A $0 SIEM-lite: pg_cron + Cloudflare GraphQL + Resend
You do not need an enterprise logging tier to know when something is off. Three free parts, wired into a daily report and an hourly alarm.
Enterprise log pipelines are wonderful and, on a nonprofit budget, imaginary. Here is the monitoring I actually run, built from three free parts.
The parts
A scheduled database job (pg_cron) runs the queries. The Cloudflare GraphQL Analytics API is the free stand-in for Enterprise Logpush; it answers questions like how many challenges Turnstile issued and to whom. Resend delivers the mail.
Two jobs: a daily digest of bot activity, and an hourly anomaly check that names the offending user when a threshold trips.
Make the alarm trustworthy
An alert that cries wolf is worse than no alert. Two rules earn the trust: a
per-condition cooldown so a firing alarm does not page you sixty times an hour, and a
[DRILL] tag on any test so a rehearsal is never mistaken for the real thing.
The goal is not more alerts. It is alerts you still believe at 3 a.m.