watch.withflit.app — v0.1.0-alpha · on-prem · syslog SIEM

Every systemleaves marks.Read them.

Flit Watch is a local syslog receiver and SIEM for developers, security engineers, and students. Ingest, parse, correlate, and inspect every log event in real time — running entirely on your own machine, with nothing sent to the cloud.

Scroll to explore
What Watch does

A full SIEM in
one static binary.

01
Ingestion
Multi-format Log Ingestion

Accept syslog events over UDP, TCP, and TLS on standard ports. Parse every industry-standard format automatically — RFC 3164, RFC 5424, CEF 1.0, and raw text — with zero configuration.

RFC 3164 (BSD syslog)
RFC 5424 (IETF syslog)
CEF 1.0 (ArcSight)
Raw text fallback
UDP · TCP · TLS transport
02
Correlation
Sliding-Window Rules

Define regex-based correlation rules that fire when patterns exceed a count threshold within a time window. Six built-in rules cover brute force, port scans, privilege escalation, and more — or write your own.

6 built-in threat patterns
Custom regex rules
Configurable time windows
Webhook alert delivery
03
Testing
Synthetic Event Injection

Don't wait for real attacks to test your detection rules. The injector lets you fire pre-built attack scenarios — SSH brute force, port scans, lateral movement — directly into the event stream, so you can validate every rule before it matters.

Attack scenario library
Custom event injection
Rule coverage validation
Download

Up in 30 seconds.
No install required.

A single static binary — no runtime, no dependencies, no config. Download for your platform and run.

Quick start — Linux / macOS
$ chmod +x flit-watch-linux-amd64
$ sudo ./flit-watch-linux-amd64
✓ Listening · UDP :514 · TCP :514 · TLS :6514
✓ Dashboard → http://localhost:5514
Use --udp-port 5514 --http-port 5515 to avoid root on Linux.
All releases on GitHub →
v0.1.0-alphaMIT licenseCGO_ENABLED=0
How it works

From mark to meaning
in minutes.

1
Download and run
One static binary — no dependencies, no install, no config files. Works on Linux, macOS, and Windows out of the box.
./flit-watch --http-port 5514
2
Point your syslog at it
Configure your systems to forward syslog to localhost:514. UDP, TCP, and TLS are all supported. Or inject synthetic events from the terminal to test your rules.
echo '<13>May 14 10:00:00 host app: hello' | nc -u -w1 127.0.0.1 514
3
Watch events stream in real time
Every log event is parsed, enriched, and displayed in the live stream — with severity, facility, host, and app extraction. Filter, search, and inspect any event in detail.
http://localhost:5514
4
Build correlation rules, get alerts
Define regex-based rules that trigger when patterns exceed thresholds in a sliding window. Six built-in rules cover the most common attack patterns — or write your own.
BRUTE_FORCE — 5 matches in 60s → ALERT
flit-watch · UDP :514 · TCP :514 · receiving
LIVE·48 EPS·14,382 events·7 alerts
By the numbers
0
Ring buffer capacity
configurable via --max-events
0
Log formats parsed
RFC3164 · RFC5424 · CEF · Raw
0
Built-in correlation rules
ready to catch threats
0
To your first parsed event
from download to streaming

Every system
leaves marks.
Start reading.

No cloud. No account. No config files. One binary, one command — and every log event your systems emit is right in front of you.

Download Watch →View on GitHub

Open source · MIT license · ~10 MB · Linux · macOS · Windows