Wazuh vs Splunk: Self-Hosted SIEM for Homelab Budgets
Reading time: ~12 minutes
Audience: Homelabbers and security learners choosing a SIEM
What Is a SIEM?
A Security Information and Event Management (SIEM) system collects, analyzes, and correlates security events from across your infrastructure. Core functions:
| Function | Description |
|---|---|
| Log collection | Gather logs from servers, firewalls, endpoints |
| Event correlation | Detect patterns across multiple sources |
| Alerting | Notify on suspicious activity |
| Dashboarding | Visualize security posture |
| Compliance | Generate reports for frameworks (PCI-DSS, HIPAA, etc.) |
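To make "event correlation" concrete, here is an added Python example (not from the original article and not code from Wazuh or Splunk) that implements the kind of frequency/timeframe rule every SIEM runs: it parses sshd syslog lines and raises one alert per source IP that reaches five failed logins within a 60-second sliding window, while an accepted login from another host is ignored. The log lines are constructed for the example; the rule name, alert level and thresholds are assumptions, and T1110 is the ATT&CK technique ID for Brute Force.

```python
"""Minimal SIEM-style correlation: alert when one source IP produces at least
`threshold` failed SSH logins within `window_seconds` (frequency/timeframe rule)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines for this example (not from a real host).
# Classic syslog omits the year, so the parser assumes one.
SAMPLE_LOGS = """\
Mar 10 10:00:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar 10 10:00:03 web01 sshd[2203]: Failed password for root from 203.0.113.5 port 51030 ssh2
Mar 10 10:00:04 web01 sshd[2205]: Accepted publickey for deploy from 192.0.2.10 port 40112 ssh2
Mar 10 10:00:05 web01 sshd[2207]: Failed password for root from 203.0.113.5 port 51041 ssh2
Mar 10 10:00:07 web01 sshd[2209]: Failed password for invalid user test from 203.0.113.5 port 51050 ssh2
Mar 10 10:00:09 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 51062 ssh2
Mar 10 10:00:30 web01 sshd[2213]: Failed password for root from 198.51.100.7 port 33001 ssh2
Mar 10 10:05:00 web01 sshd[2215]: Failed password for root from 198.51.100.7 port 33002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failed_logins(text, year=2024):
    """Yield (timestamp, host, user, source_ip) for each sshd failed-password line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are not events for this rule
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["host"], m["user"], m["ip"]


def correlate_bruteforce(text, threshold=5, window_seconds=60):
    """Return one alert per source IP the first time it reaches `threshold`
    failures inside a sliding window of `window_seconds`."""
    recent = defaultdict(deque)  # source_ip -> timestamps still inside the window
    alerted = set()
    alerts = []
    for ts, host, user, ip in parse_failed_logins(text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop events that fell out of the window
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({
                "rule": "ssh_bruteforce",   # assumed rule name
                "level": 10,                # assumed severity
                "mitre": "T1110",           # ATT&CK: Brute Force
                "source_ip": ip,
                "host": host,
                "count": len(q),
                "first_seen": q[0].isoformat(),
                "last_seen": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate_bruteforce(SAMPLE_LOGS):
        print(alert)
```

Run as-is it reports a single alert for 203.0.113.5 (five failures in eight seconds); the two failures from 198.51.100.7 are four and a half minutes apart and never meet the threshold. The same shape (parse, bucket by a shared field, count inside a time window, suppress duplicate alerts) is what Wazuh expresses with frequency, timeframe and same_source_ip in its rule XML.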
Wazuh Overview
What Is Wazuh?
Wazuh is a free, open-source security platform combining:
- SIEM (log analysis, correlation)
- IDS (intrusion detection)
- FIM (file integrity monitoring)
- Vulnerability detection (CVE scanning)
- Configuration assessment (CIS benchmarks)
- Compliance monitoring (GDPR, PCI-DSS, NIST)
Architecture
| Component | Role | Resource |
|---|---|---|
| Wazuh Manager | Analysis, correlation, alerts | 2GB RAM, 2 CPU |
| Wazuh Indexer | Log storage (OpenSearch fork) | 4GB RAM, 2 CPU |
| Wazuh Dashboard | Web UI (OpenSearch Dashboards) | 1GB RAM, 1 CPU |
| Wazuh Agent | Endpoint log collection | 35MB RAM, negligible CPU |
Cost
| Aspect | Cost |
|---|---|
| Software | $0 (GPL v2) |
| Support | Community (free) or commercial (paid) |
| Hardware | ~$0 (runs in Docker/VM) |
| Storage | ~10GB for 3 months of logs (1 agent) |
Key Features
| Feature | Wazuh |
|---|---|
| Log sources | Syslog, agents, AWS, Azure, Docker |
| Detection rules | 1,000+ built-in (MITRE ATT&CK mapped) |
| File integrity | Real-time FIM with whitelisting |
| Vulnerability DB | 100,000+ CVEs |
| CIS benchmarks | 100+ policies |
| Agent platforms | Linux, Windows, macOS, BSD, Solaris |
| API | REST API |
| Alerting | Email, Slack, PagerDuty, webhooks |
| Active response | Automatic blocking (firewall, hosts.deny) |
Splunk Overview
What Is Splunk?
Splunk is the dominant commercial SIEM and observability platform. It offers:
- Splunk Enterprise (self-hosted)
- Splunk Cloud (SaaS)
- Splunk Free (limited to 500MB/day ingestion)
Architecture
| Component | Role |
|---|---|
| Forwarder | Universal or heavy forwarder (log collection) |
| Indexer | Stores and indexes logs |
| Search Head | Web UI, search, dashboards |
| Deployment Server | Manages forwarder configs |
Cost
| Edition | Cost | Limitations |
|---|---|---|
| Splunk Free | $0 | 500MB/day, no auth, no distributed |
| Splunk Enterprise | ~$2,000/GB/year | Perpetual or term license |
| Splunk Cloud | ~$2,500/GB/year | SaaS, no infra management |

Example: 5GB/day of logs = ~$10,000–$12,500/year
Key Features
| Feature | Splunk |
|---|---|
| Log sources | 1,000+ integrations (Splunkbase) |
| Search language | SPL (Splunk Processing Language), extremely powerful |
| Dashboards | Highly customizable |
| ML/AI | Splunk Machine Learning Toolkit |
| Threat intel | Enterprise Threat Intelligence |
| SOAR | Splunk SOAR (automation) |
| App ecosystem | 2,000+ apps on Splunkbase |
Head-to-Head Comparison
| Feature | Wazuh | Splunk | Winner |
|---|---|---|---|
| Cost | Free | $2,000+/GB/year | Wazuh |
| Open source | GPL v2 | Proprietary | Wazuh |
| Deployment ease | Docker Compose (15 min) | Complex (hours) | Wazuh |
| Learning curve | Moderate | Steep (SPL) | Wazuh |
| Enterprise features | Basic | Extensive | Splunk |
| Search power | Good (SQL-like) | Excellent (SPL) | Splunk |
| Dashboards | Good (OpenSearch) | Excellent (Splunk UI) | Splunk |
| App ecosystem | 50+ integrations | 2,000+ apps | Splunk |
| ML/AI detection | Basic | Advanced | Splunk |
| Threat intelligence | OSINT feeds | Commercial TI | Splunk |
| Scalability | 100–1,000 agents | 10,000+ endpoints | Splunk |
| Community | Active (r/Wazuh) | Massive (Splunk .conf) | Splunk |
| Career value | Growing | Industry standard | Splunk |
| FIM | Built-in, real-time | Requires add-on | Wazuh |
| Vulnerability detection | Built-in | Requires add-on | Wazuh |
| CIS benchmarks | Built-in | Requires add-on | Wazuh |
| Active response | Built-in | Requires SOAR | Wazuh |
Docker Deployment
Wazuh Docker Compose
```yaml
version: "3.8"
services:
  wazuh-manager:
    image: wazuh/wazuh-manager:4.7.0
    container_name: wazuh-manager
    hostname: wazuh-manager
    ports:
      - "1514:1514"     # agent events
      - "1515:1515"     # agent enrollment
      - "514:514/udp"   # syslog from network devices
      - "55000:55000"   # Wazuh REST API
    volumes:
      - wazuh-api:/var/ossec/api/configuration
      - wazuh-etc:/var/ossec/etc
      - wazuh-logs:/var/ossec/logs
      - wazuh-queue:/var/ossec/queue
      - wazuh-var:/var/ossec/var
      - wazuh-rules:/var/ossec/etc/rules
    restart: unless-stopped

  wazuh-indexer:
    image: wazuh/wazuh-indexer:4.7.0
    container_name: wazuh-indexer
    hostname: wazuh-indexer
    ports:
      - "9200:9200"     # indexer REST API; bind to 127.0.0.1 if only the dashboard needs it
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
      - "bootstrap.memory_lock=true"
      # The TLS files below are not created by this file: mount a certs volume
      # containing them (the Wazuh Docker docs ship a certificate generator).
      - "plugins.security.ssl.http.pemcert_filepath=/usr/share/wazuh-indexer/certs/indexer.pem"
      - "plugins.security.ssl.http.pemkey_filepath=/usr/share/wazuh-indexer/certs/indexer-key.pem"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - wazuh-indexer-data:/var/lib/wazuh-indexer
    restart: unless-stopped

  wazuh-dashboard:
    image: wazuh/wazuh-dashboard:4.7.0
    container_name: wazuh-dashboard
    hostname: wazuh-dashboard
    ports:
      - "5601:5601"     # web UI
    environment:
      - "INDEXER_USERNAME=admin"
      - "INDEXER_PASSWORD=SecretPassword"   # placeholder: change before deploying
      - "WAZUH_API_URL=https://wazuh-manager"
    volumes:
      - wazuh-dashboard-certs:/usr/share/wazuh-dashboard/certs
    depends_on:
      - wazuh-indexer
      - wazuh-manager
    restart: unless-stopped

volumes:
  wazuh-api:
  wazuh-etc:
  wazuh-logs:
  wazuh-queue:
  wazuh-var:
  wazuh-rules:
  wazuh-indexer-data:
  wazuh-dashboard-certs:
```
Splunk Free Deployment
```yaml
version: "3.8"
services:
  splunk:
    image: splunk/splunk:latest   # pin a specific version for a reproducible build
    container_name: splunk
    environment:
      - SPLUNK_START_ARGS=--accept-license
      - SPLUNK_PASSWORD=<set-a-strong-password>   # placeholder; Splunk requires at least 8 characters
    ports:
      - "8000:8000"   # web UI
      - "8088:8088"   # HTTP Event Collector
      - "9997:9997"   # forwarder ingestion
    volumes:
      - splunk-data:/opt/splunk/var
    restart: unless-stopped

volumes:
  splunk-data:
```

Note: Splunk Free is limited to 500MB/day of ingestion. Beyond that you need a paid license.
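Before either compose file goes onto a homelab network it is worth checking what it exposes: the Wazuh file publishes the indexer (9200) and REST API (55000) on every host interface and ships a placeholder indexer password, and the Splunk file tracks the floating latest tag. The Python script below is an added example (not part of the article and not from either project) that scans a compose file line by line for those three issues without needing a YAML library. The trimmed compose text inside it is constructed for the example; the allowed_ports parameter names container ports that legitimately must be reachable from other hosts (agent events and enrollment on 1514/1515, forwarder ingestion on 9997), which is an assumption you adjust to your own setup.

```python
"""Line-based review of a docker-compose file for three hygiene issues that matter
when the SIEM host itself is attacked: floating image tags, host ports published on
every interface, and placeholder or short credentials in environment variables."""
import re

IMAGE_RE = re.compile(r"^\s*image:\s*(?P<image>\S+)")
LIST_ITEM_RE = re.compile(r'^\s*-\s*"?(?P<item>[^"]+?)"?\s*$')
ENV_RE = re.compile(r"^(?P<key>[A-Za-z_][A-Za-z0-9_.]*)=(?P<val>.*)$")
SECRET_KEY_RE = re.compile(r"PASSWORD|SECRET|TOKEN", re.I)

# Values that are obviously placeholders rather than real secrets (assumed list).
PLACEHOLDER_VALUES = {"***", "changeme", "password", "secretpassword", "admin"}
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

# Constructed, trimmed compose text for this example (not a real deployment file).
SAMPLE_COMPOSE = """\
services:
  wazuh-manager:
    image: wazuh/wazuh-manager:4.7.0
    ports:
      - "1514:1514"
      - "1515:1515"
      - "55000:55000"
  wazuh-indexer:
    image: wazuh/wazuh-indexer:4.7.0
    ports:
      - "9200:9200"
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
  wazuh-dashboard:
    image: wazuh/wazuh-dashboard:4.7.0
    ports:
      - "127.0.0.1:5601:5601"
    environment:
      - "INDEXER_USERNAME=admin"
      - "INDEXER_PASSWORD=SecretPassword"
  splunk:
    image: splunk/splunk:latest
    ports:
      - "8000:8000"
    environment:
      - SPLUNK_PASSWORD=changeme
"""


def review_compose(text, allowed_ports=frozenset()):
    """Return [(line_no, finding)] for the compose text.

    allowed_ports: container ports that must be reachable from other hosts
    (agent traffic, forwarders); publishing those on all interfaces is not flagged."""
    findings = []
    section = None  # the mapping key whose list items we are inside ("ports", "environment", ...)
    for no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.endswith(":"):  # a mapping key such as "ports:" or a service name
            section = stripped[:-1]
            continue
        m = IMAGE_RE.match(line)
        if m:
            image = m["image"]
            last = image.split("/")[-1]  # look past registry/repo so a registry port is not read as a tag
            tag = last.split(":", 1)[1] if ":" in last else None
            if tag is None or tag == "latest":
                findings.append((no, f"unpinned image tag: {image}"))
            continue
        m = LIST_ITEM_RE.match(line)
        if not m:
            continue
        item = m["item"]
        if section == "ports":
            parts = item.split("/")[0].split(":")  # [host, host_port, container_port] or [host_port, container_port]
            host = parts[0] if len(parts) == 3 else "0.0.0.0"
            container_port = int(parts[-1])
            if host not in LOOPBACK_HOSTS and container_port not in allowed_ports:
                findings.append((no, f"port published on all interfaces: {item}"))
        elif section == "environment":
            env = ENV_RE.match(item)
            if env and SECRET_KEY_RE.search(env["key"]):
                val = env["val"]
                weak = (val.lower() in PLACEHOLDER_VALUES or len(val) < 12
                        or (val.startswith("<") and val.endswith(">")))
                if weak:
                    findings.append((no, f"weak or placeholder credential in {env['key']}"))
    return findings


if __name__ == "__main__":
    for no, finding in review_compose(SAMPLE_COMPOSE, allowed_ports={1514, 1515, 9997}):
        print(f"line {no}: {finding}")
```

With 1514 and 1515 allowed, the sample yields six findings: the API and indexer ports, the dashboard's placeholder indexer password, the latest tag on the Splunk image, the Splunk web port, and the Splunk placeholder password. The dashboard line bound to 127.0.0.1 passes, which is the pattern to apply to any port that only needs local or reverse-proxy access.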
Homelab Learning Value
Wazuh for Learning
| Skill | What You Learn |
|---|---|
| SIEM operations | Log analysis, correlation, alerting |
| MITRE ATT&CK | Detection mapping to real techniques |
| File integrity | FIM configuration and tuning |
| Vulnerability management | CVE scanning, prioritization |
| Compliance | CIS benchmarks, policy auditing |
| Incident response | Alert triage, active response |
| Docker | Multi-container orchestration |
| OpenSearch | Search, indexing, dashboards |
Splunk for Learning
| Skill | What You Learn |
|---|---|
| SPL | Industry-standard search language |
| Enterprise SIEM | How large organizations operate security |
| Dashboarding | Advanced visualization |
| App development | Splunk app creation |
| Career | Resume value (Splunk is everywhere) |
When to Choose Wazuh
- Best for: Homelabbers, small businesses, budget-conscious users
- Ideal if: You want a fully functional SIEM at zero cost
- Strength: Free, FIM, vulnerability detection, active response, CIS benchmarks
- Tradeoff: Less enterprise polish, smaller app ecosystem
When to Choose Splunk
- Best for: Enterprise environments, career development, deep analytics
- Ideal if: You need to learn SPL for a security career
- Strength: SPL power, massive ecosystem, enterprise support
- Tradeoff: Prohibitively expensive for homelab use
Conclusion
Summary
For homelab use, Wazuh is the clear choice. It offers 90% of Splunk’s SIEM capabilities at zero cost, with built-in features (FIM, vulnerability detection, CIS benchmarks) that require expensive add-ons in Splunk. Splunk Free’s 500MB/day limit is too restrictive for a multi-device homelab.
Career tip: Learn Wazuh first (covers SIEM fundamentals), then study SPL with Splunk Free if targeting enterprise security roles.
Next Steps
- Deploy Wazuh via Docker Compose (see config above)
- Install agents on your homelab servers and workstations
- Enable MITRE ATT&CK rules in Wazuh Manager
- Read our Wazuh SIEM setup guide for advanced configuration
Affiliate Opportunities
- Mini PCs: Intel N100 for 24/7 Wazuh server
- Storage: SSDs for log retention
- Books: Security Engineering by Ross Anderson
- Courses: LetsDefend, Blue Team Labs Online
Internal Linking
wazuh-setup → wazuh-siem-setup.md
docker → docker-compose-yml-examples.md
monitoring → docker-monitoring-grafana-prometheus.md
security → homelab-security-monitoring.md
CTA
- Which SIEM runs your homelab? Wazuh, Splunk, or something else?
- Subscribe for homelab security guides and blue team tutorials.