$ python -m seerflow
INFO SQLite storage ready (WAL mode)
INFO Syslog receiver on :514
INFO OTLP receiver on :4317
INFO Dashboard on :8080
INFO Loaded 3,247 Sigma rules
INFO Pipeline ready — 0 → 10K events/sec
WARN [entity:192.168.1.42] anomaly score 0.87
ALERT [sigma] Brute force detected (T1110)
ALERT [ml] Volume spike on auth.log (+340%)
End-to-End: Raw Log → Correlated Alert
Entity-Centric
Links events across users, IPs, hosts, and processes. Catches threats that single-source tools miss.
Hybrid ML + LLM
Fast ML for bulk detection. LLMs for edge cases and root cause analysis. Best of both worlds.
Zero Config
SQLite storage, WAL mode. Works on first run — no database setup. Scale to PostgreSQL when ready.
3,000+ Sigma Rules
SigmaHQ integration with MITRE ATT&CK mapping. Security detection out of the box.
10K+ Events/sec
Streaming pipeline with online learning. No batch retraining. Real-time alerting.
Open Source
Apache 2.0 licensed. Python 3.13+. Built on msgspec, aiosqlite, and igraph.
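As an added illustration of the entity-centric correlation described above (example code written for this page, not Seerflow's own implementation): constructed sshd and nginx failure lines from two hosts are grouped by source IP, so a spray that stays under threshold in each single source crosses it once the entity view combines them. The log formats and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: password failures seen by sshd on host-a and by an
# nginx login form on host-b, all from one source IP, plus one unrelated failure.
SAMPLE_LOGS = [
    "host-a sshd[101]: Failed password for alice from 192.168.1.42 port 51001 ssh2",
    "host-a sshd[102]: Failed password for bob from 192.168.1.42 port 51002 ssh2",
    "host-a sshd[103]: Failed password for carol from 192.168.1.42 port 51003 ssh2",
    "host-b nginx: login failed user=dave ip=192.168.1.42",
    "host-b nginx: login failed user=erin ip=192.168.1.42",
    "host-c sshd[201]: Failed password for alice from 10.0.0.7 port 40001 ssh2",
]

# Hypothetical line formats for the two sources (assumed here, not Seerflow's parsers).
PARSERS = (
    ("sshd", re.compile(r"^(?P<host>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<ip>\S+)")),
    ("nginx", re.compile(r"^(?P<host>\S+) nginx: login failed user=(?P<user>\S+) ip=(?P<ip>\S+)")),
)

def parse(line):
    """Normalise a raw line into {source, host, user, ip}; None if unrecognised."""
    for source, rx in PARSERS:
        m = rx.match(line)
        if m:
            return {"source": source, **m.groupdict()}
    return None

def per_source_alerts(lines, user_threshold=4):
    """Single-source view: distinct accounts counted per (source, ip) only."""
    users = defaultdict(set)
    for ev in filter(None, map(parse, lines)):
        users[(ev["source"], ev["ip"])].add(ev["user"])
    return [{"entity": ip, "source": src, "users": sorted(u)}
            for (src, ip), u in users.items() if len(u) >= user_threshold]

def correlate(lines, user_threshold=4):
    """Entity-centric view: the source IP is the entity, and every host and log
    source it touched feeds one count (brute force / password spraying, T1110)."""
    entities = defaultdict(lambda: {"users": set(), "hosts": set(), "sources": set(), "events": 0})
    for ev in filter(None, map(parse, lines)):
        e = entities[ev["ip"]]
        e["events"] += 1
        for key in ("users", "hosts", "sources"):   # "users" -> ev["user"], etc.
            e[key].add(ev[key[:-1]])
    return [{"entity": ip, "technique": "T1110", "events": e["events"],
             "users": sorted(e["users"]), "hosts": sorted(e["hosts"]),
             "sources": sorted(e["sources"])}
            for ip, e in entities.items() if len(e["users"]) >= user_threshold]
```

On the sample, `per_source_alerts(SAMPLE_LOGS)` returns nothing (3 and 2 accounts per source), while `correlate(SAMPLE_LOGS)` raises one alert for 192.168.1.42 spanning both hosts and both log sources.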
| Tool | ML Detection | Cross-Source Correlation | Online Learning | Single Process | Open Source |
|---|---|---|---|---|---|
| Seerflow | ✓ 9 detectors | ✓ Core feature | ✓ Per-event | ✓ pip/Docker | ✓ AGPL-3.0 |
| Wazuh | ✗ Rules only | ✗ Cannot | ✗ N/A | ✗ Cluster | ✓ GPLv2 |
| Elastic SIEM | ✗ Platinum only | ✗ Platinum only | ✗ Batch jobs | ✗ ES cluster | Partial (AGPL) |
| Datadog | ✓ Watchdog | ✓ Proprietary | ✗ Batch | ✗ SaaS only | ✗ Proprietary |
| Splunk | ✓ RBA | ✓ Proprietary | ✗ Batch | ✗ Heavy infra | ✗ Proprietary |
# Clone and install
git clone https://github.com/seerflow/seerflow.git
cd seerflow && uv sync

# Run with zero config — SQLite, syslog, OTLP, dashboard
uv run python -m seerflow

# Or with a config file
uv run python -m seerflow --config seerflow.yaml

# Run tests (201 tests, 97% coverage)
uv run pytest --cov -v