Traditional security information and event management (SIEM) platforms are expensive — so a free SIEM sounds like an appealing option.
Organizations that need more visibility shouldn’t jump blindly into a SIEM project — even if it’s free — without considering the ramifications. Time is money, after all, and a failed SIEM implementation can translate to hours that could’ve been spent on more valuable tasks.
Before deciding on a free SIEM, it’s important to understand each tool’s capabilities and limitations.
Is Open Source SIEM Right For My Organization?
Open source tools seem like an appealing option for organizations that don’t have the budget for expensive security software, but they are not a silver bullet by any means.
Open source has a variety of benefits:
- Free. Although free and open source aren’t interchangeable terms, it’s valid to assume that almost all open source tools are free of charge.
- Transparent. Its transparency means that anyone can view the source code to understand exactly how the software works.
- Highly reliable. Open source software also tends to be highly reliable; since hundreds or even thousands of developers work on the code, flaws or bugs get noticed and fixed quickly.
- Educational. An open source SIEM is a great resource for someone who wants to learn about cybersecurity. There’s no better learning experience than the hands-on process of setting up, configuring, and managing a SIEM.
Open source software isn’t always the best choice for smaller teams because it inherently requires some upfront work and expertise. Open source is community-supported by definition, so there’s no guaranteed way to get help from an expert. Not all open source tools are user-friendly, so implementing and managing the tool might be challenging.
Smaller, resource-strapped IT and security teams with less technical expertise should consider alternatives, solely due to the time and effort it takes to get an open source tool successfully up and running.
Top 7 Free SIEMs
We’ve researched and evaluated seven SIEM platforms, pulling pros and cons from reliable online review sites.
1. Wazuh
Wazuh is a free open source security monitoring platform with threat detection, integrity monitoring, compliance and incident response capabilities. Considered an intrusion detection system (IDS), Wazuh runs at the host level to detect anomalies and known-bad signatures.
Wazuh has three main components: the agent, which detects threats and collects log data; the server, which analyzes that data; and the Elastic Stack, which indexes and stores the alerts that Wazuh generates. The tool integrates with Kibana, one of the components of the Elastic Stack, to provide a user interface.
Wazuh began as a fork of OSSEC, another open source monitoring solution, and builds on it with more reliability and scalability.
According to a Wazuh user, it is a “good starter solution, but there are other more advanced solutions on the market.”
Pros: Integrates easily with other solutions, comprehensive, can help meet some compliance requirements
Cons: User interface is clunky, requires manual configuration of alerts and monitoring, detection is lacking
2. ELK Stack (Elastic)
Elastic offers several products that form the ELK Stack suite: Logstash (a log server), Elasticsearch (a search and analytics engine for the ingested data), Beats (a data transfer agent), and Kibana (the front end of the Elastic Stack that serves as a data analysis tool). Elastic SIEM is a free, open source application that is included by default in the ELK Stack.
Logstash, Kibana, and Beats are all free for on-premises deployments, but there is a charge for the cloud-based versions, starting at $95 per month for the Standard tier.
The software includes out-of-the-box detection rules that are aligned to the MITRE ATT&CK framework. Its features include audit logging, anti-malware, network security analysis, and more.
According to a software engineer that uses ELK Stack: “Just take your time to study it carefully, as its powerful tools require mastering…There is quite a bit of a learning curve.”
Pros: Powerful search engine, can handle big-scale applications
Cons: Only free for on-premises environments, users report breaking changes between different versions, can be difficult to set up, detection rules are not automatically updated
3. OSSEC
OSSEC is an open source host-based intrusion detection platform that supports both cloud and on-premises deployments. According to its website, it is commonly used strictly as a log analysis tool — however, it’s possible to configure OSSEC to function as a SIEM through its configuration options.
Other features include file integrity monitoring (FIM), rootkit and malware detection, compliance auditing, and system inventory. Atomic Corp, the company that maintains the project, offers extra features such as integrations, role-based access control, malware protection, and a management console, but at a cost.
Pros: Can integrate with ELK Stack, offers threat detection rules
Cons: No dashboard, painful upgrades, older solution that is largely unsupported
4. Security Onion
Security Onion is an Ubuntu-based open source threat hunting, network security monitoring, and log management platform. Built on the ELK Stack, Security Onion bundles an impressive variety of open source tools, including Wazuh, Kibana, NetworkMiner, Snort, Suricata, and more. Its features include network-based and host-based intrusion detection, indexing and search, visualization tools, and full packet capture.
A senior writer at CSO Online said it best: “Does Security Onion do exactly what you want it to do? Probably not. Will you have to tweak it to fit your enterprise? Probably yes. Will you need skilled security people to run it? Definitely yes.”
Pros: Compiles many open source tools, easily customizable, educational resource
Cons: Noisy, many false positives, requires expertise
5. Splunk Free
Splunk Free is a very limited version of Splunk Enterprise that allows users to practice searches, data ingestion, and other tasks, according to Splunk documentation. If organizations ingest 500 MB per day of data or less, Splunk Free can be useful for forensic review of large data sets.
The free license does not expire, but it is unlikely to be a viable long-term solution for maintaining visibility across an environment due to its many limitations.
Pros: No expiration date
Cons: Data caps at 500 MB/day, does not include alerting, not configurable
6. AlienVault OSSIM
AlienVault OSSIM is an open source SIEM platform that offers asset discovery, vulnerability assessment, intrusion detection, behavioral monitoring, and event correlation. It is available for both on-premises physical and virtual environments. OSSIM uses Open Threat Exchange (OTX), which enables users to receive real-time information about malicious hosts.
However, OSSIM is only available for a single server and does not support cloud platforms such as AWS and Azure.
Pros: Many integrations, strong event correlation capabilities
Cons: Lacks log management, can be overwhelming to set up, noisy false positives
7. Blumira Free
Blumira’s Free edition is the industry’s only free cloud-based SIEM with threat detection and response capabilities — with zero limits on users and ingested data. Built for small teams and SMBs with limited resources, Blumira enables users to set up in minutes with Cloud Connectors, which ingest log data directly from cloud apps’ third-party APIs. Blumira’s free edition is limited to Microsoft 365, but users can easily upgrade in-app to paid editions for more coverage, support, and longer data retention.
Blumira’s platform comes with detections automatically activated and fine-tuned, which significantly reduces false positives and saves time and effort for busy IT admins. The free edition includes a summary dashboard of key findings and basic reports, with 7 days of log retention.
Free edition users can detect a variety of Microsoft 365 threats, including ransomware and malware, suspicious user activity, and privilege escalation. Download a data sheet for a full list of what you can detect with Blumira’s Free edition.
Pros: Fast and easy to install, user-friendly interface, comes with every Microsoft 365 detection that is included in the full product, no data caps or user limits
Cons: Limited to Microsoft 365, may not be suitable for larger enterprises
Value Without The Cost or Hassle
Open source software is a great option for organizations with experienced security practitioners with time to invest in a large implementation project. However, small teams without security expertise should consider an out-of-the-box solution like Blumira.
Unlike the open source options, Blumira’s Free edition doesn’t require expertise or even a full-time security practitioner to deploy and install it. Built for small teams, Blumira is a powerful way to instantly get visibility into Microsoft 365 environments without many resources.
Try Blumira for free today and see how easy it is to get started.
Sign Up For Your Free Account Today
Get your free account with Blumira and secure your Microsoft 365 environment in minutes. No credit card required.