Thank you for the post. The ELK stack is currently used successfully in many SIEM implementations. However, the right solution for you is going to depend on several factors that are specific to your requirements, such as these:
- What is your motivation for implementing SIEM? Regulatory compliance? Threat detection? Incident response? All of the above?
- Are you willing and able to host the SIEM systems in your own data center? Or would you rather use a cloud-hosted service for your SIEM?
- Do you have staff who are trained in implementing and operating a SIEM? Do you have an existing security operations center (SOC)? Do you have a security incident response team in place?
- Are you able to install and maintain agents on your 300 systems? Is there already a security agent (EPP or EDR) installed? Are these systems connected to your local network? Or available only over the Internet?
- 300 routers seems like a large number. Are these tied 1:1 to your 300 systems? Is there a third party managing these routers? Do you have the ability to get logs and/or telemetry from these routers?
These are just a few of the very basic questions needed to make a SIEM recommendation. In the end, you may need some custom consulting to help you pick the right solution architecture for your SIEM.
After you've decided upon your approach to SIEM, you might find some of these blogs helpful to inform you about Elastic's SIEM solution:
- Introducing Elastic SIEM
- Elasticsearch Cybersecurity at the home of the World's Fastest Supercomputer
- Alerting in the Elastic Stack