Introduction
Seerflow is a streaming, entity-centric log intelligence agent that detects operational failures and security threats across log sources.
The Problem
Modern infrastructure generates millions of log events per day across dozens of sources — syslog, CloudWatch, GCP Logging, Azure Monitor, Kubernetes, and application logs. Existing tools either:
- Alert on individual log lines (noisy, miss context)
- Require complex query languages (slow, reactive)
- Use expensive LLMs for everything (cost-prohibitive at scale)
The Seerflow Approach
Seerflow combines traditional ML (fast, cheap) for bulk detection with LLMs (accurate, explanatory) for edge cases:
| Layer | Technology | Purpose |
|---|---|---|
| Template extraction | Drain3 | Reduce millions of log lines to thousands of patterns |
| Anomaly detection | Half-Space Trees, Holt-Winters, CUSUM, Markov | Real-time online learning — no training phase |
| Auto-thresholds | DSPOT (EVT) | Self-tuning alert thresholds that adapt to drift |
| Security rules | pySigma (3,000+ SigmaHQ rules) | MITRE ATT&CK mapped detection |
| Correlation | Entity graph (igraph) | Cross-source, entity-centric threat detection |
| Root cause | LLM (optional) | Human-readable explanations for complex alerts |
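A toy version of the first two layers of that pipeline, added here as an illustration and not code from the Seerflow project: a regex masker stands in for Drain3 template extraction, and a one-sided CUSUM per template flags a window whose event count drifts above the baseline learned from the first windows. The log lines, the slack k and the threshold h are constructed for the example.

```python
import re
from collections import Counter, defaultdict
# Constructed sample windows of log lines (not Seerflow data): windows 0-3 are a
# steady baseline, window 4 carries a burst of failed logins from one source IP.
SAMPLE_WINDOWS = [
    [f"sshd[{1200 + 10*w}]: Accepted publickey for alice from 10.0.0.5 port {51000 + w}",
     f"sshd[{1201 + 10*w}]: Failed password for bob from 10.0.0.9 port {51100 + w}"]
    for w in range(4)
] + [[f"sshd[{1300 + i}]: Failed password for root from 203.0.113.4 port {52000 + i}"
      for i in range(12)]]

MASKS = [(re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "<IP>"),
         (re.compile(r"\b\d+\b"), "<NUM>")]

def to_template(line: str) -> str:
    """Collapse a raw line to a pattern the way a template miner does: variable
    tokens (IPs, numbers, the user name after 'for') become placeholders."""
    for pattern, placeholder in MASKS:
        line = pattern.sub(placeholder, line)
    return re.sub(r"\bfor \S+", "for <USER>", line)

class Cusum:
    """One-sided CUSUM on a template's per-window count. The baseline mean is
    learned online from the first `warmup` windows; k is the slack and h the
    decision threshold, both in events per window and chosen by hand here."""
    def __init__(self, warmup=3, k=1.0, h=4.0):
        self.warmup, self.k, self.h = warmup, k, h
        self.n, self.mean, self.s = 0, 0.0, 0.0

    def update(self, x: float) -> bool:
        self.n += 1
        if self.n <= self.warmup:            # still learning the baseline
            self.mean += (x - self.mean) / self.n
            return False
        self.s = max(0.0, self.s + (x - self.mean - self.k))
        return self.s > self.h

def run_pipeline(windows):
    """Return {template: [indices of windows whose count drifted upward]}."""
    detectors, alerts, seen = defaultdict(Cusum), defaultdict(list), set()
    for idx, lines in enumerate(windows):
        counts = Counter(to_template(line) for line in lines)
        seen.update(counts)
        for tpl in seen:                     # a template absent this window counts as 0
            if detectors[tpl].update(counts.get(tpl, 0)):
                alerts[tpl].append(idx)
    return dict(alerts)

if __name__ == "__main__":
    print(run_pipeline(SAMPLE_WINDOWS))
```

Only the "Failed password" template alerts, and only in window 4; the "Accepted publickey" template dropping to zero in that window is not flagged because the CUSUM here is one-sided (upward drift).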
Key Features
- Entity-centric: Events are linked to users, IPs, hosts, processes, files, and domains
- Streaming: Online learning algorithms that update with every event — no batch retraining
- Zero-config: SQLite backend works on first run; scale to PostgreSQL when needed
- Open source: Apache 2.0 license