The Guide · v0.5.0 · Read start to finish or jump in
# Welcome to the Seerflow Guide
Seerflow is a streaming, entity-centric log intelligence agent that detects operational failures and security threats across log sources. It combines traditional ML for bulk detection with LLMs for edge cases and root cause analysis.
See what single sources can't.
## Who is this guide for?

Two reading paths — pick yours. Both end at the same place: a well-tuned Seerflow in production.

**Path 01: Security Operator.** For those deploying or tuning Seerflow.
- Architecture — pipeline and data flow
- Detection Deep Dives — understand each detector
- Tuning Guide — reduce false positives
- Configuration Reference — every parameter
**Path 02: SRE / DevOps.** For those running infrastructure and wanting log intelligence from it.
- Ops Primer — operational intelligence concepts
- Architecture — how Seerflow processes logs
- Detection — anomaly detection for ops patterns
- Tuning Guide — reduce noise, focus on real issues
## How Seerflow works

Eight stages, one process. Feedback from analyst responses loops back into the detection thresholds (stage H in the pipeline diagram: threshold adjustment). The main components are summarised below.
| Component | Purpose |
|---|---|
| Receivers | Ingest logs from syslog, files, OTLP, webhooks |
| Parsing | Drain3 template extraction, field normalization |
| Entity Extraction | Identify IPs, users, hosts, processes, files, domains |
| Detection Ensemble | HST, Holt-Winters, CUSUM, Markov, DSPOT thresholds |
| Correlation | Sigma rules, temporal windows, kill chain, graph analysis |
| Alerting | Webhooks (Slack, Teams, PagerDuty), dedup, feedback |
## Guide structure

Every concept page follows a three-layer structure:

1. **Theory**: what it is, why it matters.
2. **Seerflow Implementation**: how it's built, with code references.
3. **Practical Examples**: real scenarios, config samples, expected output.
## Source code
Seerflow is open source under AGPL-3.0.