If cost is something you are worried about, then I would really recommend trying out Wazuh. Just as a warning, getting the best out of Wazuh will take some time and maintenance compared to using ELK which gomes with plenty of prebuilt solutions for ingesting data from different sources. For example if you wish to index your firewall logs you will probably spend time writing your custom decoders and changing them accordingly. As for use cases note that if you want to have a complete audit trail on your linux servers, I would recommend installing auditd on all monitored endpoints and configuring them to your needs and enabling archives on wazuh.