$ pip install seerflow
$ seerflow start
INFO Seerflow 0.3.0 starting
INFO Receivers: syslog, otlp-grpc, otlp-http
INFO Sigma: 63 rules loaded
INFO Pipeline running — Ctrl+C to stop

WARN ANOMALY score=0.87 threshold=0.63
WARN template: Failed password for <*> from <*>
WARN entities: 10.0.1.42, root
WARN SIGMA ssh_brute_force [T1110.001]
WARN tactic: credential-access

Seerflow

Detect operational failures and security threats across all your log sources. Traditional ML for speed, LLMs for accuracy.

End-to-End: Raw Log → Correlated Alert

L1 INGEST
  • OTLP gRPC
  • File tail
  • Syslog
  • Webhooks
L2 PARSE
  • Drain3
  • Regex mask
  • Field extract
  • Entity IDs
L3 GRAPH
  • Resolution
  • UUID5 IDs
  • Graph build
  • TTL prune
L4 DETECT
  • 4 ML models
  • 63 Sigma rules
  • Ensemble
  • ATT&CK tags
L5 CORRELATE
  • Temporal join
  • Risk accum
  • Graph struct
  • Kill-chain
L6 ALERT
  • Webhooks
  • PagerDuty
  • OTLP export
  • Feedback
L7 DASHBOARD
  • React UI
  • Entity viz
  • Live stream
  • Alert mgmt
Single Process: All 7 layers in one process. No JVM. No cluster.
Async Queues: Bounded 10K items. Backpressure built in.
<50ms Latency: Raw log to alert. Online ML per event.
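The parse, detect and correlate layers above, as an added example that is not Seerflow's own code: constructed sshd syslog lines are regex-masked into a Drain-style template, entities are extracted, and a per-source-IP sliding window raises an alert tagged the way the hero output shows. The threshold, window and regexes are assumptions for this illustration, not Seerflow's defaults.

```python
import re
from collections import defaultdict, deque
# Constructed sshd syslog lines (not captured traffic); the last one is a benign login.
SAMPLE_LOGS = [
    "Jan 10 12:00:01 host1 sshd[311]: Failed password for root from 10.0.1.42 port 50211 ssh2",
    "Jan 10 12:00:02 host1 sshd[312]: Failed password for admin from 10.0.1.42 port 50212 ssh2",
    "Jan 10 12:00:03 host1 sshd[313]: Failed password for root from 10.0.1.42 port 50213 ssh2",
    "Jan 10 12:00:04 host1 sshd[314]: Failed password for root from 10.0.1.42 port 50214 ssh2",
    "Jan 10 12:00:05 host1 sshd[315]: Failed password for root from 10.0.1.42 port 50215 ssh2",
    "Jan 10 12:00:06 host1 sshd[316]: Accepted password for alice from 192.168.1.7 port 40001 ssh2",
]
SYSLOG = re.compile(r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) (\S+) (\w+)\[\d+\]: (.*)$")
IP = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
USER = re.compile(r"\bfor (\S+) from\b")

def parse(line):
    """PARSE layer: mask variable fields into a Drain-style template and pull out entities."""
    m = SYSLOG.match(line)
    if not m:
        return None
    hh, mm, ss, host, prog, msg = m.groups()
    user = USER.search(msg)
    template = re.sub(r"\b\d+\b", "<*>", USER.sub("for <*> from", IP.sub("<*>", msg)))
    entities = {"ip": IP.findall(msg), "user": [user.group(1)] if user else [], "host": [host]}
    return {"ts": int(hh) * 3600 + int(mm) * 60 + int(ss), "host": host, "prog": prog,
            "template": template, "entities": entities}

class BruteForceDetector:
    """DETECT/CORRELATE layers: sliding window of failures per source IP plus accumulated risk."""
    def __init__(self, threshold=5, window_s=60):  # assumed values, not Seerflow's defaults
        self.threshold, self.window_s = threshold, window_s
        self.failures = defaultdict(deque)  # source ip -> (ts, user) pairs inside the window
        self.risk = defaultdict(int)        # source ip -> risk accumulated across the stream
    def observe(self, event):
        ips = event["entities"]["ip"]
        if not event["template"].startswith("Failed password for <*> from <*>") or not ips:
            return None
        src, q = ips[0], self.failures[ips[0]]
        q.append((event["ts"], event["entities"]["user"][0] if event["entities"]["user"] else "?"))
        while q and event["ts"] - q[0][0] > self.window_s:  # temporal join: expire stale failures
            q.popleft()
        self.risk[src] += 1
        if len(q) < self.threshold:
            return None
        return {"rule": "ssh_brute_force", "technique": "T1110.001", "tactic": "credential-access",
                "source_ip": src, "users": sorted({u for _, u in q}), "count": len(q), "risk": self.risk[src]}

def run(lines):
    det = BruteForceDetector()
    return [a for ev in map(parse, lines) if ev and (a := det.observe(ev))]
```

`run(SAMPLE_LOGS)` yields a single alert on the fifth failure from 10.0.1.42; the benign login is parsed but never counted.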

Entity-Centric

Links events across users, IPs, hosts, and processes. Catches threats that single-source tools miss.

Hybrid ML + LLM

Fast ML for bulk detection. LLMs for edge cases and root cause analysis. Best of both worlds.

Zero Config

SQLite storage, WAL mode. Works on first run — no database setup. Scale to PostgreSQL when ready.

63 Sigma Rules

Bundled SigmaHQ rules with MITRE ATT&CK mapping. Custom rule directories supported.

Online Learning

Streaming pipeline with Half-Space Trees and biDSPOT auto-thresholds. No batch retraining.

Open Source

AGPL-3.0 licensed. Python 3.13+. Built on msgspec, drain3, river, and aiosqlite.

| Tool | ML Detection | Cross-Source Correlation | Online Learning | Single Process | Open Source |
|---|---|---|---|---|---|
| Seerflow | 4 ML + Sigma | Core feature | Per-event | pip/Docker | AGPL-3.0 |
| Wazuh | Rules only | Cannot | N/A | Cluster | GPLv2 |
| Elastic SIEM | Platinum only | Platinum only | Batch jobs | ES cluster | Partial (AGPL) |
| Datadog | Watchdog | Proprietary | Batch | SaaS only | Proprietary |
| Splunk | RBA | Proprietary | Batch | Heavy infra | Proprietary |
# Install from PyPI
pip install seerflow
# Run with zero config — SQLite, syslog, OTLP receivers
seerflow start
# Or with a config file
seerflow --config seerflow.yaml start
# Query stored events
seerflow query events --limit 10
# Check version
seerflow --version