5 Best Free and Open-Source SIEM Tools in 2019

In this article, I not only provide my top picks of more enterprise-grade Security Information and Event Management (SIEM) products that offer free, fully functional trials, I also list my recommendations of the best free SIEM tools on the market today as well as tips on what to look for and how to choose the best SIEM tool for your security needs.

Better Than Free and Open-Source SIEM Tools

Free trials of enterprise-grade SIEM software are a great way to try out a solution to see if you need the features a full SIEM software can offer. My picks for best free trial SIEM tools are the following:

Security Event Manager

SolarWinds Security Event Manager (SEM) comes with a 30-day free trial—plenty of time to figure out if it’s the right choice for you. I prefer SEM not only for security but for all issues that relate to event logging, including compliance and performance troubleshooting.

Security Event Manager

This is an all-purpose SIEM solution with a particular emphasis on compliance for HIPAA, PCI DSS, SOX, and more. SEM has robust out-of-the-box functionality, which makes implementation a snap. A lot of this comes from the fact that it is so self-contained. The included automation parameters block hundreds of types of threats, and the advanced search brings a search engine-like functionality to log analysis.

Threat Monitor

Threat Monitor is a security-focused SIEM option with the same great expertise and support from SolarWinds. By downloading the 14-day fully functional free trial, you’ll be protected from the latest newly-discovered vulnerabilities in near-real time with its constantly-updated threat assessments and intrusion detection capabilities.

Threat Monitor

There are more automated responses and more control over programming your own automated responses with Threat Monitor. Plus, you still get compliance reporting and highly detailed, easily searchable indices. The product is cloud-based, which means you’ll get all this functionality with low to no footprint and constant accessibility.

Top Free SIEM Software

The following are some free SIEM tools you should consider in 2019, whether they’re open-source SIEM software, limited versions of commercial products, or free trials that could help you figure out what you need.

Splunk Free

Splunk Free

For functionality, the full Splunk product is one of the top SIEM software in the game. It offers comprehensive security overviews and is a breeze to navigate despite its complexity. The visualization and asset analysis capabilities are particularly useful. However, be sure to note that the free version, while similar to the full license, lets you index only up to 500 MB per day. Obviously, this doesn’t work for many businesses. There are other limitations to the free version, too, so it’s not a great long-term solution.

Snort

Snort

Snort is a popular intrusion detection and prevention software for Windows and Linux. It monitors your network traffic and enacts the rules your program, without a ton of bells and whistles. On the other hand, Snort is not a full SIEM. Those who are looking for these specific capabilities will likely be happy with the performance, but don’t expect a comprehensive networking logging and monitoring system.

OSSEC

OSSEC

OSSEC is an open-source intrusion detection system popular among everyone except the Windows crowd. It’s fully available for macOS, Linux, Solaris, and BSD. Advantages include both serverless and server-agent modes, and near full functionality in the open-source version. I enjoy OSSEC’s log analysis, which analyzes many different sources including FTP, mail servers, databases, and more. Plus, OSSEC is optimal for monitoring several networks from one point.

But the system has several disadvantages. It’s only available for Windows in server-agent mode. Also, users have reported problems when updating as the software reverts to out-of-the-box rules. Even if you offload and reload your settings, it can cause mayhem during the update itself.

OSSIM

OSSIM

OSSIM is one of the most powerful and thorough open-source options available. It has pretty much all the functionality I described above, including both short-term logging and monitoring (SEM) and long-term threat assessment, data archiving and analysis, and automated responses (SIM).

However, OSSIM is inflexible and unwieldy. Sysadmins complain of laborious setups, especially on Windows, and massive investments of time to customize the software. (Support from OSSIM is prohibitively expensive too.) If you would end up spending all that time and money anyway, it is worth considering paid SIEM tool options from the start.

Elasticsearch

Elasticsearch

Elasticsearch, formerly known as ELK Search, is a package of software solutions. (ELK is an acronym for the component programs Elasticsearch, Logstash, and Kibana.) As such, Elasticsearch is a powerful and versatile suite, but it lacks some important functionality.

Logstash and Beats provide the log records. Beats are fast and simple data shippers and collectors, while Logstash filters that data and enables numerous custom plug-ins. Elasticsearch is the engine that powers exploration of the data, and Kibana provides visualization.

Elasticsearch lacks some important features that would make it a full-fledged SIEM. Notably, it is weak on correlation, provides no out-of-the-box alerts, and cannot provide incident management on its own. Still, with its powerful architecture, customizability, and open-source nature, it’s no surprise that Elasticsearch is so powerful and also provides the basis for several of the other selections on this list.

SIEM Features and Functionality

Before you choose a SIEM solution, let me explain a little bit about the basics of SIEM, what to look for in a SIEM tool, as well as the pros and cons about trying free or open-source SIEM solutions over an enterprise-grade software.

Security Information and Event Management, or SIEM, combines two areas that were previously thought of as separate: Security Information Management (SIM) and Security Event Management (SEM). Even now, the three terms are often used interchangeably, though there are subtle and important differences.

SEM software tracks ongoing network event logs, making it necessary for short-term analysis and troubleshooting of disruptions. SIM software stores and analyzes huge volumes of historical network data—it’s more useful for predicting future threats. You’ll want to combine these long-term and short-term security efforts into a unified SIEM solution.

Whether you’re looking for a paid, free, or open-source SIEM solution, you’ll want to look for tools with the following features:

  • Event Logging: At its most basic level, event logging is central to SIEM. Collection of all events on your network enables you to detect real-time abnormalities and investigate disruptions.
  • Intrusion Detection: A good SIEM not only tracks your network behavior, but it can also analyze that data in near-real time. Data is not useful without context; for example, one user with many failed password attempts might be innocuous, but many simultaneous systemwide attempts could be a brute force attack.
  • Automated Alerts: Along with analysis and intrusion detection, SIEM systems should notify network administrators.
  • AI/Smart Threat Detection: A good SIEM system not only detects intrusions but anticipates and predicts future threats. This requires streams of information on the latest threats to be compared against both recent and archival data.
  • Data Filtering and Storage: Event logs produce massive amounts of data that must be maintained to enable thorough archival analysis. Like event logging, this is important for detecting abnormalities and investigating problems after-the-fact. SIEM solutions must provide useful filters to ensure that data is targeted and useful, and also allow users to store that data in an accessible and cost-efficient manner.
  • Visualization: Seeing your data and threat assessments in graph form will greatly aid your security functions. It’s increasingly standard in SIEM software, either as an integrated function or provided by a third-party add-on.
  • Compatibility: SIEM software should be compatible with users’ existing network to provide a complete picture of events.
  • Compliance: In certain industries, SIEM software should help ensure regulatory compliance.  

When it comes to free and/or open-source SIEM tools, I know a lot of smaller organizations that are just beginning to log and analyze security event data tend to go with this option. This is obviously cheaper. Of course, over time, many IT departments find this too labor-intensive and may opt for a more enterprise-grade product. I don’t know too many IT departments happy using a free SIEM option long term.

The Last Word on Best SIEM Software Available

SIEM solutions should provide both short-term and long-term monitoring and protection, with minimum fuss and expense for set up and customization. Check out some of these free and open source SIEM products if your organization is just starting out with SIEM or isn’t particularly large. But when you’re ready for an enterprise-level SIEM software, I suggest trying a tool like Security Event Manager as it provides an all-around security event management solution with an emphasis on logging and compliance.

Recommended Reading

Best Log Management Software 2019
Log management is a big part of SIEM, so your LM software should be compatible and integrated with your SIEM solution.

Top 10 Log Sources You Should Monitor
Knowing where to look when troubleshooting will increase the effectiveness of your SIEM software.

No Need to Be Alarmed: Crafting an Effective Alert Strategy
As I noted, alerts are an important feature in SIEM software. Pick up some tips on creating helpful alerts here.