Wazuh and Elastic SIEM are both free, open-source, and deployable in Docker within an afternoon. The question is not which one is better in the abstract; it is which one fits where you are in your career right now.
If you are building your first security lab and want pre-built detection rules out of the box, start with Wazuh. If you already have some log analysis experience and want to build custom detection logic, Elastic SIEM gives you more control. This guide shows you exactly how to spin up each one in Docker, what you will get, and where beginners trip up.
Wazuh vs Elastic SIEM: What Each One Actually Does
Wazuh is an open-source XDR and SIEM platform that maintains its own indexer and dashboard. It ships with 3,000+ pre-built detection rules mapped to the MITRE ATT&CK framework, built-in file integrity monitoring, and agent-based log collection for Windows, Linux, and macOS. The default Docker deployment pulls around 4 GB of images and runs on 8 GB RAM minimum.
Elastic SIEM is a detection engine inside the Elastic Stack. You get Elasticsearch for storage, Kibana for dashboards, and the Security app for alert management. It does not collect logs for you; you pipe data in via Elastic Agent or Logstash. The power is in the query language (KQL and EQL) and the flexibility to build detection rules from scratch. Minimum spec for a single-node lab: 8 GB RAM, 4 vCPUs.
Both are genuinely zero-cost for self-hosted use. Wazuh is Apache 2.0 licensed. Elastic has open-source components under SSPL and Elastic License 2.0, but the SIEM features you need for a lab are all available in the free tier. If you are working through the concepts covered in a cybersecurity home lab setup, either platform fits without paying anything.
Docker Setup: Wazuh in Under 20 Minutes
Wazuh publishes an official Docker Compose file that stands up the manager, indexer, and dashboard in a single command. Clone the repository from github.com/wazuh/wazuh-docker, copy the .env file from the single-node directory, and run docker-compose up -d. The dashboard becomes available at https://localhost with default credentials admin/SecretPassword. Change these immediately.
The agent side is where Wazuh earns its reputation for beginner-friendliness. You enroll agents directly from the dashboard UI, and within minutes you have Windows Event Logs, syslog, and authentication events flowing in with severity scores already applied. For anyone comparing this against the broader SIEM tools available in 2026, the time-to-first-alert is genuinely faster with Wazuh than with any self-assembled stack.
Docker Setup: Elastic SIEM in About an Hour
Elastic provides a Docker Compose quick-start on their documentation site. Before starting, you must set the vm.max_map_count kernel parameter to 262144, or Elasticsearch will refuse to run. The command is: sudo sysctl -w vm.max_map_count=262144. Forget this step and you will spend 30 minutes reading cryptic JVM errors.
Once the stack is running (Elasticsearch on port 9200, Kibana on 5601), install Elastic Agent on a host, create an Agent Policy in Fleet, and assign the Endpoint and System integrations. Data starts flowing. Then enable detection rules inside the Security app. Elastic ships around 800 pre-built rules, but many require tuning before they produce useful signal rather than noise. The learning curve is steeper, but the payoff for analysts who want to build custom EQL correlation logic is also real.
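Before bringing up either Compose stack, a short preflight check catches the two things this guide says trip people up: too little RAM for the platform(s) you intend to run, and an unset vm.max_map_count. This is an added example, not code from the article or from either project; the thresholds (8 GB per platform, 16 GB for both, vm.max_map_count of 262144, the shipped SecretPassword default) are taken from the text above, while the function names and the path you pass to the credential check are this example's own assumptions.

```shell
#!/usr/bin/env sh
# Lab preflight for the Wazuh / Elastic SIEM Docker setups described above.
# Thresholds come from the guide; file paths and function names are this
# example's assumptions.

MIN_ONE_KB=$((8 * 1024 * 1024))    # 8 GB: one platform under load
MIN_BOTH_KB=$((16 * 1024 * 1024))  # 16 GB: Wazuh and Elastic side by side
ES_MAX_MAP_COUNT=262144            # Elasticsearch refuses to start below this

# Echo how many of the two platforms fit (0, 1 or 2) for a MemTotal value in kB.
platforms_that_fit() {
  mem_kb=$1
  if [ "$mem_kb" -ge "$MIN_BOTH_KB" ]; then echo 2
  elif [ "$mem_kb" -ge "$MIN_ONE_KB" ]; then echo 1
  else echo 0
  fi
}

# Pull MemTotal (kB) out of /proc/meminfo-formatted text read from stdin.
mem_total_kb() {
  awk '/^MemTotal:/ { print $2; exit }'
}

# Succeed when the kernel value in $1 meets Elasticsearch's requirement.
max_map_count_ok() {
  [ "$1" -ge "$ES_MAX_MAP_COUNT" ]
}

# Succeed when the compose or .env file in $1 no longer carries the default
# Wazuh credential string the guide tells you to change immediately.
default_wazuh_password_changed() {
  ! grep -q 'SecretPassword' "$1"
}

# Live run against this host (Linux only; the functions above are reusable).
if [ -r /proc/meminfo ] && [ -r /proc/sys/vm/max_map_count ]; then
  total=$(mem_total_kb < /proc/meminfo)
  echo "RAM: ${total} kB -> $(platforms_that_fit "$total") platform(s) fit"
  current=$(cat /proc/sys/vm/max_map_count)
  if max_map_count_ok "$current"; then
    echo "vm.max_map_count=$current ok"
  else
    echo "vm.max_map_count=$current too low; run: sudo sysctl -w vm.max_map_count=$ES_MAX_MAP_COUNT"
  fi
fi
```

Pass your copied Wazuh compose or .env file to default_wazuh_password_changed before the first docker-compose up -d; a failing check means the stack would come up with the published default login.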
Which One Should a Junior Analyst Pick First
Pick Wazuh if you want to spend your time learning detection and response rather than infrastructure debugging. Pick Elastic SIEM if your target role involves Elastic-heavy environments, common in UK MSSPs and financial services SOCs, or if you want to build the query skills that feature heavily in every cybersecurity career path for 2026.
Running both in parallel on the same Docker host is possible with enough RAM (16 GB+), and doing exactly that is one of the most effective ways to understand how the two platforms handle the same log source differently.
Common Questions About SIEM Docker Lab Setup
Can Wazuh and Elastic SIEM run on the same Docker host?
Yes, but not comfortably below 16 GB RAM. Each platform needs at least 8 GB under load. On a 16 GB host, run one at a time for stable performance, or size up your lab machine before running them simultaneously.
Does Wazuh require a license for lab use?
No. Wazuh is fully open-source under the Apache 2.0 license. There is a commercial cloud offering, but the self-hosted Docker deployment has no feature limits or agent caps for personal lab environments.
What is the minimum Docker host spec for Elastic SIEM?
Elastic recommends 8 GB RAM and 4 vCPUs for a single-node lab deployment. In practice, Elasticsearch consumes 4 to 5 GB of heap on its own. A machine with 16 GB RAM gives you room to run agents alongside the stack without constant performance issues.
Do Wazuh detection rules map to MITRE ATT&CK automatically?
Yes. Wazuh ships with over 3,000 rules and the majority include MITRE ATT&CK tactic and technique tags. The dashboard lets you filter alerts by tactic, which makes it practical for studying attack chains without any additional configuration.