A Security Information and Event Management (SIEM) system collects, correlates, and analyzes security events from across your infrastructure. This guide covers setting up an open-source SIEM stack for your VPS environment.
What a SIEM Does
- Collects logs from multiple sources (servers, applications, network devices)
- Normalizes and correlates events across systems
- Detects security incidents through rule-based and anomaly-based analysis
- Provides dashboards and visualizations for security monitoring
- Generates alerts for suspicious activity
- Supports incident investigation and forensics
Open-Source SIEM Options
| Solution | Stack | Resource Needs | Best For |
|---|---|---|---|
| Wazuh + ELK | Wazuh + Elasticsearch + Kibana | High (8GB+ RAM) | Full-featured SIEM |
| Graylog | Graylog + MongoDB + Elasticsearch | High (8GB+ RAM) | Log management focus |
| Security Onion | Complete security platform | Very High (16GB+) | Network security monitoring |
| Grafana Loki | Loki + Grafana + Promtail | Medium (4GB+) | Lightweight log aggregation |
Lightweight Option: Grafana Loki Stack
```bash
# Put the three containers on one Docker network so Promtail and Grafana can
# reach Loki by container name (http://loki:3100)
docker network create siem

# Install Loki (log aggregation). Loki has no authentication of its own, so
# bind its port to localhost only rather than exposing it on the VPS's public address
docker run -d --name=loki --network=siem -p 127.0.0.1:3100:3100 grafana/loki:latest

# Install Promtail (log collector). It ships the files listed in
# promtail-config.yml (client url: http://loki:3100/loki/api/v1/push) to Loki.
# Configure promtail-config.yml to collect:
# - /var/log/syslog
# - /var/log/auth.log
# - /var/log/nginx/*.log
# - Application logs
docker run -d --name=promtail --network=siem \
  -v "$PWD/promtail-config.yml:/etc/promtail/config.yml" \
  -v /var/log:/var/log:ro \
  grafana/promtail:latest -config.file=/etc/promtail/config.yml

# Install Grafana (visualization)
docker run -d --name=grafana --network=siem -p 3000:3000 grafana/grafana:latest

# Add Loki as a data source in Grafana (URL: http://loki:3100)
# Create dashboards for:
# - Failed SSH attempts
# - Web server errors
# - Application exceptions
# - Unusual traffic patterns
```
Alert Rules
```text
# Essential SIEM alert rules:
# 1. Multiple failed SSH logins from same IP (>5 in 5 min)
# 2. Successful login from new IP address
# 3. Privilege escalation (su/sudo usage)
# 4. File integrity changes on critical files
# 5. Unusual outbound network connections
# 6. Web application errors spike (>10x normal)
# 7. Disk space critical (
```
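As an added example that is not part of the original guide, the following Python script implements rules 1 and 2 from the list above over a few constructed sshd auth.log lines: a sliding five-minute window that flags a source IP after more than five failed passwords, and a baseline of known addresses so that a successful login from an IP not seen before raises an alert. The log lines, the host name, the IP addresses and the year used to complete the syslog timestamps are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines in syslog format (not real data). Syslog timestamps omit
# the year, so the year is assumed when parsing.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Mar  3 10:00:09 vps sshd[1203]: Failed password for root from 203.0.113.7 port 41030 ssh2
Mar  3 10:01:15 vps sshd[1207]: Failed password for root from 203.0.113.7 port 41044 ssh2
Mar  3 10:02:40 vps sshd[1211]: Failed password for invalid user test from 203.0.113.7 port 41051 ssh2
Mar  3 10:03:02 vps sshd[1215]: Failed password for root from 203.0.113.7 port 41060 ssh2
Mar  3 10:03:30 vps sshd[1219]: Failed password for root from 203.0.113.7 port 41066 ssh2
Mar  3 10:05:00 vps sshd[1222]: Accepted publickey for deploy from 198.51.100.5 port 50222 ssh2: ED25519 SHA256:abc
Mar  3 10:06:12 vps sshd[1230]: Accepted publickey for deploy from 192.0.2.44 port 50310 ssh2: ED25519 SHA256:abc
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(?P<result>Failed password|Accepted \w+) for (?:invalid user )?"
                     r"(?P<user>\S+) from (?P<ip>\S+) port")

def detect(log_text, year=2024, threshold=5, window_sec=300, known_ips=frozenset()):
    """Return (rule, ip, detail) alerts for rule 1 (brute force) and rule 2 (new source IP)."""
    alerts = []
    failures = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    already_flagged = set()         # alert once per IP, not on every further failure
    seen_ips = set(known_ips)       # baseline of addresses that have logged in before
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # not an sshd auth line we score
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed password":
            q = failures[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_sec:   # drop failures older than the window
                q.popleft()
            if len(q) > threshold and ip not in already_flagged:
                already_flagged.add(ip)
                alerts.append(("ssh_bruteforce", ip, f"{len(q)} failures within {window_sec}s"))
        else:                       # successful login: compare against the baseline
            if ip not in seen_ips:
                seen_ips.add(ip)
                alerts.append(("login_new_ip", ip, f"first successful login for {user}"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_AUTH_LOG, known_ips={"198.51.100.5"}):
        print(*alert)
```

In a Loki deployment the same two conditions are expressed as LogQL ruler rules over the auth.log stream; the script shows the window and baseline logic those rules encode.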