Open Source SIEM Tools: Wazuh and Security Onion
What a SIEM Does and Why It Matters
A security information and event management platform serves as the central nervous system of a security operations center. It collects logs from every device, application and service across the infrastructure, normalizes those logs into a consistent format, correlates events across sources to identify attack patterns, and generates alerts when activity matches known threat signatures or deviates from established baselines. Without a SIEM, defenders are left searching through individual log files on individual systems, a process so slow and fragmented that most attacks go undetected until their impact becomes obvious.
The commercial SIEM market is dominated by platforms like Splunk, Microsoft Sentinel, IBM QRadar and LogRhythm, with annual licensing costs that range from tens of thousands to millions of dollars depending on data ingestion volume. These costs put dedicated SIEM platforms out of reach for many organizations, leaving them without centralized visibility into their security posture. Open source SIEM tools eliminate the licensing barrier while providing capabilities that are genuinely competitive with their commercial counterparts.
Wazuh: Architecture and Core Capabilities
Wazuh's architecture consists of four main components: the Wazuh agent, the Wazuh server, the Wazuh indexer and the Wazuh dashboard. Agents are lightweight processes deployed on monitored endpoints that collect system logs, file integrity data, configuration assessments, vulnerability information and running process inventories. The server receives agent data and external log sources via syslog, processes events through a rule engine and triggers alerts and active responses. The indexer, based on OpenSearch, stores events for search and analysis. The dashboard provides visualization, alert management, compliance reporting and system administration through a web interface.
Wazuh's detection engine ships with over 3,000 built-in rules organized by MITRE ATT&CK technique, compliance framework and attack category. Rules evaluate decoded log fields against conditions, supporting Boolean logic, regular expressions, frequency thresholds and correlation across multiple event types. Custom rules follow the same XML syntax and can reference community rule repositories or be written from scratch to address organization-specific detection requirements. The active response module can execute predefined actions when specific rules trigger, such as blocking an IP address on the local firewall, disabling a user account, or running a forensic collection script.
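As an added illustration (not from the original article or from the Wazuh project), the rule file below shows the two correlation mechanisms described above in Wazuh's XML syntax: a frequency threshold built on top of a shipped rule, and a regular-expression match on a decoded field. It assumes the built-in sshd rule IDs 5710 (invalid-user login attempt) and 5715 (successful authentication) as found in Wazuh's default ruleset, the custom-rule ID range starting at 100000, and the local rules path shown in the comment; verify all three against your installed version.

```xml
<!-- Assumed location: /var/ossec/etc/rules/local_rules.xml on the Wazuh server -->
<group name="local,sshd,authentication_failures,">

  <!-- Frequency threshold: child of built-in rule 5710 (sshd login attempt
       for a non-existent user). Fires when the same source IP triggers the
       parent repeatedly within a 120-second window, and tags the alert with
       the MITRE ATT&CK technique for password guessing. -->
  <rule id="100100" level="10" frequency="6" timeframe="120">
    <if_matched_sid>5710</if_matched_sid>
    <same_source_ip />
    <description>sshd: repeated invalid-user login attempts from $(srcip)</description>
    <mitre>
      <id>T1110.001</id>
    </mitre>
    <group>pci_dss_11.4,</group>
  </rule>

  <!-- Regular-expression condition on a decoded field: raise the level of a
       successful sshd login (built-in rule 5715) when the account is one of the
       service accounts (assumed names) that should never log in interactively. -->
  <rule id="100101" level="12">
    <if_sid>5715</if_sid>
    <field name="dstuser">^(backup|deploy)$</field>
    <description>sshd: interactive login by restricted service account $(dstuser)</description>
  </rule>

</group>
```

After editing the file, run the manager's rule self-test (wazuh-logtest) against a sample sshd line before restarting the manager, so a syntax error does not take down rule loading.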
The platform's vulnerability detection module is particularly valuable because it operates continuously without requiring separate scan infrastructure. Each Wazuh agent maintains an inventory of installed packages and their versions, which the server correlates against CVE databases from the National Vulnerability Database, Red Hat, Canonical, Debian, Microsoft and other sources. This provides real-time visibility into the patch status of every monitored endpoint, with dashboard views that show which systems have critical vulnerabilities, which CVEs affect the most hosts and how the overall vulnerability count trends over time.
File integrity monitoring tracks changes to critical files and directories on every endpoint, recording what changed, when it changed and which user or process made the modification. This capability is essential for detecting unauthorized changes to configuration files, web application code, system binaries and sensitive data stores. It also satisfies specific requirements in PCI DSS, HIPAA and SOX that mandate monitoring of critical system files.
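An added example of the agent-side configuration that produces the behaviour described above (constructed for this article, not taken from the Wazuh project's documentation or a real deployment): the syscheck block in an agent's ossec.conf, with the directory paths chosen as assumptions. Real-time monitoring and who-data (the option that records the user and process behind a change) are enabled only on the directories where that detail matters, because who-data relies on the kernel audit subsystem and carries a cost on busy paths.

```xml
<!-- Assumed location: /var/ossec/etc/ossec.conf on a Linux Wazuh agent -->
<syscheck>
  <!-- Full scan of all monitored paths every 12 hours (in seconds) -->
  <frequency>43200</frequency>

  <!-- Config and web content: report in real time and include a diff of
       the changed content so the alert shows what was modified -->
  <directories check_all="yes" realtime="yes" report_changes="yes">/etc,/var/www/html</directories>

  <!-- System binaries: who-data records the user and process that made
       the change (Linux: requires auditd on the agent) -->
  <directories check_all="yes" whodata="yes">/usr/bin,/usr/sbin</directories>

  <!-- Files that change constantly and would only generate noise -->
  <ignore>/etc/mtab</ignore>
  <ignore type="sregex">\.log$|\.swp$</ignore>
</syscheck>
```

On the server side, the resulting events are matched by the built-in syscheck rule group, so a custom rule can escalate changes to specific paths without touching the agent again.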
Security Onion: Architecture and Core Capabilities
Security Onion takes a distribution-based approach, packaging multiple open source security tools into a unified platform with consistent management, deployment and upgrade processes. The core components include Suricata for network intrusion detection, Zeek for network traffic analysis, Elasticsearch for log storage and search, Kibana for visualization, Logstash for log processing, and the Security Onion Console for alert management and case tracking.
Security Onion's primary strength is network visibility. Sensor nodes deployed at network tap points or connected to switch mirror ports capture all traffic crossing network boundaries. Suricata inspects this traffic against signature rules to detect known attack patterns, while Zeek analyzes protocol interactions to produce structured logs describing every connection, DNS query, HTTP request, TLS handshake, file transfer and protocol anomaly observed on the wire. Together, these tools create a comprehensive record of all network activity that analysts can search, correlate and investigate.
The platform supports three deployment models. A standalone installation runs all components on a single machine, suitable for small networks and evaluation. A distributed deployment places sensor nodes at network tap points and forward nodes in remote locations, all reporting to a central manager node that aggregates data and provides the analyst interface. An import-only installation analyzes previously captured packet data without live network monitoring, useful for forensic investigations of historical incidents.
Security Onion Console provides case management features that organize alerts into investigations, assign cases to analysts, track investigation status and maintain a timeline of findings. This workflow capability, similar to commercial SOAR platforms, helps security teams manage the volume of alerts that network monitoring generates and ensures that high-priority events receive appropriate attention. The console also provides full packet capture retrieval, allowing analysts to pull the raw network traffic associated with any alert for detailed forensic examination.
Head-to-Head Comparison
The fundamental difference between Wazuh and Security Onion is their primary data source. Wazuh is endpoint-first: its agents collect data directly from the systems being monitored, providing deep visibility into host activity, file changes, process execution, user actions and system configuration. Security Onion is network-first: its sensors observe traffic flowing between systems, providing visibility into communications, data transfers, DNS activity and protocol-level interactions that endpoint agents cannot see.
For deployment complexity, Wazuh offers a more modular approach. You can start with a single-server installation and add agents incrementally as you expand coverage. Agent deployment is automated through standard configuration management tools like Ansible, Puppet and Chef. Security Onion requires more infrastructure planning upfront, particularly for distributed deployments where sensor placement, network tap configuration and storage capacity need to be considered before installation.
Log source diversity favors Wazuh. Beyond its own agent telemetry, Wazuh accepts syslog from network devices, firewalls, application servers and cloud services, providing a centralized view of security events from across the entire infrastructure. Security Onion focuses primarily on network-derived data, though it can ingest external log sources through its Elastic stack components.
For incident investigation, the tools complement each other well. A Wazuh alert showing suspicious process execution on a server gains significant context when correlated with Security Onion data showing that same server establishing connections to an unusual external IP address. The endpoint data explains what happened on the compromised system, while the network data reveals what the attacker did with that access and where they communicated.
Other Open Source SIEM Options
Graylog provides centralized log management with a clean web interface, flexible log processing pipelines and an alerting engine. Its open source edition handles log collection, parsing, search and visualization, making it a solid choice for organizations that need a simpler alternative to the full ELK stack but want more customization than Wazuh's built-in log management. Graylog is not a purpose-built security platform, so it lacks Wazuh's detection rules and Security Onion's network monitoring, but its log processing capabilities can serve as the foundation for a custom SIEM build.
The ELK stack (Elasticsearch, Logstash and Kibana) provides the log management backbone that both Wazuh and Security Onion use internally. Organizations comfortable with the Elastic ecosystem can build a SIEM directly on ELK using Elastic Security's free tier, which includes pre-built detection rules, case management and endpoint agent support. This approach requires more operational expertise than deploying Wazuh or Security Onion but provides maximum flexibility in how logs are collected, processed, analyzed and visualized.
Apache Metron, built on Apache Storm, Kafka and the Hadoop ecosystem, was designed for very large-scale network security analytics. While it provides powerful stream processing capabilities for organizations generating massive volumes of network telemetry, its operational complexity and resource requirements make it impractical for most deployments. It is primarily relevant for large enterprises or service providers processing billions of events per day.
Choosing Between Wazuh and Security Onion
For most organizations starting their security monitoring program, Wazuh is the better first choice. It covers more ground with a single deployment, providing endpoint monitoring, log management, vulnerability detection and compliance reporting in one platform. The agent-based model scales from a handful of servers to thousands of endpoints, and the dashboard provides immediately useful visibility without extensive customization.
Security Onion becomes valuable once endpoint monitoring is established and the security team needs deeper network visibility. Organizations with high-value network segments (those handling financial transactions, intellectual property or sensitive customer data) benefit from Security Onion's ability to capture and analyze all traffic crossing those segments. The combination of Wazuh on endpoints and Security Onion on the network provides the comprehensive visibility that effective security operations require.
Organizations with dedicated security analysts benefit most from Security Onion's capabilities. The network data it generates requires trained analysts to interpret effectively, and the alert volume from network monitoring can overwhelm teams without the bandwidth to triage and investigate. Wazuh's more focused alerting, driven by endpoint events and pre-built rules, produces a more manageable alert stream for smaller teams.
Wazuh and Security Onion are complementary rather than competing platforms. Wazuh provides the endpoint and log management foundation, while Security Onion adds the network visibility layer. Most organizations should deploy Wazuh first for broad coverage, then add Security Onion when they need deeper network-level threat detection and forensic capabilities.