Operations Guide
Everything you need to deploy, configure, and run Seerflow in production.
Prerequisites
Before starting Seerflow, ensure you have:
- Python 3.11+ installed
- uv package manager (install guide)
- Seerflow installed: `uv pip install seerflow`
- A configuration file (`seerflow.yaml`); see Configuration Reference for all options
Quick Start
```bash
# 1. Create a minimal config (or copy the example)
cat > seerflow.yaml << 'EOF'
storage:
  backend: sqlite
receivers:
  syslog_enabled: true
  otlp_grpc_enabled: true
detection:
  hst_window_size: 1000
  dspot:
    risk_level: 0.0001
EOF

# 2. Start the pipeline
seerflow start

# 3. Verify it's running
seerflow query health
```
Seerflow starts with sensible defaults — no config file is needed for a first run. The pipeline will listen on syslog (UDP 514, TCP 601) and OTLP (gRPC 4317, HTTP 4318) by default.
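A post-start smoke test for the default listeners named above, added here as an example and not part of the Seerflow project: it parses `ss -lntu` output to confirm every default port is bound, then pushes one constructed RFC 5424 syslog message at UDP 514 and TCP 601 so the first `seerflow query health` has real traffic behind it. The expected ports, the sample message and the `missing_listeners`/`send_test_syslog` names are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Post-start smoke test for a default Seerflow deployment (added example,
# not Seerflow's own tooling). Assumes the default listeners from the
# Quick Start: syslog UDP 514 / TCP 601, OTLP gRPC 4317 / HTTP 4318.
# Note: 514 and 601 are below 1024, so the pipeline needs root or
# CAP_NET_BIND_SERVICE on Linux to bind them.
set -u

# Expected listeners as "proto/port" pairs (assumed defaults).
EXPECTED_LISTENERS="udp/514 tcp/601 tcp/4317 tcp/4318"

# missing_listeners SS_OUTPUT
# Takes the text of `ss -lntu` (column 1 = Netid, column 5 = Local
# Address:Port) and prints each expected listener that is NOT bound,
# one per line. Prints nothing when all of them are present.
missing_listeners() {
  local ss_out="$1" entry proto port
  for entry in $EXPECTED_LISTENERS; do
    proto="${entry%/*}"
    port="${entry#*/}"
    # A socket counts only if the protocol matches and the local
    # address ends in ":<port>" (so ":514" never matches ":1514").
    if ! printf '%s\n' "$ss_out" | awk -v p="$proto" -v port="$port" \
        '$1 == p && $5 ~ (":" port "$") { found = 1 } END { exit !found }'
    then
      printf '%s\n' "$entry"
    fi
  done
}

# send_test_syslog HOST
# Sends one constructed RFC 5424 message over UDP 514 and TCP 601 using
# bash's /dev/udp and /dev/tcp pseudo-devices (bash only, not POSIX sh).
# Returns non-zero if either send fails.
send_test_syslog() {
  local host="$1" msg
  msg="<14>1 2024-01-01T00:00:00Z smoke-host seerflow-check - - - smoke test"
  printf '%s\n' "$msg" > "/dev/udp/$host/514" &&
  printf '%s\n' "$msg" > "/dev/tcp/$host/601"
}

# Usage after `seerflow start` on the same host:
#   missing=$(missing_listeners "$(ss -lntu)")
#   [ -z "$missing" ] || { echo "not bound: $missing" >&2; exit 1; }
#   send_test_syslog 127.0.0.1 && seerflow query health
```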
Reading Order
| Audience | Recommended path |
|---|---|
| Security operator | Alerting → Configuration → CLI → Tuning |
| Platform engineer | Storage → Configuration → Testing → Tuning |
Section Overview
| Page | What you'll learn |
|---|---|
| Alerting & Feedback | Alert lifecycle, webhook sinks (Slack/Teams/JSON), OTLP export, PagerDuty, TP/FP feedback loop |
| Storage Layer | Protocol interfaces, SQLite backend (WAL, FTS5), PostgreSQL migration, model persistence |
| Tuning Guide | False positive reduction, per-detector tuning, correlation tuning, performance budgets |
| Testing & Validation | Quality gates, test structure, LANL dataset validation, custom rule testing |
| Configuration Reference | Every YAML parameter with type, default, and description |
| CLI Reference | All 5 subcommands: start, tail, import, query, feedback |