📊 SIEM & log management
Security Onion
All-in-one network security monitoring distribution: Suricata, Zeek, Wazuh, ELK and more.
Why use it
Security Onion bundles a complete NSM (network security monitoring) stack into a single installer: Suricata for IDS, Zeek for protocol metadata, Wazuh for endpoints, plus a unified analyst console. Heavy, but the most production-shaped homelab option there is.
What you get
- Suricata IDS with pre-tuned rule packs
- Zeek protocol logs for retrospective hunting
- Wazuh-based endpoint visibility
- Stenographer or Arkime for full-packet capture (optional)
- Hunt and Cases applications for analyst workflow
System requirements
| Requirement | Value |
|---|---|
| CPU | 8 cores |
| RAM | 16 GB minimum, 32 GB+ recommended |
| Disk | 200 GB+ (SSD strongly recommended) |
| OS | Dedicated Linux host (Ubuntu/Oracle/RHEL family) |
| Docker | No |
Installation
Boot from the Security Onion ISO or run the network installer on a clean Linux host: sudo bash so-setup-network. Choose Standalone for a homelab — Distributed is for multi-node enterprise deployments. Plan one NIC for management, another for SPAN/mirror traffic.
Suggested configuration
Start your Snort or Suricata rules from the free ET Open ruleset. Disable noisy rule categories (policy violations, info) until you can triage the signal. Configure a SPAN port on your switch or a mirror filter on a TAP so that only interesting traffic reaches Suricata — not the whole link.
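Deciding which categories are "noisy" is easier with numbers than by eyeballing the console. The following script is an added example and not part of Security Onion or the Suricata project: it reads Suricata EVE JSON lines (the format written to eve.json), keeps only alert events, skips malformed lines, counts alerts per category and per signature, and flags any category that makes up more than a chosen share of all alerts as a candidate to mute until you have triaged it. The log lines, signature IDs and IP addresses in SAMPLE_EVE_LINES are constructed for the example; the function names are this example's own.

```python
"""Rank Suricata EVE alert categories to find the noisy ones worth muting until triaged."""
import json
from collections import Counter

# Constructed sample EVE JSON lines; nothing here was captured from a real sensor.
SAMPLE_EVE_LINES = [
    json.dumps({"event_type": "flow", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.1"}),
    json.dumps({"event_type": "dns", "src_ip": "10.0.0.5", "dns": {"rrname": "example.com"}}),
    '{"event_type": "alert", "truncated":',  # constructed malformed line, as left by a log rotation
]


def _alert(sig_id, signature, category, severity, src="10.0.0.5", dst="203.0.113.10"):
    """Build one constructed EVE alert record in the shape Suricata emits."""
    return json.dumps({
        "timestamp": "2024-01-01T10:00:00.000000+0000",
        "event_type": "alert",
        "src_ip": src, "dest_ip": dst, "proto": "TCP",
        "alert": {"signature_id": sig_id, "signature": signature,
                  "category": category, "severity": severity},
    })


# Six info-level stream alerts, three policy alerts, one alert an analyst would want to see.
SAMPLE_EVE_LINES += [
    _alert(9000001, "CONSTRUCTED stream reassembly info", "Generic Protocol Command Decode", 3)
    for _ in range(6)
]
SAMPLE_EVE_LINES += [
    _alert(9000002 + i, f"CONSTRUCTED policy rule {i}", "Potential Corporate Privacy Violation", 2)
    for i in range(3)
]
SAMPLE_EVE_LINES.append(
    _alert(9000010, "CONSTRUCTED malware callback", "A Network Trojan was detected", 1)
)


def parse_alerts(lines):
    """Yield only alert events; silently skip non-alert events and unparsable lines."""
    for line in lines:
        try:
            event = json.loads(line)
        except ValueError:
            continue  # truncated or corrupt line: do not let it abort the whole pass
        if event.get("event_type") == "alert" and "alert" in event:
            yield event


def category_counts(alerts):
    """Count alerts per Suricata rule category."""
    return Counter(ev["alert"].get("category", "unknown") for ev in alerts)


def top_signatures(alerts, n=3):
    """Most frequent (signature_id, signature) pairs; these are the first tuning targets."""
    sigs = Counter((ev["alert"]["signature_id"], ev["alert"]["signature"]) for ev in alerts)
    return sigs.most_common(n)


def noisy_categories(counts, share=0.25):
    """Categories contributing at least `share` of all alerts, busiest first."""
    total = sum(counts.values())
    if total == 0:
        return []
    return [cat for cat, n in counts.most_common() if n / total >= share]


if __name__ == "__main__":
    alerts = list(parse_alerts(SAMPLE_EVE_LINES))
    counts = category_counts(alerts)
    print(f"{len(alerts)} alerts in {len(counts)} categories")
    for cat, n in counts.most_common():
        print(f"  {n:4d}  {cat}")
    print("top signatures:", top_signatures(alerts))
    print("candidates to disable until triaged:", noisy_categories(counts))
```

On a live sensor, pipe the real file in (for example, read the lines from the eve.json path your deployment uses) and raise or lower `share` to taste: a category that dominates the alert volume but never carries severity 1 is a strong candidate for disabling, whereas a rare high-severity category should stay on even if it is occasionally wrong.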
Integration ideas
- Forward Wazuh alerts upstream to a separate dashboard
- Send Suricata + Zeek to a remote MISP/TheHive lab
- Feed Arkime PCAPs from the same SPAN tap
Alternatives
- Wazuh + Suricata DIY — Lighter, more configurable, but you wire it yourself.
- SELKS — Suricata-focused alternative, lighter than SO.
Cyentrix verdict
The fastest way to feel like you have a real SOC at home — and the heaviest. Plan dedicated hardware (a 32 GB mini PC or repurposed server) and a SPAN port; don't try this on a shared box.