v0.5.0 · NOW WITH LIVE ENTITY GRAPH

See what single sources can't.

Seerflow is a streaming, entity-centric log intelligence agent. Traditional ML for speed. LLMs for accuracy. One process — no JVM, no cluster, no SaaS lock-in.

PyPI v0.5.0
tests 1,500+ passing
coverage 95%
license AGPL-3.0
$ pip install seerflow
$ seerflow start
INFO Seerflow 0.5.0 starting
INFO Receivers: syslog otlp-grpc otlp-http
INFO Sigma: 63 rules loaded · MITRE ATT&CK mapped
INFO Dashboard: http://127.0.0.1:8080
INFO Pipeline running — Ctrl+C to stop
WARN ANOMALY score=0.873 threshold=0.63
template: Failed password for <*> from <*>
entities: 10.0.1.42 root
WARN SIGMA ssh_brute_force [T1110.001]
tactic: credential-access
CRIT KILL-CHAIN 4 tactics in 12m → root@10.0.1.42
§ 02 Pipeline

One process. Seven layers.

Raw log to correlated alert in under 50ms. Bounded async queues with backpressure built in.
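The backpressure behaviour described above, reduced to its essentials, as an added example (not Seerflow's own code): a producer feeding a bounded asyncio.Queue suspends on put() while the queue is full, so a slow consumer throttles ingest instead of letting memory grow. The queue size, delays and event count are constructed for the demo; maxsize=0 uses asyncio's unbounded semantics for comparison.

```python
import asyncio


async def run_pipeline(n_events, maxsize=4, consume_delay=0.001):
    """Producer -> bounded asyncio.Queue -> consumer.

    Queue.put() suspends the producer while the queue is full, so a slow
    consumer throttles ingest instead of letting memory grow without bound.
    maxsize=0 makes the queue unbounded (asyncio semantics) for comparison.
    """
    q: asyncio.Queue = asyncio.Queue(maxsize=maxsize)
    stats = {"produced": 0, "consumed": 0, "max_depth": 0, "producer_waits": 0}

    async def producer():
        for i in range(n_events):
            if q.full():                      # about to block: backpressure kicks in
                stats["producer_waits"] += 1
            await q.put(f"event-{i}")         # suspends here until a slot frees up
            stats["produced"] += 1
            stats["max_depth"] = max(stats["max_depth"], q.qsize())
        await q.put(None)                     # sentinel: end of stream

    async def consumer():
        while True:
            item = await q.get()
            if item is None:
                break
            await asyncio.sleep(consume_delay)  # stands in for parse + per-event ML scoring
            stats["consumed"] += 1

    await asyncio.gather(producer(), consumer())
    return stats


def run_demo(maxsize=4, n_events=200):
    """Synchronous entry point; returns the stats dict."""
    return asyncio.run(run_pipeline(n_events, maxsize=maxsize))


if __name__ == "__main__":
    print("bounded:  ", run_demo(maxsize=4))
    print("unbounded:", run_demo(maxsize=0))
```

With the bound in place the queue never holds more than maxsize items and the producer is suspended many times; with maxsize=0 the producer never yields and the whole stream sits in memory before the consumer scores a single event.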

L1 Ingest: OTLP gRPC · File tail · Syslog · Webhooks
L2 Parse: Drain3 · Regex mask · Field extract · Entity IDs
L3 Graph: Resolution · UUID5 IDs · Build · TTL prune
L4 Detect: 4 ML models · 63 Sigma rules · Ensemble · ATT&CK tags
L5 Correlate: Temporal join · Risk accum · Graph struct · Kill chain
L6 Alert: Webhooks · PagerDuty · Slack/Teams · Dedup
L7 Dashboard: React UI · REST · WS · Entity viz · Triage
Single process
All 7 layers in one binary. No JVM. No cluster.
Async queues
Bounded 10K items. Backpressure built in.
<50ms latency
Raw log to alert. Online ML per event.
Bundled dashboard
React UI on :8080. REST + WebSocket same port.
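A miniature of layers L2 through L5 as an added example (not Seerflow's code): regex masking stands in for Drain3 template mining, entities get deterministic UUID5 IDs, a user is bound to the IP it authenticated from so host-only events (sudo) resolve to the same session, rule hits accumulate per-entity risk, and a kill-chain alert fires once enough distinct tactics appear inside a time window. The rule table, the window, the tactic threshold and the sample sshd/sudo lines are all constructed for this demo.

```python
import re
import uuid
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Deterministic entity IDs: UUID5 of "kind:value" under a fixed namespace
# (the namespace string is constructed for this example).
ENTITY_NS = uuid.uuid5(uuid.NAMESPACE_URL, "urn:example:seerflow-demo")

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# The user token follows "for " in sshd lines and "sudo: " in sudo lines (sample formats).
USER_RE = re.compile(r"(?:(?<=for )|(?<=sudo: ))([A-Za-z_][\w-]*)")
NUM_RE = re.compile(r"\b\d+\b")

# Constructed stand-ins for Sigma rules: (template substring, rule, technique, tactic).
RULES = [
    ("Failed password for <*>", "ssh_brute_force", "T1110.001", "credential-access"),
    ("Accepted password for <*>", "ssh_password_login", "T1078", "initial-access"),
    ("sudo: <*> : TTY=", "sudo_usage", "T1548.003", "privilege-escalation"),
    ("COMMAND=/usr/sbin/useradd", "new_local_user", "T1136.001", "persistence"),
]


def parse(message):
    """L2 Parse: mask variable tokens into a template and pull out entities (regex stands in for Drain3)."""
    entities = {}
    if m := IP_RE.search(message):
        entities["ip"] = m.group(0)
    if m := USER_RE.search(message):
        entities["user"] = m.group(1)
    template = IP_RE.sub("<*>", message)
    template = USER_RE.sub("<*>", template, count=1)
    template = NUM_RE.sub("<*>", template)
    return template, entities


def entity_id(kind, value):
    """L3 Graph: the same entity always maps to the same UUID5, so sources converge on one node."""
    return str(uuid.uuid5(ENTITY_NS, f"{kind}:{value}"))


@dataclass
class Event:
    ts: int        # epoch seconds
    message: str


@dataclass
class Correlator:
    """L3 + L5: entity resolution, per-entity risk accumulation, kill-chain detection."""
    window: int = 15 * 60     # seconds of history kept per entity (constructed setting)
    min_tactics: int = 4      # distinct tactics that make a kill chain (constructed setting)
    link: dict = field(default_factory=dict)                           # user -> source ip
    history: dict = field(default_factory=lambda: defaultdict(deque))  # entity -> (ts, tactic, technique)
    risk: dict = field(default_factory=lambda: defaultdict(float))

    def resolve(self, entities):
        """Bind a user to the IP it authenticated from; user-only events (sudo) join that session."""
        user, ip = entities.get("user"), entities.get("ip")
        if user and ip:
            self.link[user] = ip
        elif user:
            ip = self.link.get(user)
        return user, ip

    def ingest(self, ev):
        template, ents = parse(ev.message)
        user, ip = self.resolve(ents)
        key = f"{user}@{ip}" if user and ip else (user or ip)
        if key is None:
            return None
        q = self.history[key]
        for needle, rule, technique, tactic in RULES:
            if needle in template:
                q.append((ev.ts, tactic, technique))
                self.risk[key] += 1.0                    # flat weight per rule hit
        while q and q[0][0] < ev.ts - self.window:       # TTL prune
            q.popleft()
        tactics = {t for _, t, _ in q}
        if len(tactics) < self.min_tactics:
            return None
        alert = {"entity": key, "entity_id": entity_id("session", key),
                 "tactics": sorted(tactics), "span_s": ev.ts - q[0][0], "risk": self.risk[key]}
        q.clear()                                        # dedup: a new chain needs fresh evidence
        return alert


# Constructed sample stream: one source IP, one user, two log sources (sshd and sudo).
SAMPLE = [
    Event(1000, "Failed password for deploy from 10.0.1.42 port 51234 ssh2"),
    Event(1003, "Failed password for deploy from 10.0.1.42 port 51236 ssh2"),
    Event(1006, "Failed password for deploy from 10.0.1.42 port 51240 ssh2"),
    Event(1190, "Accepted password for deploy from 10.0.1.42 port 51302 ssh2"),
    Event(1420, "sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/id"),
    Event(1700, "sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/sbin/useradd -m svc_backup"),
]


def run(events):
    """Feed events through one Correlator and return the alerts it raised."""
    c = Correlator()
    return [a for ev in events if (a := c.ingest(ev)) is not None]


if __name__ == "__main__":
    for a in run(SAMPLE):
        print(f"KILL-CHAIN {len(a['tactics'])} tactics in {a['span_s'] // 60}m -> {a['entity']}")
```

The point to notice is the resolve step: the sudo lines carry no IP, yet they land on the same deploy@10.0.1.42 session as the brute-force and login events, which is what lets the fourth tactic complete the chain; without that link a per-source tool sees three failed logins on one side and routine sudo use on the other.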
§ 03 Why Seerflow

Built for the things SIEMs miss.

Entity-centric
Links events across users, IPs, hosts, processes. Catches threats single-source tools miss.
Hybrid ML + LLM
Fast ML for bulk detection. LLMs for edge cases and root cause analysis.
Zero config
SQLite + WAL on first run. Scale to PostgreSQL with asyncpg pool when ready.
63 Sigma rules
Bundled SigmaHQ rules with MITRE ATT&CK mapping. Custom dirs + TAXII feeds.
Online learning
Half-Space Trees, Holt-Winters, CUSUM, Markov, biDSPOT auto-thresholds. No batch retraining.
AGPL · open
Python 3.11+. Built on msgspec, drain3, river, igraph, FastAPI, asyncpg.
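One of the named online detectors, CUSUM, worked through as an added example (not Seerflow's implementation, and it says nothing about how Seerflow tunes it): the baseline mean and variance are learned per event with Welford's recurrence, the one-sided CUSUM statistic accumulates evidence of an upward shift, and the baseline keeps adapting during quiet periods, so there is no batch retraining step. The drift k, threshold h, warm-up length and the per-minute counts are constructed.

```python
import math


class OnlineCusum:
    """One-sided CUSUM on a stream with a baseline learned online (Welford mean/variance).

    Drift k and threshold h are in units of the learned standard deviation.
    Constructed for this page; not Seerflow's code.
    """

    def __init__(self, k=0.5, h=5.0, warmup=40):
        self.k, self.h, self.warmup = k, h, warmup
        self.n, self.mean, self.m2 = 0, 0.0, 0.0   # Welford state
        self.s = 0.0                                # CUSUM statistic

    def _learn(self, x):
        self.n += 1
        d = x - self.mean
        self.mean += d / self.n
        self.m2 += d * (x - self.mean)

    def update(self, x):
        """Return (score, alarm); score = S/h, so the alarm threshold is 1.0 in score units."""
        if self.n < self.warmup:
            self._learn(x)                          # no scoring until a baseline exists
            return 0.0, False
        std = math.sqrt(self.m2 / (self.n - 1)) or 1.0
        z = (x - self.mean) / std
        self.s = max(0.0, self.s + z - self.k)      # accumulate evidence of an upward shift
        score = self.s / self.h
        if self.s > self.h:
            self.s = 0.0                            # reset: the next alarm needs fresh evidence
            return score, True
        if self.s == 0.0:
            self._learn(x)                          # quiet period: keep adapting the baseline
        return score, False


def detect(series, **kw):
    """Run the detector over a sequence of per-minute counts; return the alarm indices."""
    det = OnlineCusum(**kw)
    return [i for i, x in enumerate(series) if det.update(x)[1]]


# Constructed: 40 quiet minutes of "Failed password" counts, a modest burst, then quiet again.
QUIET = [1, 0, 2, 1, 0, 1, 3, 1, 0, 2]
SERIES = QUIET * 4 + [4, 5, 4, 6, 5] + QUIET

if __name__ == "__main__":
    print("alarms at minutes:", detect(SERIES))
```

A single minute at 3 or 4 logins is within what the baseline has seen and does not fire on its own; two consecutive elevated minutes do, which is the accumulation property that distinguishes CUSUM from a plain per-event threshold.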
§ 04 Comparison

vs. the rest.

Open-source competitors lack ML or correlation. Commercial ones lock features behind enterprise tiers or batch-only jobs.

                   | Seerflow     | Wazuh      | Elastic SIEM  | Datadog     | Splunk
ML detection       | 4 ML + Sigma | Rules only | Platinum only | Watchdog    | RBA
Cross-source corr. | Core feature | Cannot     | Platinum only | Proprietary | Proprietary
Online learning    | Per-event    | N/A        | Batch jobs    | Batch       | Batch
Single process     | pip / Docker | Cluster    | ES cluster    | SaaS only   | Heavy infra
Open source        | AGPL-3.0     | GPLv2      | Partial       | Proprietary | Proprietary
§ 05 See it in action

From zero to alerts in one command.

# install from PyPI
$ pip install seerflow
# zero-config run — SQLite, syslog + OTLP, dashboard
$ seerflow start
→ Dashboard  http://127.0.0.1:8080/
→ REST       http://127.0.0.1:8080/api/v1/
→ WebSocket  ws://127.0.0.1:8080/api/v1/ws
# or with a config file
$ seerflow --config seerflow.yaml start
# query stored events
$ seerflow query events --limit 10
# inspect bundled Sigma rules
$ seerflow rules list --tactic credential-access
# threat-hunt with natural language
$ seerflow hunt "ssh brute force from 10.0.1.42 in the last 24h"
# check version
$ seerflow --version