DEV Community

Ayi NEDJIMI

Wazuh vs Elastic SIEM vs Splunk Free: Open-Source SIEM Compared (2026)

Your servers are generating thousands of log lines per minute, and you have no idea which ones matter. A SIEM (Security Information and Event Management) platform is supposed to solve that — correlate events, detect threats, and alert your team before damage is done. The problem: commercial SIEM licenses can cost $50k/year and up. The free alternatives are genuinely capable, but they make very different trade-offs.

This article compares three realistic options for teams without an enterprise security budget: Wazuh, the Elastic SIEM stack, and Splunk Free.

What We're Actually Comparing

"Free" means different things for each platform:

  • Wazuh: Fully open-source (GPLv2 for the manager, Apache 2.0 for the dashboard). No license caps, no feature gating. Community-supported with commercial support options.
  • Elastic SIEM: The security analytics layer on top of Elasticsearch + Kibana. The SIEM features themselves are free, but Elastic's licensing changed in 2021 — you're running SSPL unless you use the managed cloud offering. Self-hosted is fine, just know what you're agreeing to.
  • Splunk Free: Hard-capped at 500 MB/day ingestion. Above that, it stops indexing. Not viable for anything beyond a small homelab or a single application.

That 500 MB cap effectively eliminates Splunk Free from most real deployments, so this comparison becomes primarily Wazuh vs Elastic SIEM, with Splunk Free as a distant third for specific niche use cases.

Architecture Differences

Wazuh is agent-based. You install a Wazuh agent on each host you want to monitor. Agents ship logs, file integrity events, process activity, and vulnerability scan results back to the Wazuh manager. The manager runs correlation rules and sends alerts. The UI is a fork of Kibana, skinned for security workflows.

# Query Wazuh alerts via its REST API
import requests

WAZUH_API = "https://your-wazuh-manager:55000"
# The manager's default certificate is self-signed, hence no verification here.
# Outside a lab, point this at the manager's CA bundle so TLS is actually checked.
VERIFY_TLS = False

def authenticate(user: str, password: str) -> str:
    """Exchange API credentials (HTTP basic auth) for a short-lived bearer token."""
    resp = requests.post(
        f"{WAZUH_API}/security/user/authenticate",
        auth=(user, password),
        verify=VERIFY_TLS,
        timeout=10,
    )
    resp.raise_for_status()
    return resp.json()["data"]["token"]

def get_recent_alerts(token: str, level_min: int = 10, limit: int = 50) -> list:
    """Return the newest alerts whose rule level is at least level_min."""
    headers = {"Authorization": f"Bearer {token}"}
    params = {
        "limit": limit,
        "sort": "-timestamp",
        "q": f"rule.level>={level_min}",
    }
    resp = requests.get(
        f"{WAZUH_API}/alerts",
        headers=headers,
        params=params,
        verify=VERIFY_TLS,
        timeout=10,
    )
    resp.raise_for_status()
    return resp.json().get("data", {}).get("affected_items", [])

if __name__ == "__main__":
    token = authenticate("wazuh-wui", "your-password")
    alerts = get_recent_alerts(token, level_min=12)
    for alert in alerts:
        agent_name = alert.get("agent", {}).get("name", "unknown")
        print(f"[{alert['rule']['level']}] {alert['rule']['description']} on {agent_name}")

Elastic SIEM works differently. You use Beats (Filebeat, Winlogbeat, Packetbeat) or Elastic Agent to ship logs into Elasticsearch. Kibana's Security app then provides detection rules, timelines, and case management on top of that raw data. Detection rules are written in EQL (Event Query Language) or KQL.

The architecture is more flexible but also more complex. You're assembling a stack (Elasticsearch + Kibana + ingestion layer), whereas Wazuh ships as a more cohesive bundle.

Detection Quality Out of the Box

This is where Wazuh has a genuine advantage for teams that want something working on day one. Wazuh ships with 3,000+ detection rules covering Linux syscalls, Windows event IDs, web application attacks, Docker/Kubernetes activity, and common CVEs. The rules are maintained by the community and mapped to MITRE ATT&CK.

Elastic's detection rules are also MITRE-mapped and actively maintained, but they live in a separate GitHub repository and need to be imported. Once imported, the quality is comparable — there's just more setup friction.

For custom rules, Elastic wins on expressiveness. EQL is designed for threat hunting and lets you correlate sequences of events across time:

# Run an EQL sequence query with the Elasticsearch Python client
from elasticsearch import Elasticsearch

es = Elasticsearch(
    "https://your-elastic:9200",
    api_key=("key-id", "api-key-value"),
)

# Flag cmd.exe started by an unexpected parent that then opens an outbound
# connection on port 443 from the same host within 30 seconds.
# EQL string literals use double quotes; single quotes are reserved.
eql_query = """
sequence by host.name with maxspan=30s
  [process where process.name == "cmd.exe"
   and process.parent.name != "explorer.exe"
   and process.parent.name != "powershell.exe"]
  [network where destination.port == 443
   and process.name == "cmd.exe"]
"""

resp = es.eql.search(
    index="logs-*",
    query=eql_query,
    size=20,
)

# Sequence queries return hits.sequences; each holds the matched events in order
for hit in resp["hits"]["sequences"]:
    events = hit["events"]
    host = events[0]["_source"]["host"]["name"]
    print(f"Suspicious cmd.exe network activity on {host}")
    for e in events:
        dst = e["_source"].get("destination", {}).get("ip", "N/A")
        proc = e["_source"]["process"]["name"]
        print(f"  {proc} -> {dst}")

This kind of event-sequence correlation is harder to express in Wazuh's XML rule format, though Wazuh 4.x added composite rules that partially close the gap.
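To make the difference between the two rule models concrete, here is a small Python correlator added as an example; it is not code from Wazuh or Elastic. It implements a frequency rule (the semantics of Wazuh's `<if_matched_sid>`, `<frequency>`, `<timeframe>` and `<same_source_ip>` options: N matches of one base rule inside a window, counted per source IP) and an ordered two-stage sequence rule (what the EQL `sequence by host.name with maxspan=` query above expresses), then replays constructed alerts through both. The rule IDs, the `Alert` shape and the sample alerts are all constructed for the demonstration.

```python
# Added example: a toy correlator contrasting the two rule models. Not code
# from Wazuh or Elastic; rule IDs, event shape and sample alerts are constructed.
#   FrequencyRule ~ Wazuh <if_matched_sid> + <frequency> + <timeframe> + <same_source_ip>
#   SequenceRule  ~ EQL "sequence by host.name with maxspan=..." with two stages
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: float      # epoch seconds
    rule_id: int   # base rule that already matched this event
    src_ip: str
    host: str


@dataclass(frozen=True)
class FrequencyRule:
    rule_id: int      # id reported when the composite fires
    matched_sid: int  # base rule whose matches are counted
    frequency: int    # fire on the Nth match ...
    timeframe: float  # ... seen within this many seconds, per source IP


@dataclass(frozen=True)
class SequenceRule:
    rule_id: int
    first_sid: int    # stage A
    then_sid: int     # stage B, must follow A on the same host
    maxspan: float    # seconds allowed between A and B


class Correlator:
    def __init__(self, rules):
        self.rules = rules
        self.windows = defaultdict(deque)  # (rule_id, src_ip) -> match timestamps
        self.pending = {}                  # (rule_id, host) -> timestamp of stage A

    def process(self, alert):
        """Feed one alert; return [(composite_rule_id, grouping_key), ...] that fired."""
        fired = []
        for rule in self.rules:
            handler = self._frequency if isinstance(rule, FrequencyRule) else self._sequence
            fired.extend(handler(rule, alert))
        return fired

    def _frequency(self, rule, alert):
        if alert.rule_id != rule.matched_sid:
            return []
        win = self.windows[(rule.rule_id, alert.src_ip)]
        win.append(alert.ts)
        while win and alert.ts - win[0] > rule.timeframe:  # expire old matches
            win.popleft()
        if len(win) >= rule.frequency:
            win.clear()  # this model starts a fresh count after firing
            return [(rule.rule_id, alert.src_ip)]
        return []

    def _sequence(self, rule, alert):
        key = (rule.rule_id, alert.host)
        if alert.rule_id == rule.first_sid:
            self.pending[key] = alert.ts  # remember (or refresh) stage A
        elif alert.rule_id == rule.then_sid and key in self.pending:
            if alert.ts - self.pending.pop(key) <= rule.maxspan:
                return [(rule.rule_id, alert.host)]
        return []


# Constructed sample alerts. Base rule ids (hypothetical): 100010 = sshd auth
# failure, 100020 = cmd.exe with unexpected parent, 100030 = cmd.exe -> tcp/443.
SAMPLE_ALERTS = [
    Alert(0, 100010, "203.0.113.7", "web-1"),
    Alert(5, 100010, "203.0.113.7", "web-1"),
    Alert(8, 100010, "198.51.100.9", "web-1"),   # different source, counted apart
    Alert(12, 100010, "203.0.113.7", "web-1"),
    Alert(15, 100020, "10.0.0.5", "ws-42"),       # stage A on ws-42
    Alert(20, 100010, "203.0.113.7", "web-1"),
    Alert(25, 100010, "203.0.113.7", "web-1"),    # 5th failure within 60 s: fires
    Alert(40, 100030, "10.0.0.5", "ws-42"),       # stage B 25 s after A: fires
    Alert(100, 100020, "10.0.0.6", "ws-43"),
    Alert(140, 100030, "10.0.0.6", "ws-43"),      # 40 s after A, beyond maxspan
]

RULES = [
    FrequencyRule(rule_id=100011, matched_sid=100010, frequency=5, timeframe=60),
    SequenceRule(rule_id=100031, first_sid=100020, then_sid=100030, maxspan=30),
]


def run(alerts=SAMPLE_ALERTS, rules=RULES):
    """Replay alerts in time order and collect every composite rule that fired."""
    engine = Correlator(rules)
    fired = []
    for alert in sorted(alerts, key=lambda a: a.ts):
        fired.extend(engine.process(alert))
    return fired


if __name__ == "__main__":
    for rule_id, key in run():
        print(f"composite rule {rule_id} fired for {key}")
```

The frequency rule only ever counts repeats of a single base rule keyed by one field, which is exactly what the Wazuh options express and why they need no per-stage state. The sequence rule has to remember stage A per host and check the gap when stage B arrives; that ordered, cross-event state is what EQL gives you in one `sequence` clause and what is awkward to express with frequency-style composite rules.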

Scalability and Operational Cost

At small scale (under 500 agents, 10k events per second), both platforms work fine on modest hardware. Wazuh's recommended minimum for production is 4 CPU cores and 8 GB RAM for the manager.

Elastic's RAM appetite is well-known. Elasticsearch JVM heap should be 50% of available RAM, capped at 31 GB for GC performance reasons. A production Elastic stack that handles real log volumes comfortably needs 16-32 GB RAM and fast SSDs. Multi-node clusters multiply that.

Wazuh also uses Elasticsearch under the hood (the indexer component is a rebranded OpenSearch fork), but operational complexity is lower because Wazuh manages it for you. You don't tune JVM settings manually unless something breaks.

For compliance use cases (PCI-DSS, HIPAA, SOC 2), Wazuh includes built-in compliance dashboards mapped to specific control frameworks. Elastic requires you to build these views yourself or pay for the Elastic Security subscription. Our security hardening checklists include the specific Wazuh rules and agent policies needed to satisfy each control, which has saved a few teams days of mapping work.

The Honest Comparison

| Criterion | Wazuh | Elastic SIEM | Splunk Free |
|---|---|---|---|
| License | Open-source | SSPL (self-hosted) | Free, 500 MB/day cap |
| Setup time | 2-4 hours | 4-8 hours | 1-2 hours |
| Default rules | 3,000+ | ~650 (must import) | Limited |
| Advanced queries | Limited | EQL - excellent | SPL - excellent |
| RAM requirements | Moderate | High | Moderate |
| Compliance dashboards | Built-in | Manual | Manual |
| Scalability ceiling | High | Very high | Hard-capped |

Choose Wazuh if: you want a cohesive security platform with agent-based monitoring, built-in compliance reports, and lower operational overhead. It's the pragmatic choice for teams of 1-5 people responsible for security.

Choose Elastic SIEM if: you already run Elasticsearch for other workloads, have large log volumes that need full-text search flexibility, or your team has threat hunters who need EQL for complex correlation queries.

Avoid Splunk Free for anything beyond a demo environment. The 500 MB/day cap hits immediately in any real deployment.

The Takeaway

There's no universally better option — the right SIEM depends on your team size, existing infrastructure, and what "free" actually means operationally. Wazuh wins on out-of-box security coverage and setup simplicity. Elastic SIEM wins on query power and ecosystem depth. Splunk Free is a demo, not a production tool.

For most small-to-medium teams starting from scratch, Wazuh is where to begin. You can have detection rules running, agents deployed, and dashboards live in an afternoon. Once you've outgrown it or need more advanced correlation, the migration path to Elastic is well-documented.

Start with working detection, not the most powerful platform you can't configure.


I run AYI NEDJIMI Consultants, a cybersecurity consulting firm. We publish free security hardening checklists — PDF and Excel.