I need some good recommendations on a SIEM/log management solution
Posted by LonelyDilo@reddit | sysadmin | 11 comments
I have set up a Syslog server on my Raspberry Pi 5 that's running Ubuntu 24.04. It receives logs in RFC 3164 format from 160 remote firewalls and stores them locally. Is there an open-source SIEM application I can run on my Pi that will take my locally stored logs, perform data/security analysis, find trends and anomalies, and present it all in a nice graphical interface? I need the SIEM solution to be easy to set up and maintain because I have to turn it over to my boss, who is less technically inclined than me.
Please let me know if I'm asking for too much. I don't know if there are applications that are this convenient. I thought I might need to make a more complex setup, such as running multiple servers in containers with docker or proxmox.
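Before committing to a full SIEM, the "trends and anomalies" part of the question can be prototyped against the locally stored logs. The following is an added Python example, not code from this thread or from any of the tools mentioned in it: it parses RFC 3164 lines, counts events per sending firewall, and flags hosts whose volume is a robust outlier. The firewall names, addresses and log lines are constructed sample data.

```python
import re
from collections import Counter
from statistics import median

# RFC 3164 line: "<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG", with PRI = facility*8 + severity.
# The timestamp carries no year or timezone, so the receiver must supply both when indexing.
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

def parse_rfc3164(line):
    """Return a dict for a well-formed line, or None so malformed input is counted, not trusted."""
    m = RFC3164.match(line)
    if not m or int(m["pri"]) > 191:  # facility 0-23 and severity 0-7 cap PRI at 191
        return None
    pri = int(m["pri"])
    return {"facility": pri // 8, "severity": pri % 8,
            "timestamp": m["ts"], "host": m["host"], "msg": m["msg"]}

def events_per_host(lines):
    """Count parseable events per sending firewall; unparseable lines go under '_malformed'."""
    counts = Counter()
    for line in lines:
        rec = parse_rfc3164(line)
        counts[rec["host"] if rec else "_malformed"] += 1
    return counts

def outlier_hosts(counts, threshold=3.5):
    """Flag hosts whose event count is a robust outlier (median/MAD score above threshold).
    Median and MAD are used instead of mean/stddev so that one very noisy firewall
    cannot inflate the baseline and hide itself."""
    values = [c for h, c in counts.items() if h != "_malformed"]
    if len(values) < 3:
        return []
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        return []  # no spread in the baseline; a fixed-count rule would be needed instead
    return sorted(h for h, c in counts.items()
                  if h != "_malformed" and (c - med) / mad > threshold)

# Constructed sample: four quiet firewalls plus one that is suddenly noisy, and one junk line.
SAMPLE_COUNTS = {"fw-01": 3, "fw-02": 4, "fw-03": 2, "fw-04": 5, "fw-05": 40}
SAMPLE_LINES = [
    f"<132>Jun 12 10:{i:02d}:00 {host} kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10"
    for host, n in SAMPLE_COUNTS.items() for i in range(n)
] + ["this is not a syslog line"]

if __name__ == "__main__":
    counts = events_per_host(SAMPLE_LINES)
    print("events per host:", dict(counts))
    print("outliers:", outlier_hosts(counts))  # ['fw-05']
```

Run it over the real files instead of `SAMPLE_LINES` and group by hour to get a per-firewall trend; a host that jumps out of its usual band is the first thing a dashboard should surface.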
No_Wear295@reddit
I'm sure someone will correct me if I'm wrong (this is Reddit after all) but I feel that expecting to run a SIEM on a Pi is like expecting to tow a 5th wheel camper with a Smart Car.... I've looked at both SecurityOnion and Wazuh in the past and they seem like good solutions, but you'll need more / stronger hardware. If you're that tight for budget, or size, look at refurb / off-lease business machines. A refurb Optiplex Micro is easy to tuck away somewhere and there's probably a ton coming available that aren't W11 compatible but will run Linux all day long.
Graylog is another option that's less of a SIEM but may get you part of what you're looking for from an ingestion and alerting perspective. I haven't looked at it in a while so I'm not sure how much automated analysis and correlation it's able to do.
Discomm@reddit
SIEM hosted on a raspberry pi 5 getting logs from 160 different firewalls? If you can manage it, I need an updated post bc I'm getting tired of this MS Sentinel bill.....
Anyways, always remember to account for retention. Industry standard is usually 90 days, but even if you go for 30 that’s still probably TBs of data to be housed.
Also, as another commenter noted, Wazuh is a great open source EDR, and it is also a great open source XDR and SIEM.
Good luck!
Oricol@reddit
You're going to need a stronger machine to run it but check out Security Onion.
https://securityonionsolutions.com/
LonelyDilo@reddit (OP)
Thank you! Is this open source?
Oricol@reddit
If you don’t have an EDR platform check out Wazuh. It’s open source as well.
LonelyDilo@reddit (OP)
Unfortunately wazuh-indexer isn't available on arm64 architectures. At least according to chatgpt
winky9827@reddit
https://media.giphy.com/media/e5uyWolyR0y30Wo1ya/giphy.gif?cid=790b761141q32nblwyrhmk1dltw828qsrzeucpvsypgnjxkc&ep=v1_gifs_search&rid=giphy.gif&ct=g
LonelyDilo@reddit (OP)
It’s the paid version. Trust me. There’s no way it’s inaccurate
winky9827@reddit
I can't tell if you're trying to be serious or not.
LonelyDilo@reddit (OP)
I'm joking, but it is an extremely helpful tool.
Oricol@reddit
Elastic license 2.0 https://securityonionsolutions.com/license