Designing a unified SOC / NOC

Learn how to build a unified SOC/NOC dashboard for your MSP using open-source tools like Wazuh, OpenSearch, and Grafana. Centralize security and network monitoring.

Published December 7, 2025

Working at an MSP means wearing many hats. One moment you’re troubleshooting a basic computer issue; the next you’re architecting secure, multi-site network infrastructure; then you’re hunting threats to keep clients safe from the latest attacks.

To keep everything running smoothly, you need constant visibility into security and network operations. At my company, we use a combination of XDR, NDR, and EDR platforms to surface data that would otherwise stay hidden. But the real magic? A well-implemented open-source SIEM (Security Information and Event Management) system.

While most MSPs already rely on RMM, EDR, and cloud platforms for remote infrastructure management, a SIEM takes visibility to another level. By unifying and standardizing your source of truth, a SIEM lets technicians and engineers respond to incidents before clients ever notice downtime.

What is a SOC/NOC and Why Does It Matter?

This unified approach is the central idea behind a SOC (Security Operations Center) and NOC (Network Operations Center). It’s a one-stop shop for answering a simple but critical question: Is my infrastructure behaving the way I intend it to?

Building a reliable, scalable SIEM stack is essential for MSPs looking to deliver real peace of mind. As for software selection, I prefer open-source tools. They keep costs down for clients and represent the bleeding edge of innovation—software with strong community backing tends to evolve quickly and stay relevant.

For the core SIEM infrastructure, I recommend:

  • Wazuh – SIEM platform with built-in log normalization and threat detection
  • OpenSearch – Scalable log storage and search engine
  • OpenSearch Dashboards – SOC-focused visualization and alerting
  • Grafana – NOC dashboards for infrastructure and performance monitoring

This stack becomes your central brain—receiving, correlating, and visualizing all telemetry across your client environments.

Data Ingestion: Connecting Your Log Sources

A unified SIEM should collect events from every critical system. Here’s what a comprehensive setup looks like:

Endpoint Detection (EDR)

Platforms like SentinelOne provide threat detections, behavioral AI events, EDR telemetry, and remediation logs—all of which should flow into your SIEM for correlation.

RMM Platforms

NinjaOne and similar tools generate NMS alerts, resource monitoring data, script execution results, patch status, and inventory changes. Many also support webhook integrations for ticket updates.

Firewalls and Network Security

Whether you’re running pfSense, OPNsense, SonicWall, or another platform, you should ingest syslog data, IDS/IPS events from Suricata or Snort, VPN connection logs, and firewall allow/block events.

Servers and Endpoints

On the server side, collect Windows Event Logs, Sysmon telemetry, Linux authentication logs, and file integrity monitoring events. These provide the forensic depth needed for incident response.

Cloud Platforms

Don’t forget cloud visibility. Microsoft 365 audit logs, Entra ID (formerly Azure AD) sign-in events, OAuth app alerts, and Exchange/SharePoint activity logs should all feed into your SIEM.

Bringing It All Together

Once these data sources are connected, your SIEM normalizes and correlates events across the entire stack. Wazuh handles detection rules and alerting. OpenSearch stores and indexes everything for fast querying. OpenSearch Dashboards gives your SOC team security-focused views, while Grafana provides NOC dashboards for uptime, performance, and infrastructure health.
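To make the normalize-then-correlate step concrete, here is an added Python illustration (not code from this post, Wazuh or OpenSearch): three constructed lines from the source types listed above (Linux sshd, pfSense filterlog, and a Windows 4625 logon failure) are mapped onto one schema, and a source IP reported by three different log sources within five minutes produces a single cross-stack alert. The program names, the filterlog field positions and the key=value export format of the Windows event are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

YEAR = 2025  # syslog timestamps carry no year; assumed for the constructed sample
# Constructed sample events (not real telemetry), one per source type discussed above.
SAMPLE_LINES = [
    "Dec  7 10:01:02 web01 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51422 ssh2",
    "Dec  7 10:01:05 fw01 filterlog[1234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.7,198.51.100.10,51500,3389,0,S,123,,64240,,mss",
    "Dec  7 10:02:40 dc01 winlog: EventID=4625 TargetUserName=admin IpAddress=203.0.113.7 LogonType=3",
    "Dec  7 10:03:00 web01 sshd[2312]: Accepted publickey for deploy from 10.0.0.5 port 40000 ssh2",
]
SYSLOG = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
SSHD_FAIL = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")

def normalize(line):
    """Map one raw line onto a common schema; None if the line is not a security-relevant event."""
    m = SYSLOG.match(line)
    if not m:
        return None
    ts_raw, host, prog, msg = m.groups()
    ev = {"ts": datetime.strptime(ts_raw, "%b %d %H:%M:%S").replace(year=YEAR),
          "host": host, "source": prog, "event": None, "src_ip": None, "user": None}
    if prog == "sshd" and (f := SSHD_FAIL.search(msg)):
        ev.update(event="auth_failure", user=f.group(1), src_ip=f.group(2))
    elif prog == "filterlog":
        fields = msg.split(",")  # pfSense filterlog CSV: action at 6, IP version at 8, IPv4 src at 18 (assumed)
        if fields[6] == "block" and fields[8] == "4":
            ev.update(event="fw_block", src_ip=fields[18])
    elif prog == "winlog":  # assumed key=value export of a Windows Security event
        kv = dict(p.split("=", 1) for p in msg.split())
        if kv.get("EventID") == "4625":
            ev.update(event="auth_failure", user=kv.get("TargetUserName"), src_ip=kv.get("IpAddress"))
    return ev if ev["event"] else None

def correlate(events, window_s=300, min_sources=3):
    """Alert on a source IP reported by >= min_sources distinct log sources within window_s seconds."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["src_ip"]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        sources = sorted({e["source"] for e in evs})
        if len(sources) >= min_sources and span <= window_s:
            alerts[ip] = sources
    return alerts

def detect(lines=SAMPLE_LINES):
    # Full pipeline: normalize every line, drop lines that carry no event, correlate across sources.
    return correlate([e for e in map(normalize, lines) if e])
```

The successful `Accepted publickey` line is dropped at normalization, so a benign source never contributes to the count; in a real deployment this logic lives in the SIEM's rule engine rather than a script.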

The result? A single pane of glass that answers the question every MSP client is really asking: Is everything okay?


Building out your own MSP SOC/NOC stack? I’d love to hear what tools you’re using. Reach out—let’s compare notes.
