Enterprise SIEM pricing assumes you have a SOC. Small IT teams don't. But "no SIEM" isn't an acceptable answer either — you need somewhere to put logs and something that tells you when they contain a problem. Graylog plus Wazuh is the combination I keep landing on.

The architecture

Wazuh handles endpoint telemetry and basic HIDS. Graylog handles log aggregation, parsing, and dashboards. They run on a single VM for fleets under 200 endpoints; split at 500+. Both ingest into Elasticsearch or OpenSearch — I default to OpenSearch to sidestep the license argument.

Retention that won't break the budget

Hot data for 14 days, warm for 90, cold (compressed, searchable with lag) for a year. Beyond that, it's compliance archive, not SIEM. The numbers change based on fleet size, but the tiers don't.

Alerts tuned for actionability

The single most important metric is the share of alerts per week that result in an action. If that number is below 30%, you're training the team to ignore the inbox. I aim for 70% — meaning seven out of ten alerts lead to a look, a change, or a confirmed benign. Getting there means tuning aggressively and deleting rules that don't pay for themselves.

The starter rule set

  • Impossible travel (Entra sign-in logs).
  • Multiple failed logons, then a success (Windows Security 4625 → 4624).
  • Privileged role activated outside business hours (PIM audit logs).
  • MFA fatigue pattern (5+ MFA prompts in 10 minutes from one user).
  • New executable hash first-seen on an endpoint (Wazuh FIM).
  • Outbound traffic to a known C2 indicator list.
  • Firewall: any rule change.
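Two of the rules above, written out as stand-alone correlation logic so the thresholds and time windows are explicit. This is an added example, not a Graylog or Wazuh rule and not code from the original post; the event dictionaries are a constructed, already-normalised shape (timestamp, event ID, user, source) that stands in for whatever field names your pipeline produces.

```python
"""Failed logons followed by a success (4625 -> 4624) and MFA fatigue
(5+ prompts in 10 minutes), as sliding-window correlations over event dicts.
The record layout and sample data are assumptions for this example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _win(ts, event_id, user, src):
    return {"ts": ts, "event_id": event_id, "user": user, "src": src}


# Constructed Windows Security events (not real logs).
WINDOWS_EVENTS = (
    # jdoe: five failures in five minutes, then a success -> should fire.
    [_win(f"2024-05-01T02:1{i}:00", 4625, "jdoe", "203.0.113.7") for i in range(5)]
    + [_win("2024-05-01T02:15:00", 4624, "jdoe", "203.0.113.7")]
    # asmith: two typos then a success, normal behaviour -> must not fire.
    + [_win("2024-05-01T08:00:00", 4625, "asmith", "10.0.0.5"),
       _win("2024-05-01T08:00:30", 4625, "asmith", "10.0.0.5"),
       _win("2024-05-01T08:01:00", 4624, "asmith", "10.0.0.5")]
    # bvance: six failures spread over 25 minutes; only two fall inside the
    # 10-minute window before the success -> must not fire at threshold 5.
    + [_win(f"2024-05-01T01:{m:02d}:00", 4625, "bvance", "10.0.0.9")
       for m in (0, 5, 10, 15, 20, 25)]
    + [_win("2024-05-01T01:28:00", 4624, "bvance", "10.0.0.9")]
)

# Constructed MFA prompt events (not real Entra sign-in logs).
MFA_EVENTS = (
    [{"ts": f"2024-05-01T02:2{i}:00", "user": "jdoe", "result": "denied"} for i in range(6)]
    + [{"ts": f"2024-05-01T09:0{i}:00", "user": "asmith", "result": "approved"} for i in range(3)]
)


def _prune(queue, now, window):
    """Drop timestamps older than `window` from the left of a per-user deque."""
    while queue and now - queue[0] > window:
        queue.popleft()


def failed_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when a 4624 for a user follows >= threshold 4625s for that user
    inside the window. Events may arrive unordered; they are sorted by time."""
    failures = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        now = datetime.fromisoformat(ev["ts"])
        q = failures[ev["user"]]
        _prune(q, now, window)
        if ev["event_id"] == 4625:
            q.append(now)
        elif ev["event_id"] == 4624 and len(q) >= threshold:
            alerts.append({"rule": "failed_then_success", "user": ev["user"],
                           "src": ev["src"], "failures": len(q), "at": ev["ts"]})
            q.clear()  # one alert per burst, not one per subsequent logon
    return alerts


def mfa_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Alert once per burst when a user receives >= threshold prompts in the window."""
    prompts = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        now = datetime.fromisoformat(ev["ts"])
        q = prompts[ev["user"]]
        _prune(q, now, window)
        q.append(now)
        if len(q) >= threshold:
            alerts.append({"rule": "mfa_fatigue", "user": ev["user"],
                           "prompts": len(q), "at": ev["ts"]})
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in failed_then_success(WINDOWS_EVENTS) + mfa_fatigue(MFA_EVENTS):
        print(alert)
```

The sliding window is what keeps the rule honest: bvance's six failures would trip a naive "count 4625s per user" rule, but only two of them fall within ten minutes of the success. Clearing the deque after an alert is the cheap form of de-duplication; in Graylog or Wazuh the equivalent is the rule's grace period or frequency setting, and whichever you use, tune the threshold per source rather than fleet-wide.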

Reports leadership reads

Monthly one-pager: incident count, mean time to acknowledge, top five alert types, fleet compliance percentage, and three sentences of "here's what we tuned this month." No one opens a 40-page PDF. Everyone reads a page.
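The numbers on that one-pager, together with the actionability ratio from the tuning section, can be produced straight from the month's triage records. This is an added example, not code from the original post; the record shape (alert type, created and acknowledged timestamps, triage outcome) and the sample month are constructed assumptions, and fleet compliance percentage is left out because it comes from the endpoint side, not from alert triage.

```python
"""Monthly SIEM one-pager metrics from a month of triage records:
incident count, mean time to acknowledge, top alert types, and the
share of alerts that led to an action. Record shape is an assumption."""
from collections import Counter
from datetime import datetime

# Outcomes that count as "an action" per the 70% target:
# a look (confirmed benign), a change, or an incident.
ACTIONABLE_OUTCOMES = {"incident", "change", "confirmed_benign"}


def _rec(alert_type, created, acked, outcome):
    return {"type": alert_type, "created": created, "acked": acked, "outcome": outcome}


# Constructed triage records for one month (not real data).
ALERTS = [
    _rec("impossible_travel",     "2024-05-02T09:00:00", "2024-05-02T09:10:00", "incident"),
    _rec("failed_then_success",   "2024-05-03T10:00:00", "2024-05-03T10:05:00", "confirmed_benign"),
    _rec("failed_then_success",   "2024-05-05T11:00:00", "2024-05-05T11:20:00", "ignored"),
    _rec("mfa_fatigue",           "2024-05-08T12:00:00", "2024-05-08T12:02:00", "incident"),
    _rec("firewall_rule_change",  "2024-05-10T13:00:00", "2024-05-10T13:38:00", "change"),
    _rec("firewall_rule_change",  "2024-05-12T14:00:00", "2024-05-12T14:08:00", "confirmed_benign"),
    _rec("new_hash_first_seen",   "2024-05-15T15:00:00", "2024-05-15T15:15:00", "confirmed_benign"),
    _rec("new_hash_first_seen",   "2024-05-18T16:00:00", None,                  "ignored"),
    _rec("c2_indicator",          "2024-05-22T17:00:00", "2024-05-22T17:01:00", "incident"),
    _rec("failed_then_success",   "2024-05-28T18:00:00", "2024-05-28T18:09:00", "ignored"),
]


def _minutes(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def monthly_summary(alerts, top_n=5, floor_pct=30.0):
    """Return the one-pager numbers. Never-acknowledged alerts are excluded from
    MTTA (they would otherwise be undefined) and reported separately."""
    acked = [a for a in alerts if a["acked"] is not None]
    mtta = sum(_minutes(a["created"], a["acked"]) for a in acked) / len(acked) if acked else None
    actionable = sum(1 for a in alerts if a["outcome"] in ACTIONABLE_OUTCOMES)
    actionable_pct = round(100.0 * actionable / len(alerts), 1) if alerts else 0.0
    return {
        "incidents": sum(1 for a in alerts if a["outcome"] == "incident"),
        "unacknowledged": len(alerts) - len(acked),
        "mtta_minutes": round(mtta, 1) if mtta is not None else None,
        "top_alert_types": Counter(a["type"] for a in alerts).most_common(top_n),
        "actionable_pct": actionable_pct,
        # Below the floor means the inbox is being trained to be ignored.
        "below_floor": actionable_pct < floor_pct,
    }


if __name__ == "__main__":
    for key, value in monthly_summary(ALERTS).items():
        print(f"{key}: {value}")
```

The top-types list doubles as the tuning backlog: a type that dominates the count while contributing nothing to the actionable set is the first rule to tighten or delete next month, which gives you the "here's what we tuned" sentences for free.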