Introduction
Seerflow is a streaming, entity-centric log intelligence agent that detects operational failures and security threats across log sources.
The Problem
Modern infrastructure generates millions of log events per day across dozens of sources — syslog, CloudWatch, GCP Logging, Azure Monitor, Kubernetes, and application logs. Existing tools either:
- Alert on individual log lines (noisy, miss context)
- Require complex query languages (slow, reactive)
- Use expensive LLMs for everything (cost-prohibitive at scale)
The Seerflow Approach
Seerflow combines traditional ML (fast, cheap) for bulk detection with LLMs (accurate, explanatory) for edge cases:
| Layer | Technology | Purpose |
|---|---|---|
| Ingestion | OTLP gRPC/HTTP, syslog, file tail, webhooks | Multi-source streaming intake |
| Template extraction | Drain3 | Reduce millions of log lines to thousands of patterns |
| Anomaly detection | Half-Space Trees, Holt-Winters, CUSUM, Markov | Real-time online learning — no training phase |
| Auto-thresholds | biDSPOT (EVT) | Self-tuning alert thresholds that adapt to drift |
| Security rules | pySigma (63 bundled rules, custom dirs) | MITRE ATT&CK mapped detection |
| Correlation | Entity graph (igraph / FalkorDB / Postgres+AGE) | Cross-source, entity-centric threat detection |
| Risk + kill-chain | Per-entity risk register, ATT&CK tactic progression | Slow-burn, multi-step attack detection |
| UEBA | Per-user/host baselines | Behavioural anomaly scoring |
| Threat intel | TAXII feeds + Bloom-filter IoC matcher | Cross-reference logs against external indicators |
| Root cause | LLM (llamacpp / Ollama / cloud) | Human-readable explanations for complex alerts |
| Surface | React dashboard, REST API, WebSocket stream | Triage, search, live tail |
Key Features
- Entity-centric: Events are linked to users, IPs, hosts, processes, files, and domains via deterministic UUID5 IDs
- Streaming: Online learning algorithms that update with every event — no batch retraining
- Zero-config: SQLite backend works on first run; scale to PostgreSQL with an asyncpg pool when needed
- Bundled dashboard: React UI + REST + WebSocket served from a single process on port 8080
- Open source: AGPL-3.0 license, Python 3.11+
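The entity-centric linking above rests on deterministic UUID5 identifiers: the same (entity kind, canonical value) pair yields the same ID wherever it is seen, so events from different sources join on one graph node without a lookup table. The following is an added illustration, not Seerflow's own code; the namespace UUID, the normalisation rules and the sample events are constructed for the example.

```python
import ipaddress
import uuid

# Constructed namespace for this example; Seerflow's own namespace UUID is not given on this page.
ENTITY_NAMESPACE = uuid.UUID("7d6f0a2e-1c3b-4e5d-9f80-1234567890ab")
ENTITY_KINDS = {"user", "ip", "host", "process", "file", "domain"}


def normalize(kind: str, value: str) -> str:
    """Canonicalise an entity value so spelling variants across sources collapse to one node."""
    value = value.strip()
    if kind == "ip":
        # Canonical textual form: collapses IPv6 spellings such as 2001:0db8::1 and 2001:db8::1
        return str(ipaddress.ip_address(value))
    if kind in {"user", "host", "domain"}:
        # Case-insensitive names; a trailing dot on an FQDN is a DNS artifact, not identity
        return value.lower().rstrip(".")
    return value  # process names and file paths stay case-sensitive


def entity_id(kind: str, value: str) -> uuid.UUID:
    """Deterministic UUID5: same (kind, canonical value) anywhere -> same ID, no state required."""
    if kind not in ENTITY_KINDS:
        raise ValueError(f"unknown entity kind: {kind}")
    return uuid.uuid5(ENTITY_NAMESPACE, f"{kind}:{normalize(kind, value)}")


def link_events(events: list[dict]) -> dict[uuid.UUID, dict]:
    """Fold already-parsed events into entity nodes, recording which sources saw each entity."""
    nodes: dict[uuid.UUID, dict] = {}
    for ev in events:
        for kind, value in ev["entities"]:
            node = nodes.setdefault(
                entity_id(kind, value),
                {"kind": kind, "value": normalize(kind, value), "sources": set()},
            )
            node["sources"].add(ev["source"])
    return nodes


# Constructed sample: one login seen by a syslog sshd line and a CloudWatch record, with
# different capitalisation and IPv6 spelling. Field extraction is assumed to happen upstream.
SAMPLE_EVENTS = [
    {"source": "syslog", "entities": [("user", "Alice"), ("ip", "2001:0db8::1"), ("host", "bastion.example.com.")]},
    {"source": "cloudwatch", "entities": [("user", "alice"), ("ip", "2001:db8::1"), ("host", "BASTION.example.com")]},
]

if __name__ == "__main__":
    for eid, node in link_events(SAMPLE_EVENTS).items():
        print(eid, node["kind"], node["value"], sorted(node["sources"]))
```

Running it prints three nodes, each seen by both sources, which is the cross-source join the entity graph layer builds on.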