing their security issues, especially incident detection and response, insider threat mitigation, and regulatory compliance.
Open Source SIEM Tools
Cost no doubt plays a major factor in most IT decisions. For SMBs, investing in enterprise-grade SIEM tools can be capital intensive. The option of open-source SIEM software has become increasingly popular and adopted by businesses both in the public and private sector. Open source SIEMs have matured considerably over the years and provide basic capabilities that can suit the needs of SMBs that are starting to log and analyze their security event information. It helps to reduce licensing costs and provides an opportunity to evaluate certain capabilities before extending investments to premium products. While it can’t provide the comprehensiveness of enterprise-level solutions, open-source SIEM does offer solid functionality at an affordable rate. This makes it appealing to SMBs and other organizations looking to minimize cost.
Of course, open-source SIEM solutions also have their drawbacks, so it is important to look at some of the downsides associated with them. Listed below are some of the downsides associated with open-source SIEM tools:
- The software may not always be maintained: if the community behind the source code stops updating it, you may be left to bear the burden of maintaining it yourself. You may save money on licensing but end up spending more on continual maintenance.
- Support isn't always available or reliable: with open-source software, support isn't guaranteed, and where it exists it comes without the guarantees of an SLA-backed support contract.
- Because of the volume of aggregated data, most open-source SIEMs leave log storage and retention to you, so you may have to combine the SIEM with other tools to realize the expected benefits.
- Many open-source SIEM solutions lack key SIEM capabilities, such as behavioral analytics, reporting, cross-source event correlation, and remote management of log collectors.
Premium Enterprise SIEM Tools
While the main driver for the adoption of open-source SIEM is reduced license costs, it is important to highlight the fact that license costs are only a fraction of the total cost of ownership of a SIEM solution, especially when other factors like hardware, storage, and human capital are considered. If you are planning on adopting an open-source SIEM software, it’s advised that you carefully consider the pros and cons, and be prepared to accept the risks associated with them.
Premium enterprise SIEM solutions, by contrast, offer smoother installation and configuration, stronger correlation and reporting, machine learning and SaaS options, vendor support backed by an SLA, and many other useful functions. They enable organizations to monitor large-scale data center activity and centrally manage the security of key applications and network infrastructure. Most importantly, enterprise platforms typically offer a choice of on-premises or vendor-managed cloud deployment and the capabilities of a next-generation SIEM. Next-generation enterprise SIEMs come with technologies such as User and Entity Behavior Analytics (UEBA) and Security Orchestration, Automation, and Response (SOAR), which significantly improve the effectiveness of incident detection and response.
We have reviewed and documented some of the best enterprise-grade premium SIEM tools in the market. Some of them such as the SolarWinds Security & Event Manager (SEM) and the ManageEngine EventLog Analyzer offer free trials, which provides an opportunity to evaluate certain capabilities before deciding to invest in the product.
Notwithstanding, premium enterprise SIEM tools are not cheap and many businesses cannot afford them. This is where open-source SIEM tools stand out. With a variety of open-source SIEM tools available, choosing the right one for your business can be challenging: what fits perfectly from a feature and functionality standpoint for one organization may not fit another. To help you decide between the many free and open-source SIEM tools on the market, we've put together a list of the six best. Hopefully, this will guide you in selecting the right one for your business.
Our methodology for selecting a free SIEM system
We reviewed the market for open-source SIEM tools and analyzed the options based on the following criteria:
- Log forwarding to collect log messages from different sources
- Log message consolidation to standardize formats
- Log file management
- A live data feed from SNMP or another network protocol
- Anomaly detection
- A free service that can fully implement SIEM, not a demo package
- A competent SIEM that fully competes with paid rivals
Using this set of criteria, we looked for reliable SIEM systems that have been proven to work in detecting intruders and insider threats.
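The two criteria that matter most in practice are log message consolidation (the first bullet list above) and the cross-source correlation described in the opening paragraph. As an added example that is not code from any of the reviewed products or from the original page, the following Python script does both on a handful of constructed log lines: it normalizes an sshd syslog line, an ECS-style JSON event from a log shipper, and a CSV export of Windows logon events into one schema, then applies a single correlation rule (a successful login from a source IP that just produced a burst of failures on any host). The hostnames, IP addresses, timestamps, and the assumed year for the syslog lines are all made up for the example.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input (not real telemetry): sshd syslog lines from web01,
# JSON events from a log shipper on app02, and a CSV export of Windows logon
# events (4625 = failed logon, 4624 = successful logon) from dc01.
SAMPLE_LINES = [
    "Mar  3 10:01:02 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 50122 ssh2",
    "Mar  3 10:01:05 web01 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 50123 ssh2",
    '{"@timestamp":"2024-03-03T10:01:10Z","host":{"name":"app02"},"event":{"outcome":"failure"},"user":{"name":"root"},"source":{"ip":"203.0.113.7"}}',
    "2024-03-03 10:01:20,dc01,4625,administrator,203.0.113.7",
    '{"@timestamp":"2024-03-03T10:01:25Z","host":{"name":"app02"},"event":{"outcome":"failure"},"user":{"name":"administrator"},"source":{"ip":"203.0.113.7"}}',
    "Mar  3 10:01:30 web01 sshd[2210]: Failed password for root from 198.51.100.9 port 41000 ssh2",
    "2024-03-03 10:01:40,dc01,4624,administrator,203.0.113.7",
    "Mar  3 10:05:00 app02 sshd[2300]: Accepted password for deploy from 198.51.100.9 port 41010 ssh2",
    "kernel: eth0: link is up",  # unrelated noise the pipeline must tolerate
]

SYSLOG_YEAR = 2024  # syslog lines carry no year; assumed for the sample
SSHD_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
WINDOWS_LOGON = {"4625": "failure", "4624": "success"}


def normalize(line):
    """Map one raw line from any supported source onto a common event schema.

    Returns None for lines the pipeline does not understand; a production
    pipeline would route those to a dead-letter index rather than drop them.
    """
    line = line.strip()
    if line.startswith("{"):  # JSON from a shipper such as a Beat
        d = json.loads(line)
        return {"ts": datetime.strptime(d["@timestamp"], "%Y-%m-%dT%H:%M:%SZ"),
                "host": d["host"]["name"], "user": d["user"]["name"],
                "src_ip": d["source"]["ip"], "outcome": d["event"]["outcome"]}
    m = SSHD_RE.match(line)
    if m:  # classic syslog line from sshd
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        return {"ts": ts, "host": m["host"], "user": m["user"], "src_ip": m["ip"],
                "outcome": "failure" if m["result"] == "Failed" else "success"}
    parts = line.split(",")
    if len(parts) == 5 and parts[2] in WINDOWS_LOGON:  # time,host,event_id,user,ip
        return {"ts": datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S"), "host": parts[1],
                "user": parts[3], "src_ip": parts[4], "outcome": WINDOWS_LOGON[parts[2]]}
    return None


def correlate(events, threshold=5, window=timedelta(seconds=120)):
    """Alert when a source IP logs in successfully after at least `threshold`
    failures within `window`, counting failures seen on *any* host."""
    recent_failures = defaultdict(deque)  # src_ip -> deque of (timestamp, host)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent_failures[ev["src_ip"]]
        while q and ev["ts"] - q[0][0] > window:  # expire failures outside the window
            q.popleft()
        if ev["outcome"] == "failure":
            q.append((ev["ts"], ev["host"]))
        elif len(q) >= threshold:
            alerts.append({"rule": "brute_force_then_success", "src_ip": ev["src_ip"],
                           "user": ev["user"], "logged_in_to": ev["host"],
                           "failures": len(q), "hosts_targeted": sorted({h for _, h in q}),
                           "ts": ev["ts"].isoformat()})
            q.clear()  # one alert per attack sequence
    return alerts


def run_sample():
    """Normalize the constructed lines and return the correlated alerts."""
    events = [e for e in (normalize(line) for line in SAMPLE_LINES) if e]
    return correlate(events)


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert, indent=2))
```

Run as a script it prints one alert: the five failures from 203.0.113.7 were spread across three hosts and three log formats, so no single system would have crossed the threshold on its own, and the lone failure from 198.51.100.9 is aged out of the window before that address logs in legitimately. This is the whole value proposition of the correlation engine in every product reviewed below.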
The Best Open-Source SIEM Tools
1. AlienVault OSSIM
The Open Source SIEM (OSSIM) software by AT&T Cybersecurity is billed as the world's most widely used open-source SIEM. OSSIM leverages the AT&T Open Threat Exchange (OTX), which provides open access to a global community of threat researchers and security professionals, allowing users both to contribute and to receive real-time information about malicious activity. AT&T provides ongoing development and maintenance for OSSIM.
Features and capabilities include:
- Asset discovery and inventory
- Vulnerability assessment
- Intrusion detection
- Behavioral monitoring
- SIEM event correlation
Why do we recommend it?
AlienVault OSSIM is a long-running free open-source SIEM. The project has been running since 2003 and relies on a companion system of automated threat reporting called the AlienVault Open Threat Exchange (OTX). The AlienVault company managed the open-source project and set up a paid product, USM Anywhere, in part to fund OSSIM development. AlienVault was acquired by AT&T in 2018, but the original structure of free OSSIM and OTX alongside the paid USM Anywhere is still in place. So, this is a well-managed, fully funded, free, open-source product that is well worth trying.
OSSIM includes key SIEM components such as event collection, normalization, and correlation.
Who is it recommended for?
Anyone can benefit from installing OSSIM and taking part in the OTX project. The tool is free to use and ships as a virtual appliance, so it can run under a hypervisor on a spare server or even a workstation. The tool takes time to learn. However, any small business owner needs to get up to speed with cybersecurity requirements, and the learning process for the AlienVault system provides a good framework for that. Large companies are more likely to be attacked, and dedicating a member of staff to become a specialist in the AlienVault system gives additional protection against external threats. Even if you already have a preferred SIEM for internal threat detection, this tool is worth considering as an additional security measure.
- Ships as a virtual appliance that runs under a hypervisor on any host OS
- Can scan log files as well as provide vulnerability assessment reports based on devices and applications discovered on the network
- User-powered OTX portal allows customers to share threat data to improve the system
- Correlation directives and OTX indicators help administrators hunt down threats
- Single-server deployment only, with limited log management
For organizations looking for a credible open-source alternative to enterprise-grade SIEM tools, OSSIM offers the chance to experience core SIEM functionalities without spending so much on license costs. OSSIM can be deployed on-premises either on physical or virtual environments, but installation is limited to a single server only. Community support is provided via product forums. OSSIM is available for download here.
However, the downside of this open-source tool is that it can be laborious to set up and customize, particularly when the hosts to be monitored run Windows. It also has limited log management, application, and database monitoring. For organizations that are looking for a more complete SIEM solution, AlienVault Unified Security Management (USM) is a cloud-hosted service that delivers the additional functionality needed for effective threat detection, incident response, and compliance management.
AlienVault OSSIM is our top pick for a free open-source SIEM tool because it is the original SIEM – created before the term “SIEM” existed. This package is still free to use but its maintenance and development is fully funded by AT&T Cybersecurity. The combination of ingenuity, long-running experience, and deep pockets makes OSSIM a service that fully competes with paid tools. The combination of OSSIM with its partner system, the Open Threat Exchange (OTX) makes this a comprehensive system that can identify new threats as well as old attack strategies.
Official Site: https://cybersecurity.att.com/products/ossim/
OS: Virtual appliance
2. ELK Stack
The ELK Stack (Elastic Stack) is the world’s most popular log management platform and open-source building block for SIEM. The ELK Stack is popular because it fulfills a key need in the SIEM space. It provides organizations with a powerful platform that collects and processes data from multiple sources, stores that data in one centralized data store that can scale as data grows, and a set of tools to analyze the data. The ELK Stack is developed, managed, and maintained by Elastic.
- Modular suite
- Good log aggregator and file manager
- Adaptable frontend
- Make your own threat detection rules
Why do we recommend it?
The basic ELK Stack is a flexible data-gathering and analysis toolkit. The elements of the suite can be downloaded individually for free, and you then assemble your own SIEM from them. This is a demanding task: you need to parse log messages with Logstash, write searches against Elasticsearch, decide how to present the results in Kibana, and build alerting on top. Learning the capabilities of the stack, planning a SIEM, and then implementing your own custom SIEM with it takes a lot of time.
- Logstash is a log aggregator and parsing tool that collects and processes data from a variety of sources. Logstash plays a critical role in the stack—it allows you to filter, massage, and shape your data in a way that makes it easier to work with.
- Elasticsearch is the storage, full-text search, and analytics engine for storing and indexing time-series data. Its role is so central that it has become synonymous with the name of the stack itself.
- Kibana is the visualization layer that works on top of Elasticsearch, providing users with the ability to analyze and visualize data.
- Beats are lightweight agents installed on edge hosts that collect data and ship it into the stack, either straight to Elasticsearch or via Logstash when the data needs parsing first.
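As an added example (not code from Elastic or from the original page), a minimal Logstash pipeline that ties the four components together: a Beats input and a syslog input, a grok filter that turns sshd authentication lines into structured fields a detection rule can query, and an Elasticsearch output. The hostnames, ports, index name, credential name, and certificate path are assumptions; the option names follow the Logstash 7.x plugin documentation.

```conf
# ssh-auth.conf: one Logstash pipeline for sshd authentication events
input {
  beats  { port => 5044 }   # Filebeat on edge hosts ships /var/log/auth.log here
  syslog { port => 5514 }   # network devices and hosts without Beats send syslog here
}

filter {
  # Only parse sshd password-authentication lines; everything else passes through untouched.
  if [message] =~ /sshd\[\d+\]: (Failed|Accepted) password/ {
    grok {
      match => {
        "message" => "%{SYSLOGTIMESTAMP:syslog_ts} %{SYSLOGHOST:host_name} sshd\[%{POSINT:pid}\]: %{WORD:result} password for (invalid user )?%{USERNAME:user_name} from %{IP:src_ip} port %{POSINT:src_port}"
      }
      add_tag => [ "ssh_auth" ]
    }
    # Replace @timestamp (ingest time) with the time in the log line. Syslog has no
    # year, and a single-digit day is padded with two spaces, hence the two patterns.
    date { match => [ "syslog_ts", "MMM  d HH:mm:ss", "MMM d HH:mm:ss" ] }
    # Normalize the free-text result into a field that searches and rules can match on.
    if [result] == "Failed" {
      mutate { add_field => { "[event][outcome]" => "failure" } }
    } else {
      mutate { add_field => { "[event][outcome]" => "success" } }
    }
    mutate { remove_field => [ "syslog_ts", "result" ] }
  }
}

output {
  elasticsearch {
    hosts    => [ "https://es01:9200" ]
    index    => "auth-%{+YYYY.MM.dd}"
    user     => "logstash_writer"
    password => "${LOGSTASH_PASSWORD}"   # resolved from the Logstash keystore, never hard-coded
    ssl      => true
    cacert   => "/etc/logstash/certs/ca.crt"
  }
}
```

Check the syntax with `bin/logstash -f ssh-auth.conf --config.test_and_exit` before starting it. Lines that do not fit the grok pattern are tagged `_grokparsefailure` automatically, which is worth a Kibana visualization of its own: a rising count there means a log source changed format and your detections have gone quiet. The detection rule itself (a saved search on `event.outcome:failure` grouped by `src_ip`, with an alert on the count) is the part you still have to write, which is the work this section describes.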
Who is it recommended for?
The free ELK Stack is an interesting package and it is in high demand, so individuals who can master the system can use the tool to create a range of applications, not just a SIEM system. It takes a lot of time to manually create a SIEM with the free tools of the Elastic Stack, so for many businesses, it is worth the price of subscribing to the paid packages offered by Elastic. These provide pre-written templates that implement a SIEM and also provide IT asset performance monitoring. A business of any size needs to assess the cost of training up a specialist in ELK and financing the development phase using the free tools against the cost of subscribing to the paid package of ELK.
- Individual components install quickly, though assembling a full SIEM from them does not
- The pipeline syntax and query language are easier to learn than those of some rivals
- Massive community-backed support and plugins
- Supports both cloud and on-premises deployments
- The free tier leaves you to write your own detection content, and the Elastic Cloud trial is only 14 days
ELK can be installed locally on-premises, or on the cloud, using Docker and configuration management systems like Ansible, Puppet, and Chef. For organizations that want to completely avoid investments in onsite infrastructure and human capital, there’s a ready SaaS-based cloud platform called Elastic Cloud (with a 14-day free trial) which includes features such as machine learning, security, and reporting managed by the creators of the stack.
3. OSSEC
Open Source Security (OSSEC) is an open-source host security project founded in 2004. Technically it is a host-based intrusion detection system (HIDS). However, OSSEC has a log analysis engine that can correlate and analyze logs from multiple devices and formats, which lets it function as a SIEM. You can tailor OSSEC to your SIEM needs through its extensive configuration options.
- Works well with ELK
- Threat detection rules
- Adaptable for different source data feeds
Why do we recommend it?
In the world of open-source security, OSSEC is the main rival brand to AlienVault OSSIM. The project has been running since 2004. It is currently managed by Atomicorp, which sells paid additions to the free OSSEC, but the base package is still free to use. OSSEC is a host-based intrusion detection system (HIDS). That covers the log collection and analysis side of a SIEM (the SIM part); a full SIEM also correlates live network activity and other event sources in real time (the SEM part). The free tool provides a system inventory, log processing, file integrity monitoring, and intrusion detection, and it can be set up to run automated responses.
OSSEC runs on Linux, Windows, macOS, Solaris, OpenBSD, and FreeBSD. It is broken into two main components:
- The agents, installed on the monitored hosts, which collect logs, check file integrity, look for rootkits, and forward the results to the server.
- The server, which decodes the incoming data, matches it against its rule set, raises alerts, and can trigger active responses.
In addition to its log analysis capabilities, OSSEC provides intrusion detection for most operating systems and performs integrity checking, Windows registry monitoring, rootkit detection, and alerting.
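As an added example (not from the OSSEC project, Atomicorp, or the original page), a local rule plus an active response that show how the server-side rule engine correlates across sources and then acts. The rule ID 100100, the frequency and timeframe, the timeout, and the whitelisted address 192.0.2.10 are arbitrary choices; `authentication_failed` is the group that OSSEC's bundled rule sets assign to failed logins from sshd, PAM, Windows, and other decoders, and IDs from 100000 upward are reserved for local rules. Wazuh accepts the same rule syntax in /var/ossec/etc/rules/local_rules.xml.

```xml
<!-- /var/ossec/rules/local_rules.xml -->
<group name="local,authentication,">
  <!-- Composite rule: counts every event that any decoder tagged as an
       authentication failure, whatever the host or log format, and fires when
       one source IP produces them at this frequency within 300 seconds. -->
  <rule id="100100" level="10" frequency="8" timeframe="300">
    <if_matched_group>authentication_failed</if_matched_group>
    <same_source_ip />
    <description>Password guessing against multiple hosts from one source IP (local rule)</description>
    <group>attack,</group>
  </rule>
</group>

<!-- /var/ossec/etc/ossec.conf: drop the offending IP at the server's firewall for
     ten minutes. The firewall-drop command is already defined in the stock
     ossec.conf; it is repeated here so the example is complete. -->
<ossec_config>
  <global>
    <!-- Assumed management host: whitelist it so a typo in the rule can never lock you out. -->
    <white_list>192.0.2.10</white_list>
  </global>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>
  <active-response>
    <command>firewall-drop</command>
    <location>local</location>
    <rules_id>100100</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

Feed sample lines through `/var/ossec/bin/ossec-logtest` (`wazuh-logtest` on Wazuh) to confirm that they decode into the `authentication_failed` group before you enable the active response; the frequency counter in OSSEC fires a little above the nominal figure, so tune the number against real data rather than trusting the setting literally. On Wazuh 4.x the shipped executable is named `firewall-drop` without the `.sh` suffix, so check the `<command>` block that comes with your version before copying this one.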
Who is it recommended for?
Even without the paid extras, OSSEC is a useful tool to have. It is easier to set up than OSSIM and its file integrity monitoring is stronger than its major rival's. With a little work, you can feed network device logs into the system over syslog and bring it closer to a full SIEM. If you don't have time to do that, you can pay for the Atomic OSSEC system to get that functionality added. Once you are considering the paid OSSEC, you are in the field of commercial SIEM products and should weigh the rivals in that market, particularly next-gen SIEMs, which we outline in 7 Best Next-Gen SIEM – Updated 2023.
- Runs on a wide range of operating systems: Linux, Windows, Unix, and macOS
- Can function as a combination of SIEM and HIDS
- Rules and decoders are plain XML files that are easy to customize
- Community-built rule sets and decoders allow administrators to get started quickly
- Has no dashboard of its own, so it needs secondary tools like Graylog or Kibana for visualization and further analysis
The OSSEC project is currently maintained by Atomicorp who stewards the free and open-source version and also offers an enhanced commercial version. However, the main pain point of this tool is that it lacks some of the core log management and analysis components of a typical SIEM. This limitation motivated other HIDS solutions like Wazuh to fork OSSEC in order to extend and enhance its functionality and make it a more complete SIEM tool. However, in recent times, Atomicorp has made a lot of changes, upgrades, and enhancements to OSSEC, which has repositioned it to be more competitive.
4. Wazuh
Wazuh is a free, open-source security platform founded in 2015 as a fork of OSSEC. Like OSSEC, it is technically a host-based intrusion detection system (HIDS). Today, Wazuh stands as a distinct solution with over 10,000 open-source community users, including Fortune 100 companies. Wazuh describes itself as "a free, enterprise-ready security monitoring solution for threat detection, integrity monitoring, incident response, and compliance".
- Integrates ELK
- Log aggregator
- Large community
Why do we recommend it?
Wazuh is a nice blend of both OSSEC and the ELK stack – both of which are outlined above. The Wazuh team forked OSSEC and then implemented it with the free on-premises version of the Elastic Stack. The tool is free to use but, like the other open source projects on this list, there is a paid version available, too. The main difference between the free and paid Wazuh is that the paid version is a hosted cloud platform. Wazuh’s big advantages over OSSEC are that it is a full SIEM and it includes an open-source threat intelligence feed, which is similar to the AlienVault OTX service.
The main components of Wazuh are the agent, the server, and the Elastic Stack:
- The Wazuh agent is a lightweight app designed to perform a number of tasks to detect and respond to threats.
- The Wazuh server is in charge of processing and analyzing the data received from the agents, and using threat intelligence to search for known indicators of compromise.
- The Elasticsearch component of the Elastic Stack receives, indexes, and stores the alerts generated by Wazuh, and the Kibana component provides the user interface for visualization and analysis. Note that recent Wazuh releases ship their own OpenSearch-based Wazuh indexer and Wazuh dashboard in place of Elasticsearch and Kibana, so check which pairing the version you are installing expects.
Wazuh is used to collect, aggregate, analyze, and correlate data; helping organizations detect and respond to threats and security incidents, as well as meet compliance requirements without spending so much on license cost. It can be deployed on-premises, hybrid, or cloud environments. It has a centralized, cross-platform architecture that allows multiple systems to be easily monitored and managed.
Who is it recommended for?
Wazuh is a newer, slicker product than OSSEC, though not as well known as its older rival. The free Wazuh system is easier to set up and use than either OSSEC or OSSIM, and its dashboard is far more attractive. It is a well-planned, efficient system that provides performance monitoring and file integrity monitoring as well as threat hunting. Although the agent can collect data from all the major on-premises operating systems and from cloud platforms, the three central server-side components of the free on-premises version are only available for Linux. So, if you only have Windows computers on site, you would be forced to opt for the paid cloud version or look elsewhere for an open-source SIEM.
- Is a lightweight fork of OSSEC
- Integrates into platforms like ELK for a simpler workflow
- Uses a range of technologies to identify indicators of compromise
- Supports in-platform data visualization
- Is fairly comprehensive and can take time to fully understand/explore
A cloud-based premium version known as Wazuh Cloud is also available. Wazuh Cloud centralizes threat detection, incident response, and compliance management across your cloud and on-premises environments. Wazuh Cloud uses lightweight agents that run on monitored systems to collect and forward events to the Wazuh cloud infrastructure, where data is stored, indexed, and analyzed.
5. MozDef
The Mozilla Defense Platform (MozDef) is a set of microservices that can be used as an open-source SIEM. It was created by the Mozilla Foundation in 2014 with the goal of automating the security incident handling process and facilitating the real-time activities of incident handlers, according to the MozDef docs.
- Integrates with ELK
- Log consolidator
- Remediation orchestration
Why do we recommend it?
MozDef comes from Mozilla, which built it to run its own security operations, and that pedigree is a recommendation in itself. The MozDef package solves the problem of how to set up a SIEM on top of the ELK stack. Essentially, this tool provides the data search rules for you, which are executed in Elasticsearch, together with the connectors that get the results displayed in Kibana. That cuts out most of the learning time you would otherwise invest in building a SIEM from the Elastic Stack yourself.
MozDef describes itself as a SIEM add-on that uses Elasticsearch for logging and storing data, and Kibana for dashboarding capabilities. This means that if you use MozDef for your log management, you can easily leverage the features of Elasticsearch to store, archive, index, and search event data using Kibana.
The MozDef architecture does not allow log shippers (rsyslog, syslog-ng, beaver, nxlog, heka, logstash) direct access to Elasticsearch. Instead, MozDef sits between the log shippers and Elasticsearch: shippers send to MozDef, and MozDef writes to the index. This is what sets MozDef apart from other log management tools built on Elasticsearch and lets it provide basic and advanced SIEM functions such as event correlation, aggregation, and machine learning.
Who is it recommended for?
Organizations that want to avoid commercial software will struggle to build top-level security systems from the packages available for free, so the combination of the Elastic Stack with MozDef is a godsend. The ELK system is very useful, but you need to train up to use it. MozDef gives you the pre-written searches and display widgets that you would otherwise pay for by going for the paid version of ELK. Small businesses, associations, and not-for-profit organizations will appreciate the freedom from corporate products that MozDef gives them.
- Runs as a lightweight microservice
- Focuses heavily on automated remediation
- Leverages a lot of ELK functionality for data search and indexing
- Is more of a SIEM add-on than a standalone product
If you're looking for a tool that provides basic SIEM functionality, MozDef is a reasonable fit. However, don't expect it to meet every need, as its feature set is small. It is best suited to SMBs rather than corporate environments. The main pain points are that getting it up and running can be time-consuming and technically demanding, and it lacks high availability options and key reporting and compliance capabilities. Check the project's activity before adopting it: Mozilla has archived the MozDef repository on GitHub, so it no longer receives updates.
6. SIEMonster
SIEMonster is a customizable and scalable SIEM built from a collection of the best open-source and internally developed security tools, intended to provide a SIEM solution for everyone. SIEMonster is a relatively young but surprisingly popular player in the industry. It was inspired by the need for a SIEM that avoids the frustrations caused by the exorbitant licensing costs of commercial SIEM products.
- Free for small businesses
- Limited service
- Nice console displays
Why do we recommend it?
The Community Edition of SIEMonster is a free system but it isn’t open source. However, it is a collection of open-source and free proprietary tools. A number of the tools listed in this review are included in the SIEMonster package – namely, Elasticsearch, Kibana, and Wazuh. This system gets a threat intelligence feed from the open-source MISP Framework, which provides malware signatures as well as attack vectors for intrusion. This is an exciting concept and it also provides a free vulnerability scanner and penetration testing tools for preventative security checks.
SIEMonster has something for everyone: SMBs, large corporations, managed service providers, and the community. The Community Edition is the free single-server edition for businesses with up to 100 endpoints. It supports real-time threat intelligence and reporting capabilities, and it can be deployed in the cloud using Docker containers or on physical and virtual machines (macOS, Ubuntu, CentOS, and Debian).
Who is it recommended for?
SIEMonster is a great concept, providing a package of security tools by gathering the best of breed offered by other security software projects. The free system runs on Docker, which, itself, will install on Windows, Linux, and macOS. The big problem with this free system is that it is limited to monitoring security for 100 endpoints. So, the Community Edition of SIEMonster is a good option for small and mid-sized businesses. Larger organizations will have to switch to the paid version, which is outside of the remit of this review.
- Free for smaller environments (up to 100 endpoints)
- Designed for smaller networks
- Simple yet intuitive customizable dashboards
- Not the best option for larger enterprises
However, the major downside to the free version is that it is not easily upgradable, and does not offer user behavioral analytics, machine learning, and most importantly—support. Furthermore, its reporting capability is limited to only two reports. For organizations that want to completely avoid the limitations of the community edition and investments in onsite infrastructure and human capital, SIEMonster SIEM as-a-Service option is your best bet.
Free open source SIEM FAQs
What is the best open-source SIEM?
We rank open-source SIEMs in the following order:
- AlienVault OSSIM
- ELK Stack
- OSSEC
- Wazuh
- MozDef
- SIEMonster
Is Suricata a SIEM?
Suricata is classified as an intrusion detection system (IDS). It works by inspecting passing network traffic, which makes it a network-based IDS (NIDS). The other type of IDS is host-based (HIDS) and works from log files and system state. A SIEM combines both kinds of data, so Suricata is not a SIEM by itself but a valuable data source for one: its alerts and flow logs are commonly shipped into a SIEM for correlation with host events.
Does AWS have a SIEM?
There isn't a native AWS SIEM. However, a number of third-party SIEM systems will install on the Amazon platform and can be obtained through the AWS Marketplace.