Homelab SIEM recommendations?

Ch33rios

Member
Nov 29, 2016
102
6
18
41
Hey all - just wanted to see what any more security minded folks are using to monitor their home network from a SIEM perspective. There are a few opensource/freemium options out there and I wanted to get opinions on what folks have had extreme success with.

My plan is to build something that will at least monitor my virtual networks within my esxi instance...for now :) I was looking at Greylog, Splunk, LogRhythm, Alienvault but again, open to recommendations. I've very briefly tried LogRhythm and Alienvault and so far I couldnt get LogRhythm to enable the interfaces on reboots (had to manually enable at cli) and then Alienvault OSSIM so far has had database problems after a 100% fresh install (trying again tho).

Thanks in advance!
 

nitrobass24

Moderator
Dec 26, 2010
1,087
131
63
TX
Splunk is great if you just want to learn it, but the free version is limited to indexing 500MB a day. I was chewing through that in a day with just my firewall and DNS server pointed at it.

AlienVault I tried briefly, but I quickly gave up on trying to SIEM my home. Not a lot of use-cases that I felt were worth the time investment of getting it setup, plus all of these solutions chew up RAM and CPU. I know some folks on here have massive systems, but everything I run is ITX or smaller and under 16GB of RAM. Using half of my capacity for minimal increase in security was not worth it.
 
  • Like
Reactions: Ch33rios

Ch33rios

Member
Nov 29, 2016
102
6
18
41
Splunk is great if you just want to learn it, but the free version is limited to indexing 500MB a day. I was chewing through that in a day with just my firewall and DNS server pointed at it.

AlienVault I tried briefly, but I quickly gave up on trying to SIEM my home. Not a lot of use-cases that I felt were worth the time investment of getting it setup, plus all of these solutions chew up RAM and CPU. I know some folks on here have massive systems, but everything I run is ITX or smaller and under 16GB of RAM. Using half of my capacity for minimal increase in security was not worth it.
Yeah. Admittedly as I typed that I found myself wondering if the large amount of time spent is really worth it or not as I'd probably have to build it all from scratch (use cases and such). Do you happen to do any other basic monitoring of your systems? If so what?
 

nitrobass24

Moderator
Dec 26, 2010
1,087
131
63
TX
Yeah. Admittedly as I typed that I found myself wondering if the large amount of time spent is really worth it or not as I'd probably have to build it all from scratch (use cases and such). Do you happen to do any other basic monitoring of your systems? If so what?
Well yes, I have a wife....who promptly sends me loads to text messages when something doesnt work :) Really though so many things are internet connected that when it breaks, I get a million notifications on my phone.

Honestly, I have been trying to minimize what I have to run and that meant cutting unnecessary system management components. I used to run 2x AD servers, WSUS, Spacewalk, OpenVAS and FAN (nagios).

I decided I was better off building a hardened CentOS Minimal image and getting rid of the above. I now just have the services I need.
1x DNSMasq for DNS & DHCP
1x Plex
1x UnifiController (will probably move to Docker soon)
1x NextCloud
1x VCSA
Sonarr, NZBGet, Couchpotato, UnifiVideo, UnifiPhone all run on Synology (Docker) .

Sure I have to manually update these now, but SSHing into 4 machines once a week is not that bad. I spend arguably less time doing that, then I did approving updates in WSUS.
 

PigLover

Moderator
Jan 26, 2011
3,081
1,388
113
I'll second @nitrobass24's thoughts here. KISS. Simple is better.

I went overboard using ELK and a massive log analysis attempt. Abort...overwhelming and didn't add a lot of value at all.

Now I do three simple things:
  1. Externally visible websites are monitored for reachability using Uptimerobot.com (I made almost no attempt to research options - free, easy and supports ipv6 - so I stopped looking around). Mostly from this I learn just how unreliable Comcast is (like that's really news).
  2. I run a Zabbix server and monitor my VMs and network infrastructure. I don't do much more than the built-in templates permit and i get alerts when a machine/VM is unreachable (down) or - in the case of network gear that supports SNMP - when a port changes from online to offline. This tells me almost everything I need.
  3. I protect the "front door" with Suricata IDS/IPS in active block mode running on my pfSense router.
I feel reasonably secure and feel like I know enough about the state of the network to be happy. Frankly I don't have anything running worth penetrating - if I did I'd be more careful (heck, if a bad guy wants to watch one of the DVDs I've ripped, well, have at it...).
 

Ch33rios

Member
Nov 29, 2016
102
6
18
41
I feel reasonably secure and feel like I know enough about the state of the network to be happy. Frankly I don't have anything running worth penetrating - if I did I'd be more careful (heck, if a bad guy wants to watch one of the DVDs I've ripped, well, have at it...).
Heh agreed. Its more of an interest I suppose to do something extra. Perhaps I can try Suricata on its own in a separate VM before I do anything else. At least that'll keep me entertained for a bit :)
 

PigLover

Moderator
Jan 26, 2011
3,081
1,388
113
FWIW, setting up Suricata stand-alone is not for the feint of heart. However, the pfSense packaging makes it a piece of cake.
 

T_Minus

Build. Break. Fix. Repeat
Feb 15, 2015
7,342
1,797
113
CA
Well yes, I have a wife....who promptly sends me loads to text messages when something doesnt work :) Really though so many things are internet connected that when it breaks, I get a million notifications on my phone.

Honestly, I have been trying to minimize what I have to run and that meant cutting unnecessary system management components. I used to run 2x AD servers, WSUS, Spacewalk, OpenVAS and FAN (nagios).

I decided I was better off building a hardened CentOS Minimal image and getting rid of the above. I now just have the services I need.
1x DNSMasq for DNS & DHCP
1x Plex
1x UnifiController (will probably move to Docker soon)
1x NextCloud
1x VCSA
Sonarr, NZBGet, Couchpotato, UnifiVideo, UnifiPhone all run on Synology (Docker) .

Sure I have to manually update these now, but SSHing into 4 machines once a week is not that bad. I spend arguably less time doing that, then I did approving updates in WSUS.
LOL, while not home some of my work servers I feel the same...
It's kind of funny... some services I monitor on 3M interval and others on 5M (entire server/ping/etc), verify with other locations, yadi yadi yadi... stuff that's great when there's a reason to justify cost. Well I have one client that's CONSTANTLY checking his business #s, and he's caught network splits or software updates and e-mailed me seconds BEFORE I get an alert... lol, I'm always amazed.

I'll second @nitrobass24's thoughts here. KISS. Simple is better.

I went overboard using ELK and a massive log analysis attempt. Abort...overwhelming and didn't add a lot of value at all.

Now I do three simple things:
  1. Externally visible websites are monitored for reachability using Uptimerobot.com (I made almost no attempt to research options - free, easy and supports ipv6 - so I stopped looking around). Mostly from this I learn just how unreliable Comcast is (like that's really news).
  2. I run a Zabbix server and monitor my VMs and network infrastructure. I don't do much more than the built-in templates permit and i get alerts when a machine/VM is unreachable (down) or - in the case of network gear that supports SNMP - when a port changes from online to offline. This tells me almost everything I need.
  3. I protect the "front door" with Suricata IDS/IPS in active block mode running on my pfSense router.
I feel reasonably secure and feel like I know enough about the state of the network to be happy. Frankly I don't have anything running worth penetrating - if I did I'd be more careful (heck, if a bad guy wants to watch one of the DVDs I've ripped, well, have at it...).
I've been using WebsitePulse.com for over a decade now, not cheap but crap load of options... and ultimate when I got it years and years ago it was the best and pretty much ONLY option. I used pingdom for free as a backup but they don't offer that service anymore :(

Has Suricata ever reported positive threats or issues?
 

PigLover

Moderator
Jan 26, 2011
3,081
1,388
113
Has Suricata ever reported positive threats or issues?
Yes. Once. Found a netgear router that was compromised (blocked outbound traffic to a "known low reputation" host). There shouldn't have been any traffic from the admin IP of that router...

Also finds/blocks an incredible number of scans. Shocking, really - at least 5-10 attempts/hour. Doubtful any of them would get through - but I do like the idea of just black-holing the source of address for an hour once it is identified as suspicious. Peace of mind (or perhaps false sense of security - but I'm good with that).

I also have it set to block high-risk web practices, like blocking access to websites that use clear-text passwords. Annoys my wife and kids - but give me a chance to preach security practice. If they persist I'll install an over-ride for certain sites.
 
Last edited:

Gary Gapinski

New Member
Oct 24, 2015
17
3
3
71
I use Suricata and Greylog (for IDS and logging respectively. However, setting them up manually is a bit of a bother. ELK is also good for logging, but is also non-trivial to set up.

I have briefly looked at Security Onion and it appeared to be a nice bundle of several applications.
 

Gary Gapinski

New Member
Oct 24, 2015
17
3
3
71
Has Suricata ever reported positive threats or issues?
A few.

Smart phone began contacting Beijing daily sending IMEI+more in the clear (began with an app update; all apps from that developer no longer used).

Free inbound port scans from Shodan to RFC 4941 IPv6 address proximate with NTP request from smart phone to pool.ntp.org.

Visits from reputable inspection bots (e.g., censys.io).

And, not from Suricata, but the usual log entries from typical blocked exploit attempt traffic.

Not quite threats or issues, but one would be surprised what goes on in home network with all sorts of typical consumer devices. Only if one is actually watching, of course.
 
  • Like
Reactions: T_Minus

Ellwood

Member
Nov 20, 2016
33
11
8
43
Splunk is great if you just want to learn it, but the free version is limited to indexing 500MB a day. I was chewing through that in a day with just my firewall and DNS server pointed at it.

AlienVault I tried briefly, but I quickly gave up on trying to SIEM my home. Not a lot of use-cases that I felt were worth the time investment of getting it setup, plus all of these solutions chew up RAM and CPU. I know some folks on here have massive systems, but everything I run is ITX or smaller and under 16GB of RAM. Using half of my capacity for minimal increase in security was not worth it.
You can request a Dev license, it used to be 50GB, but looks like it's down to 10GB now. Still, should be good for a home lab (depending on size, I guess)

Splunk Developer FAQs
 

RTM

Well-Known Member
Jan 26, 2014
892
334
63
I don't really know of a "free" SIEM that'll not require you to setup your own alert rules etc, nevertheless here's my 10 cents (some of it may be a little inaccurate, it is based on memory, and I haven't had the time to factread it :) ).

Obviously Alienvault OSSIM and Splunk has already been mentioned, so I will not bother delving into that topic.

Personally I am a fan of the ELK stack (it has been renamed to "the Elastic Stack", to indicate that their stack now includes Beats - various clients to ship logs), as it gives me a lot of control. The downside to that is that you probably will have to spend a lot of time setting it up, for instance unless you get Elastic's X-Pack (which is not free) you will have to use something like ElastAlert to setup alerting. If you are looking to kickstart an ELK setup you may want to look into the project SOF-ELK, I haven't tried it out myself, but it is made by a guy (Phil Hagen) who is connected to SANS, and they usually know their stuff.
Oh and FWIW I would not suggest using Beats clients, for the same reason, why I wouldn't suggest using other vendor specific log shipping clients: they restrict what you can send your logs to. If you use standard syslog (ideally TLS encrypted), ideally forwarded to a generic syslog forwarder, you can change your Log Management/SIEM solution a little easier.

Other than that, I think loggly.com's services look interesting, there is a free tier, that may be of use (though it is limited to 200MB/day and no alerting). The biggest benefit to that over all the other solutions, is that it is cloud based, so you don't have to host the setup yourself, something that may also be a downside, if you do not want to store your logs elsewhere.

Besides that the vendor Logpoint, has a free license, which may be of interest, it has a somewhat weird 90 day limit (you have to request it to be renewed) and has some other limitations (EPS max and max number of nodes).
 
Last edited:

cheezehead

Active Member
Sep 23, 2012
723
176
43
Midwest, US
Also a fan of ELK, you can toss pretty much anything at it. The only downside is it does take some time to get setup and configured.
 

Simon R.

New Member
Apr 13, 2017
1
0
1
41
I've been using WebsitePulse.com for over a decade now, not cheap but crap load of options... and ultimate when I got it years and years ago it was the best and pretty much ONLY option. I used pingdom for free as a backup but they don't offer that service anymore :(
Yeah, I've been using websitepulse.com for quite a long time now as well. The only place they wrote a custom script for my needs. Haven't found similar service from any others.
 

Gyusel

New Member
Aug 5, 2021
1
0
1
Hey all - just wanted to see what any more security minded folks are using to monitor their home network from a SIEM perspective. There are a few opensource/freemium options out there and I wanted to get opinions on what folks have had extreme success with.

My plan is to build something that will at least monitor my virtual networks within my esxi instance...for now :) I was looking at Greylog, Splunk, LogRhythm, Alienvault but again, open to recommendations. I've very briefly tried LogRhythm and Alienvault and so far I couldnt get LogRhythm to enable the interfaces on reboots (had to manually enable at cli) and then Alienvault OSSIM so far has had database problems after a 100% fresh install (trying again tho).

Thanks in advance!
Hi,
My friend currently is using in his company the free SIEM tool "UTMStack". If your company is small or medium-sized, this platform would be perfect for you because help you to simplify cybersecurity management and compliance, flatting the learning curve and reduce cybersecurity cost with it free Community version UTMStack | Next-Generation SIEM & Compliance Platform