Welcome to the Seerflow Guide

Seerflow is a streaming, entity-centric log intelligence agent that detects operational failures and security threats across log sources. It combines traditional ML for bulk detection with LLMs for edge cases and root cause analysis.

See what single sources can't.


Who is this guide for?

Choose your path

New to security tooling? Start here:

  1. Security Concepts Primer — learn the fundamentals
  2. Architecture Overview — how Seerflow works
  3. Detection Overview — what Seerflow detects
  4. Operations Guide — running Seerflow

Deploying or tuning Seerflow? Go here:

  1. Architecture — pipeline and data flow
  2. Detection Deep Dives — understand each detector
  3. Tuning Guide — reduce false positives
  4. Configuration Reference — every parameter

Extending Seerflow? Start with:

  1. Architecture — system internals
  2. Entity Graph — graph data model
  3. Detection Internals — add detectors
  4. Testing Guide — quality gates

How Seerflow Works

graph TD
    A[Log Sources] --> B[Receivers]
    B --> C[Parsing & Drain3]
    C --> D[Entity Extraction]
    D --> E[Detection Ensemble]
    E --> F[Correlation Engine]
    F --> G[Alerting]
    G --> H[Feedback Loop]
    H -->|Threshold Adjustment| E

Component           Purpose
Receivers           Ingest logs from syslog, files, OTLP, webhooks
Parsing             Drain3 template extraction, field normalization
Entity Extraction   Identify IPs, users, hosts, processes, files, domains
Detection Ensemble  HST, Holt-Winters, CUSUM, Markov, DSPOT thresholds
Correlation         Sigma rules, temporal windows, kill chain, graph analysis
Alerting            Webhooks (Slack, Teams, PagerDuty), dedup, feedback
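To make the data flow above concrete, here is a miniature run of the same stages (receive, parse, extract entities, detect, alert, feed back) over a handful of constructed sshd lines. This is an added illustration, not Seerflow's own code: a fixed syslog regex stands in for Drain3 template extraction, only CUSUM from the detection ensemble is shown, the Sigma/kill-chain correlation stage is skipped, and the sample log lines, entity regexes, CUSUM parameters and threshold-adjustment policy are all assumptions chosen for the example.

```python
"""Toy pipeline: receivers -> parsing -> entity extraction -> CUSUM detection
-> deduplicated alerts -> feedback-driven threshold adjustment.
Added example, not Seerflow's code; all parameters below are assumptions."""
import re
from collections import defaultdict

# Constructed sample input (not real data): a password-guessing burst from
# 203.0.113.9 against host "bastion", mixed with ordinary logins.
SAMPLE_LOGS = [
    "2024-05-01T10:00:05 bastion sshd[1021]: Accepted publickey for alice from 198.51.100.4 port 50122",
    "2024-05-01T10:00:41 bastion sshd[1030]: Failed password for bob from 198.51.100.7 port 50201",
    "2024-05-01T10:01:02 bastion sshd[1044]: Failed password for root from 203.0.113.9 port 41000",
    "2024-05-01T10:01:03 bastion sshd[1045]: Failed password for root from 203.0.113.9 port 41001",
    "2024-05-01T10:01:03 bastion sshd[1046]: Failed password for admin from 203.0.113.9 port 41002",
    "2024-05-01T10:01:04 bastion sshd[1047]: Failed password for admin from 203.0.113.9 port 41003",
    "2024-05-01T10:01:05 bastion sshd[1048]: Failed password for invalid user oracle from 203.0.113.9 port 41004",
    "2024-05-01T10:02:10 bastion sshd[1061]: Failed password for root from 203.0.113.9 port 41010",
    "2024-05-01T10:02:11 bastion sshd[1062]: Failed password for root from 203.0.113.9 port 41011",
    "2024-05-01T10:02:12 bastion sshd[1063]: Failed password for root from 203.0.113.9 port 41012",
    "2024-05-01T10:02:30 bastion sshd[1070]: Accepted password for alice from 198.51.100.4 port 50130",
]

# Parsing: an assumed syslog-style layout, standing in for Drain3 templates.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
USER_RE = re.compile(r"\bfor (?:invalid user )?(\S+) from\b")

def parse_line(line):
    """Return normalized fields for one line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def extract_entities(rec):
    """Entity extraction: host, process, user and source IP from a parsed record."""
    msg = rec["msg"]
    ips = IPV4_RE.findall(msg)
    user = USER_RE.search(msg)
    if msg.startswith("Failed"):
        outcome = "fail"
    elif msg.startswith("Accepted"):
        outcome = "success"
    else:
        outcome = "other"
    return {
        "minute": rec["ts"][:16],      # one-minute buckets for the time series
        "host": rec["host"],
        "process": rec["proc"],
        "user": user.group(1) if user else None,
        "src_ip": ips[0] if ips else None,
        "outcome": outcome,
    }

def build_series(events):
    """Failed-login count per source IP per minute, aligned on one time axis."""
    minutes = sorted({e["minute"] for e in events})
    idx = {m: i for i, m in enumerate(minutes)}
    counts = defaultdict(lambda: [0] * len(minutes))
    for e in events:
        if e["outcome"] == "fail" and e["src_ip"]:
            counts[e["src_ip"]][idx[e["minute"]]] += 1
    return minutes, dict(counts)

def cusum_alarms(minutes, series, mu, k, h):
    """One-sided CUSUM: S_t = max(0, S_{t-1} + (x_t - mu) - k); alarm when S_t > h.
    Evidence accumulates across buckets, so a burst split over two minutes can
    alarm even if no single minute crosses h. Dedup: one alert per entity per run."""
    alerts = []
    for entity, counts in series.items():
        s = 0.0
        for minute, x in zip(minutes, counts):
            s = max(0.0, s + (x - mu) - k)
            if s > h:
                alerts.append({"entity": entity, "minute": minute, "score": s})
                break
    return alerts

def run_pipeline(lines, mu=1.0, k=0.5, h=4.0):
    """Receivers -> parsing -> entities -> detection -> alerts for a batch of lines."""
    events = [extract_entities(r) for r in map(parse_line, lines) if r]
    minutes, series = build_series(events)
    return cusum_alarms(minutes, series, mu, k, h)

def adjust_threshold(h, verdict, lo=2.0, hi=20.0):
    """Feedback loop (assumed policy): an analyst verdict nudges the threshold."""
    if verdict == "false_positive":
        h *= 1.25
    elif verdict == "true_positive":
        h *= 0.9
    return min(hi, max(lo, h))

if __name__ == "__main__":
    for a in run_pipeline(SAMPLE_LOGS):
        print(f"ALERT src_ip={a['entity']} minute={a['minute']} cusum={a['score']:.1f}")
```

With the defaults, 203.0.113.9 produces five failures in the 10:01 bucket (CUSUM 3.5, below h) and three more in 10:02 (CUSUM 5.0), so the single alert fires on the second minute; raising h to 6.0 via the feedback loop would suppress it, which is the trade-off the tuning guide is about.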

Guide Structure

Every concept page follows a three-layer structure:

  1. Theory — what it is, why it matters
  2. Seerflow Implementation — how it's built, code references
  3. Practical Examples — real scenarios, config samples, expected output

Source Code

Seerflow is open source: github.com/seerflow/seerflow