Open Source SIEM Tools: 7 for Your Home Lab (2026)
Open source SIEM tools let you build real detection skills at zero cost. Here are 7 worth running in a home lab, ranked by what they actually teach.

Open source SIEM tools let you build production-grade detection skills at zero licensing cost, and the strongest starting point in 2026 is Wazuh — a one-command Docker deployment that covers log ingestion, rule-based alerting, file integrity monitoring, and MITRE ATT&CK mapping on modest hardware. An open source SIEM gives you the same core capability as a commercial platform (log collection, correlation rules, alerting, and threat detection) with full access to the code and no per-endpoint fees, in exchange for owning the infrastructure and tuning yourself. The deeper reason to run one is transferable: every commercial console you will meet on the job is different, but the underlying model — how ingestion works, why a rule fires, what separates a raw event from a correlated alert — is the same, and you learn it by operating a SIEM, not by reading about one.
Which one first?
- Building your first home lab? Start with Wazuh. One Docker command, modest hardware, and the detection concepts map directly to what commercial SIEMs do under the hood.
- Targeting network/NSM roles? Deploy Security Onion. Zeek logs and Suricata rule-writing are the skills that move you from Tier 1 into Tier 2 network investigations.
- Already comfortable with host-based detection? Add Elastic Security as your second platform. EQL transfers to production Elastic deployments and the query model sharpens your detection engineering skills.
The seven tools below cover the realistic range of what you can self-host in 2026. For each one, this guide covers how difficult it is to install, what hardware you realistically need, what skills it actually builds, and who it is best for. The comparison table at the end lets you pick quickly.
1. Wazuh
Wazuh is a full-stack, open source security monitoring platform covering SIEM, XDR, and compliance in a single deployment.
Wazuh earns the first slot because it is the closest thing the open source world has to an enterprise SIEM that a single analyst can operate. It consists of three components: the Wazuh indexer (an OpenSearch fork that stores events), the Wazuh server (the analysis engine and rule processor), and the Wazuh dashboard (a Kibana-based UI). Agents run on monitored endpoints and ship logs, file integrity data, vulnerability information, and system inventory to the server.
The quickest path to a running single-node lab instance is Docker:
```bash
git clone https://github.com/wazuh/wazuh-docker.git -b v4.9.0
cd wazuh-docker/single-node
docker compose up -d
```

This brings up all three components. The default credentials are in the .env file in the single-node directory. Swap them before you expose the dashboard to anything outside your lab network.
Note
Wazuh is free and open source under the GNU GPL. The hosted cloud version and commercial support contracts are paid products, but self-hosted deployments have no feature restrictions or licence fees.
Hardware requirements for a functional lab are modest. A single-node Docker deployment runs on a machine with 8 GB of RAM and a modern dual-core processor. You will want 50 GB of disk for log retention across a few weeks. A dedicated machine is ideal, but most analysts run it comfortably in a VM on a host with 16 GB of RAM.
What Wazuh teaches you is broad and directly applicable to employment. Rule syntax in Wazuh follows a structured XML format that maps closely to how SIGMA rules are written, so understanding a Wazuh rule gives you a head start on every other detection framework. The out-of-the-box rule set covers MITRE ATT&CK techniques with explicit tagging, which means you can trace any alert back to a tactic and technique without additional tooling. File integrity monitoring (FIM) teaches you how host-based detection differs from network detection, a distinction that matters when you are triaging alerts that mix both. The compliance modules (PCI DSS, HIPAA, NIST 800-53, CIS benchmarks) give you early exposure to the compliance vocabulary that comes up in every enterprise SOC role.
Wazuh's official documentation is thorough and actively maintained. The Wazuh community Slack is the fastest route to answers when something does not work.
Best for: Anyone building their first home lab SIEM. The deployment is fast, the UI is intuitive, and the detection coverage is the closest to what employers want to see on a resume.
2. Security Onion
Security Onion is a free Linux distribution purpose-built for network security monitoring, combining Zeek, Suricata, Elasticsearch, Kibana, and a suite of investigation tools into a single installable image.
Where Wazuh centers on host-based telemetry, Security Onion centers on the network. It ingests traffic from a span port or tap, generates connection logs (Zeek), runs intrusion detection rules (Suricata), indexes everything into Elasticsearch, and surfaces it all through a unified investigation interface called Security Onion Console (SOC, which is an excellent irony for the audience). It also ships with Kibana, CyberChef, and network artifact extraction.
Installation is via a downloadable ISO. The Eval mode runs on a single machine and is appropriate for a home lab. The hardware ask is noticeably higher than Wazuh: Security Onion recommends at least 12 GB of RAM for Eval mode, with 16 GB being more comfortable. Disk matters more here than in any other tool on this list because it stores full packet captures by default. Plan for 200 GB minimum.
What Security Onion teaches is the network investigation workflow. You will write Suricata rules (which are syntactically close to Snort rules, still the industry standard), read Zeek logs to reconstruct session-level activity, correlate DNS queries with connection logs, and extract artifacts from captured traffic. Pivoting from an alert to a full packet capture for the same session is a skill tier-2 analysts use constantly, and Security Onion makes it straightforward to practice.
The Security Onion documentation is organized by use case rather than by component, which makes it approachable. The Security Onion community forums are active.
Best for: Analysts who want to build network forensics depth, particularly those targeting NSM or tier-2 investigation roles.
3. Elastic Security (Free Tier)
Elastic Security is the SIEM and security analytics layer built into the Elastic Stack, available at no cost in the self-hosted, open-source distribution.
Elastic Security is not a separate product. It is a set of capabilities built into Kibana and the Elastic Stack that you enable when you stand up your own Elasticsearch cluster. The free tier gives you the core SIEM features: timeline investigation, detection rules (including pre-built rules mapped to MITRE ATT&CK), case management, and the full power of the EQL (Event Query Language) query engine. Elastic's pre-built detection rules are published on GitHub and actively maintained.
A minimal single-node Elastic Stack deployment can be stood up with Docker:
```bash
# Use the official Elastic Docker Compose setup (requires ~8 GB RAM for Elasticsearch alone)
curl -fsSL https://elastic.co/start-local | sh
```

The honest hardware caveat is that Elasticsearch is memory-hungry. A usable single-node stack needs at least 8 GB dedicated to Elasticsearch alone. 16 GB of total system RAM is the practical minimum for a lab machine that runs the full stack plus agents. This makes it more demanding than Wazuh but less demanding than Security Onion at full packet capture scale.
What Elastic Security teaches is EQL, one of the most transferable detection skills you can develop. Splunk uses SPL, Sentinel uses KQL, and Elastic uses EQL, but the underlying pattern-based event correlation model is the same across all of them. Learning to write an EQL sequence query that links a parent process to a network connection to a file write teaches how behavioral detection works at a level that transfers to every other platform. The Elastic Security documentation covers the query language thoroughly.
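To make the sequence model concrete, here is an added example (not Elastic's code, and not EQL itself) that re-implements the process -> network -> file-write sequence the paragraph describes as a small Python matcher; the event fields, entity ids and 30-second maxspan are constructed for the demo.

```python
"""Toy model of an EQL-style sequence query over host events.

Constructed example, not Elastic's EQL engine. It mimics the three-stage query
the section describes, joined on a process id with a maxspan window:

    sequence by process.entity_id with maxspan=30s
      [process where true] [network where true] [file where event.action == "creation"]

Simplification: one in-progress match is tracked per join key.
"""
from dataclasses import dataclass


@dataclass
class Event:
    ts: float        # seconds since epoch
    category: str    # "process", "network" or "file"
    entity: str      # join key, standing in for process.entity_id
    action: str = ""


STAGES = [  # one predicate per sequence stage, in order
    lambda e: e.category == "process",
    lambda e: e.category == "network",
    lambda e: e.category == "file" and e.action == "creation",
]

DEMO_EVENTS = [  # constructed: only entity A does process -> network -> file within 30 s
    Event(105.0, "file", "A", "creation"),    # out of order on purpose
    Event(100.0, "process", "A"),
    Event(102.0, "network", "A"),
    Event(200.0, "process", "B"),
    Event(240.0, "network", "B"),             # 40 s later: outside maxspan
    Event(241.0, "file", "B", "creation"),
    Event(300.0, "process", "C"),
    Event(301.0, "file", "C", "creation"),    # no network stage in between
    Event(302.0, "file", "C", "deletion"),
]


def sequence_matches(events, stages, maxspan):
    """Return every completed sequence as a list of its events, in time order.

    A partial match advances when the next stage's predicate holds for an event
    with the same join key; it is dropped when the span from its first event
    exceeds maxspan, which is what keeps unrelated activity from chaining.
    """
    partial = {}       # entity -> events matched so far
    completed = []
    for ev in sorted(events, key=lambda e: e.ts):   # evaluate in timestamp order
        chain = partial.get(ev.entity, [])
        if chain and ev.ts - chain[0].ts > maxspan:
            chain = []                               # window expired: restart this key
            partial.pop(ev.entity, None)
        if stages[len(chain)](ev):
            chain = chain + [ev]
            if len(chain) == len(stages):
                completed.append(chain)
                partial.pop(ev.entity, None)
            else:
                partial[ev.entity] = chain
    return completed


def run_demo():
    """Return (entity, stage categories) for each completed sequence in DEMO_EVENTS."""
    matches = sequence_matches(DEMO_EVENTS, STAGES, 30.0)
    return [(seq[0].entity, [e.category for e in seq]) for seq in matches]
```

Widening maxspan to 60 s lets entity B's sequence complete as well, which is the tuning knob you will spend the most time on with real sequence rules.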
Best for: Analysts who want to understand enterprise SIEM internals and query-language-based detection. Good second step after Wazuh.
4. Graylog Open
Graylog Open is a free, open source log management and SIEM platform focused on high-throughput log ingestion, structured search, and alert-driven workflows.
Graylog takes a different approach than Wazuh or Elastic. Its strength is log management at volume: it ingests from virtually anything (syslog, GELF, Beats, REST API, Kafka), provides fast full-text search via Elasticsearch or OpenSearch as a backend, and exposes a clean pipeline-based processing model that lets you parse, enrich, and route logs before they land in the index. The alerting system is built around saved searches and event definitions rather than pre-built rule sets.
Graylog Open is self-hosted and free. The commercial plans (Operations and Security) add compliance reporting and extended analytics, but the Open edition is capable for lab use. Installation involves MongoDB, Elasticsearch or OpenSearch, and the Graylog server itself. A Docker Compose setup simplifies this considerably.
What Graylog teaches is log pipeline architecture. Understanding how to normalize logs from different sources into a consistent schema, how to write pipeline rules that parse custom log formats, and how to route high-volume log streams to different indexes based on content are skills that apply directly to detection engineering and SIEM administration roles. The alert workflow teaches event correlation at the search level rather than through a pre-built rule engine, which develops a different and valuable muscle.
Best for: Analysts interested in detection engineering or SIEM administration, and anyone who wants to understand log normalization pipelines.
5. OSSEC
OSSEC is a veteran open source host-based intrusion detection system (HIDS) that pioneered many concepts now standard in modern SIEMs.
OSSEC predates most of the platforms on this list by a decade. It covers file integrity monitoring, log analysis, rootkit detection, and active response (automatically blocking IPs, disabling accounts) from a central manager with agents deployed on endpoints. OSSEC's rule syntax is the direct ancestor of Wazuh's, which is not coincidental: Wazuh started as an OSSEC fork.
The installation story is more manual than Wazuh or Elastic. There is no first-class Docker deployment; you compile from source or install from packages. The web interface options (Kibana integration, Splunk app) are community-maintained and less polished than in newer platforms. Hardware requirements are light: OSSEC itself is deliberately minimal.
What OSSEC teaches is the HIDS conceptual foundation. Log decoding, rule grouping, alert levels, and active response are all concepts you will encounter in every modern SIEM, and OSSEC exposes them with less abstraction than Wazuh does. If you want to understand why a rule fires, reading OSSEC's rule files is a better tutorial than any documentation. The active response module teaches you how automated remediation decisions work, which is relevant to SOAR platforms.
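The decoder -> rule -> correlated alert path that both the Wazuh section and this OSSEC paragraph describe, as an added Python model (not Wazuh or OSSEC code): rule ids, levels, frequency and timeframe values, and the sshd log lines are all constructed for the demo.

```python
"""Toy model of the OSSEC/Wazuh analysis path: decoder -> rule -> correlated alert.

Constructed example, not Wazuh or OSSEC code. Rule ids, levels, frequency and
timeframe are made up; the concepts (decoder fields, if_sid parent rule,
frequency within timeframe, alert level, MITRE technique tag) follow their model.
"""
import re
from collections import defaultdict, deque

# Decoder: pulls user and source IP out of an OpenSSH "Failed password" line.
SSHD_FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<srcip>\d{1,3}(?:\.\d{1,3}){3})"
)

RULES = [  # a base rule and one child that correlates repeats from the same source
    {"id": 100001, "level": 5, "if_sid": None, "frequency": 1, "timeframe": 0,
     "description": "sshd: authentication failure", "mitre": ["T1110"]},
    {"id": 100002, "level": 10, "if_sid": 100001, "frequency": 3, "timeframe": 120,
     "description": "sshd: 3 failures from one source within 120 s", "mitre": ["T1110"]},
]


class RuleEngine:
    def __init__(self, rules):
        self.children = defaultdict(list)      # parent rule id -> child rules
        for rule in rules:
            self.children[rule["if_sid"]].append(rule)
        self.windows = defaultdict(deque)      # (rule id, srcip) -> recent hit timestamps

    def process(self, ts, line):
        """Return the highest-level alert this line raises, or None if no decoder matched."""
        match = SSHD_FAILED.search(line)
        if match is None:
            return None
        fields = match.groupdict()
        alert, parent = None, None
        while True:                            # descend the rule tree while children fire
            fired = None
            for rule in self.children[parent]:
                window = self.windows[(rule["id"], fields["srcip"])]
                window.append(ts)
                while ts - window[0] > rule["timeframe"]:
                    window.popleft()           # forget hits outside the timeframe
                if len(window) >= rule["frequency"]:
                    window.clear()             # constructed choice: reset after firing
                    fired = rule
                    break
            if fired is None:
                return alert
            alert = {"rule_id": fired["id"], "level": fired["level"],
                     "description": fired["description"], "mitre": fired["mitre"], **fields}
            parent = fired["id"]


def run_demo():
    """Feed constructed (arrival time, syslog line) pairs; return (level, srcip) or None per line."""
    lines = [
        (1700000000, "Nov 14 22:13:20 bastion sshd[4121]: Failed password for root from 203.0.113.7 port 50122 ssh2"),
        (1700000010, "Nov 14 22:13:30 bastion sshd[4123]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2"),
        (1700000020, "Nov 14 22:13:40 bastion sshd[4125]: Failed password for root from 203.0.113.7 port 50141 ssh2"),
        (1700000035, "Nov 14 22:13:55 bastion sshd[4129]: Accepted publickey for deploy from 198.51.100.5 port 40022 ssh2"),
        (1700000045, "Nov 14 22:14:05 bastion sshd[4133]: Failed password for root from 198.51.100.5 port 40030 ssh2"),
        (1700000050, "Nov 14 22:14:10 bastion sshd[4135]: Failed password for root from 203.0.113.7 port 50170 ssh2"),
    ]
    engine, results = RuleEngine(RULES), []
    for ts, line in lines:
        alert = engine.process(ts, line)
        results.append((alert["level"], alert["srcip"]) if alert else None)
    return results
```

The third line from 203.0.113.7 is what turns three level-5 raw events into one level-10 correlated alert; the line the decoder does not recognise never reaches a rule at all.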
Warning
OSSEC's development pace has slowed relative to Wazuh, which has absorbed most of the community energy. For a home lab in 2026, Wazuh is the better choice unless you have a specific reason to study OSSEC's internals. Both use nearly identical rule formats.
Best for: Analysts who want to understand HIDS fundamentals at the source level, or who are specifically studying OSSEC deployments in legacy environments.
6. AlienVault OSSIM
AlienVault OSSIM (Open Source SIEM) is an all-in-one SIEM appliance that bundles asset discovery, vulnerability assessment, behavioral monitoring, log collection, and correlation into a single virtual machine image.
OSSIM was for several years the reference open source SIEM, and its threat intelligence integration (the Open Threat Exchange, OTX, is still active and useful) made it distinctive. AT&T Cybersecurity now maintains both OSSIM and the commercial USM Anywhere product. The open source edition is free and available as a virtual appliance.
The integration story is OSSIM's strongest differentiator for learning purposes. It combines passive and active asset discovery, Nessus Essentials for vulnerability scanning, a plugin-based log normalization framework, and a correlation engine in a single deployment. The OTX integration lets you automatically enrich events with threat intelligence from a community feed, which teaches you how TI enrichment works in practice.
The honest caveat is that OSSIM shows its age in the UI and in the community activity level. Updates have been less frequent than in Wazuh or Elastic. The documentation is adequate but not as actively maintained. The hardware requirement (a dedicated VM with 8 GB RAM minimum, 16 GB recommended) is similar to Wazuh.
Best for: Analysts who want exposure to threat intelligence enrichment workflows and all-in-one SIEM architecture, particularly those preparing for roles that involve AT&T USM or similar unified security management platforms.
7. SELKS (Suricata + ELK Stack)
SELKS is a free, Debian-based live distribution that combines Suricata IDS/IPS, Elasticsearch, Logstash, Kibana, and Scirius (a Suricata rule management interface) into a single bootable image.
SELKS is maintained by Stamus Networks and is deliberately focused on intrusion detection and network monitoring rather than broad SIEM functionality. The Scirius component is the differentiator: it provides a web interface for managing Suricata rule sets, enabling and disabling rules, and viewing IDS alerts with full PCAP pivot capability. The Kibana dashboards are pre-configured for Suricata EVE JSON output, which means you get immediately useful visualizations for DNS, HTTP, TLS, and alert data.
SELKS can run as a live system (booted directly from USB) or installed to disk. The live mode makes it practical for temporary network monitoring setups, which is a realistic use case for analysts doing threat hunts in environments where they cannot install software on infrastructure. Hardware needs are moderate: 8 GB of RAM for the core stack, with disk requirements scaling with how much traffic you capture.
What SELKS teaches is Suricata rule writing. Suricata rules (in the Snort rule format) are the most widely deployed open source network detection signature format in the world. Writing a rule that matches a specific HTTP user agent, TLS certificate field, or DNS response pattern is a skill that applies to commercial NGFWs, IDS appliances, and cloud-native detection platforms.
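The DNS-to-connection correlation and alert-to-flow pivot that the Security Onion and SELKS sections describe, as an added Python example over Suricata EVE JSON (not SELKS, Security Onion or Suricata code): the EVE records below are constructed, with field names following Suricata's documented EVE output (event_type, flow_id, dns.answers, tls.sni, alert.signature).

```python
"""Enrich Suricata alerts with same-flow TLS SNI and the DNS names that resolved dest_ip.

Constructed example, not SELKS or Security Onion code. The EVE JSON lines are
made up; record order does not matter because everything is indexed first.
"""
import json
from collections import defaultdict

EVE_LINES = [  # constructed EVE JSON, one record per line
    '{"timestamp":"2026-01-10T09:00:01.000000+0000","flow_id":1,"event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","dns":{"version":2,"type":"query","rrname":"update.example.test","rrtype":"A"}}',
    '{"timestamp":"2026-01-10T09:00:01.100000+0000","flow_id":1,"event_type":"dns","src_ip":"10.0.0.53","dest_ip":"10.0.0.5","dns":{"version":2,"type":"answer","rrname":"update.example.test","answers":[{"rrname":"update.example.test","rrtype":"A","ttl":60,"rdata":"203.0.113.10"}]}}',
    '{"timestamp":"2026-01-10T09:00:02.500000+0000","flow_id":2,"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","alert":{"signature":"CONSTRUCTED Suspicious TLS SNI","signature_id":9000001,"severity":2}}',
    '{"timestamp":"2026-01-10T09:00:02.000000+0000","flow_id":2,"event_type":"tls","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","tls":{"sni":"update.example.test","version":"TLS 1.2"}}',
    '{"timestamp":"2026-01-10T09:00:03.000000+0000","flow_id":3,"event_type":"alert","src_ip":"10.0.0.9","dest_ip":"198.51.100.20","alert":{"signature":"CONSTRUCTED Plain HTTP to unknown host","signature_id":9000002,"severity":3}}',
]


def enrich_alerts(lines):
    """Return one enriched dict per alert record, in the order the alerts appeared."""
    by_flow = defaultdict(list)   # flow_id -> protocol records (tls/http) on that flow
    resolved = defaultdict(set)   # IP -> names seen resolving to it in DNS answers
    alerts = []
    for line in lines:
        rec = json.loads(line)
        kind = rec["event_type"]
        if kind == "dns" and rec["dns"].get("type") == "answer":
            for ans in rec["dns"].get("answers", []):
                if ans.get("rrtype") in ("A", "AAAA"):
                    resolved[ans["rdata"]].add(ans["rrname"])
        elif kind in ("tls", "http"):
            by_flow[rec["flow_id"]].append(rec)
        elif kind == "alert":
            alerts.append(rec)
    enriched = []
    for a in alerts:
        same_flow = by_flow.get(a["flow_id"], [])
        sni = next((r["tls"].get("sni") for r in same_flow if r["event_type"] == "tls"), None)
        enriched.append({
            "signature": a["alert"]["signature"],
            "severity": a["alert"]["severity"],
            "dest_ip": a["dest_ip"],
            "tls_sni": sni,                                    # from the same flow
            "dns_names": sorted(resolved.get(a["dest_ip"], ())),  # from earlier DNS answers
            "pivot": {"flow_id": a["flow_id"], "timestamp": a["timestamp"]},  # handed to the PCAP lookup
        })
    return enriched


def run_demo():
    return enrich_alerts(EVE_LINES)
```

The first alert comes back with both the SNI and the name that resolved to its destination, while the second has neither, which is exactly the gap an analyst closes by pivoting to the flow's packet capture.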
Best for: Analysts focused on network intrusion detection, rule writing, and traffic analysis.
Comparison Table
| Tool | RAM Minimum | What It Teaches | Best For |
|---|---|---|---|
| Wazuh | 8 GB | Host detection, MITRE mapping, FIM, compliance | First SIEM, broadest employer relevance |
| Security Onion | 12 GB | Network forensics, Zeek, Suricata, PCAP pivoting | NSM and tier-2 investigation depth |
| Elastic Security | 8 GB (Elasticsearch alone) | EQL, behavioral detection, detection engineering | Query-language mastery, enterprise SIEM prep |
| Graylog Open | 4 GB | Log pipelines, normalization, event-driven alerting | Detection engineering, SIEM administration |
| OSSEC | 2 GB | HIDS fundamentals, rule internals, active response | Legacy environment prep, rule-level understanding |
| AlienVault OSSIM | 8 GB | TI enrichment, asset discovery, all-in-one SIEM | Threat intelligence workflows |
| SELKS | 8 GB | Suricata rules, network IDS, traffic analysis | Network detection, rule writing |
The Honest Case for a Home Lab (And Its Limits)
Running your own SIEM teaches you things that no training platform can fully replicate: dependency hell, disk pressure at 3 AM, a misconfigured parser that silently drops 40% of your events. Operational friction is a feature. It is the same friction you will encounter in production, compressed into a low-stakes environment.
At the same time, the home lab has a structural gap that matters for your career preparation. It trains you to maintain tooling, not to triage alerts at volume. Real SOC work is not about keeping the SIEM running. It is about processing a queue of several hundred alerts per shift with enough speed and accuracy to separate the handful of real threats from the noise. That skill requires a different kind of practice: repetitions on realistic alert queues, with verdict feedback, at realistic base rates.
Both skills are necessary. The SOCSimulator training environment is designed for the triage side of that equation: realistic SIEM, XDR, and firewall alerts in a queue you actually have to work, scored against the same verdicts a real analyst would make. Run it alongside your lab — the home lab builds the infrastructure understanding, the simulated console builds the triage instinct, and neither substitutes for the other.
For more on how triage skill develops in practice, the alert triage guide covers the framework in detail. If you are still mapping out your path to a SOC role, the how to become a SOC analyst guide covers the broader roadmap, and the best SIEM tools comparison covers the commercial landscape you will encounter once you are employed.
Frequently Asked Questions
- Is there a free SIEM?
- Yes, several production-grade SIEMs are completely free. Wazuh is free and open source under the GNU GPL, covering log collection, rule-based detection, file integrity monitoring, and active response. Elastic Security's free tier provides the same SIEM engine used by large enterprises. Security Onion bundles multiple tools including Elasticsearch, Kibana, Zeek, and Suricata into a free network security monitoring platform.
- Is Wazuh really free?
- Wazuh is free and open source, licensed under the GNU General Public License v2. There is no feature-limited free tier — the full platform, including the indexer, server, and dashboard, is available at no cost. Wazuh Inc. sells commercial support contracts and a hosted cloud version, but self-hosted deployments have no licence fees or capability restrictions.
- What SIEM can I run in a home lab?
- Wazuh is the best starting point for a home lab SIEM. It has a one-command Docker deployment, works on modest hardware (8 GB RAM is enough for a single-node lab), and covers the core skills employers value: log ingestion, rule-based alerting, file integrity monitoring, and compliance mapping. Elastic Security and Security Onion are stronger for network-centric investigations but require more resources and configuration time.
- What is the difference between open source and commercial SIEM?
- Open source SIEMs like Wazuh, Elastic Security, and Graylog give you full access to the code, unlimited data ingestion (in most cases), and no per-endpoint licensing fees. Commercial SIEMs like Splunk Enterprise, Microsoft Sentinel, and IBM QRadar add managed cloud hosting, vendor-backed support SLAs, pre-built integrations, and professional services. For home lab learning, open source tools teach the same core skills. For enterprise deployments, commercial options reduce operational overhead but at significant cost.
- Wazuh vs Security Onion: which should I use?
- Choose Wazuh if your priority is host-based detection: endpoint agents, file integrity monitoring, log analysis, and MITRE ATT&CK coverage across Windows, Linux, and macOS. Choose Security Onion if your priority is the network: it bundles Zeek, Suricata, and full packet capture for network security monitoring and forensics. Many home labs eventually run both, because they cover complementary halves of SOC visibility. Wazuh is the lighter deployment (8 GB RAM); Security Onion needs more (12 GB and 200 GB+ of disk for PCAP).
- Can you run an open source SIEM on Windows?
- The SIEM servers themselves (Wazuh, Elastic, Graylog, Security Onion) are designed to run on Linux, and the cleanest path is a Linux host or VM. You can run them on Windows through Docker Desktop or WSL2 for a lab, but production deployments are Linux-based. What you can absolutely monitor is Windows: every tool on this list ships Windows endpoint agents that collect Security event logs, Sysmon data, and PowerShell logging from Windows machines.