Built for compliance with Thailand's Computer Crime Act §26

Centralize every log from every device intelligently

SRAN Metalog is a single Log Management Platform that ingests, stores, searches, and analyzes logs from every source in your environment (Windows Event Log, Syslog, network appliances, applications, and more) on one fast, secure, and cost-efficient architecture.

sran.metalog · /overview · live
SRAN Metalog Overview dashboard
/ Features

Built for everything Operations, Security, and Compliance teams need

Shaped by real-world experience running infrastructure in regulated industries: easy to install, easy to operate, scales with your organization.

Multi-Source Ingestion
Receive Syslog, Windows Event Log, JSON, and file-based logs from network appliances, servers, and applications concurrently on a single listener.
SNMP Trap Receiver
Native SNMPv1 / v2c / v3 trap listener on UDP/162 ingests unsolicited alerts from switches, routers, firewalls, UPS, printers, and environmental sensors. Bundled MIB resolution translates numeric OIDs into human-readable events (linkUp, linkDown, coldStart, authFail) before they hit the index, so you can search "interface=Gi0/24" instead of decoding ".1.3.6.1.2.1.*" by hand.
Zstd Compression 90% smaller
Streaming Zstandard compression cuts storage by 90% on average, with per-file SHA-256 hashes for tamper-evident integrity.
Millisecond Search
DuckDB-backed indexing returns results across millions of historical records in under a second, with shareable saved queries for your team.
Real-time Alerting
Build alert rules from MITRE ATT&CK techniques, thresholds, or patterns. Deliver to Email, Webhook, LINE Notify, or downstream Syslog.
Forwarding & Cluster
Forward logs downstream to existing SIEMs with built-in buffering that survives network outages, and run multi-node clusters for high availability.
Hybrid PQC Forwarding
Ship logs between sites and downstream SIEMs over a hybrid post-quantum TLS tunnel that combines classical X25519 with ML-KEM-768 (NIST FIPS 203). Protects in-transit traffic against both today's attackers and harvest-now-decrypt-later quantum threats, and is configurable per forwarding destination without rewriting the existing pipeline.
Enterprise Authentication
Local accounts with TOTP 2FA, LDAP / Active Directory, and OAuth 2.0 (Google, Microsoft, GitHub) backed by a full per-user audit trail.
/ AI Assist

Turn raw log noise into human-readable insight

Built-in AI Log Analysis reads millions of raw events and produces a plain-language brief (what happened, what matters, and what to do next) so on-call engineers and auditors don't have to grep through gigabytes of unstructured text by hand.

sran.metalog · /analyze · ai-summary · live
AI Log Analysis · window 2026-05-17 02:00 → 14:32 · 1,842,917 events scanned
Event Summary (3 findings)
  • SSH brute force from 198.51.100.42: 47 failed logins targeting root and admin across 4 bastion hosts between 02:14–02:38 UTC. No successful authentication.
  • Outbound DNS to C2 candidate: Firewall logged 127 queries from app-12 to *.evilcdn.io within a 9-minute window; matches a recent IOC feed entry.
  • Database CPU saturation: Postgres on db-prod-2 sustained >92% CPU for 11 minutes; correlates with a malformed report query from analytics-api.
Security Issues (2 critical)
  • MITRE T1110 · Brute Force (Critical): credential-stuffing pattern detected. Same source IP previously hit dev-1 last Friday; recommend immediate blocklist.
  • MITRE T1071 · Application Layer Protocol (Critical): beaconing-like DNS resolution from app-12. Review parent process tree on host before further triage.
  • Stale TLS certificate (Warning): vpn.corp.local certificate expires in 6 days; renewal not yet scheduled.
Recommendations (3 actions)
  • Block 198.51.100.42 at edge firewall: Apply 24-hour blocklist and propagate to all bastion ACLs. Notify SOC #alerts channel.
  • Enforce SSH key-only on bastions: Disable password auth fleet-wide and rotate any service account that authenticated since 2026-05-10.
  • Quarantine app-12: Move host to the isolation VLAN, capture a memory image, and review parent processes before re-attaching.
Runs on-prem against your own log index; no raw data leaves the appliance. Model: pluggable LLM · local or BYO API key
/ Administration

Tune the platform from a built-in Settings panel

Operators don't need a separate management console: site-wide configuration, forwarder buffering, cluster topology, and time synchronization all live inside Metalog itself, exposed through a single Settings tree.

sran.metalog · /settings
General: Site-wide values such as system name, timezone, locale, default retention, log volume thresholds, and alert defaults. Change them once and they apply to the whole cluster, with no need to edit config files machine by machine.
Log Forward and Buffer: Set the queue size, retry policy, and batch interval for sending logs to a downstream SIEM. When the destination is temporarily offline, the buffer holds events in memory + disk and flushes them once it is back online, so the pipeline does not drop data.
HA Cluster: Define the cluster topology: add/remove nodes, assign primary & replica roles, and sync state across nodes for high availability. The system keeps receiving logs even when any one node is offline for maintenance.
Time Server: Set the system's upstream NTP source, with sync status shown. Important for Computer Crime Act §26, which requires log timestamps to be comparable to the national standard time.
/ Benefits

Lower cost, stronger security, painless compliance

01
90%
smaller log footprint

Cut your storage spend

With Zstd compression, 1 TB of raw logs compresses to ~100 GB. Keep 90 days of history on a single disk, with no extra NAS investment required.

02
§26
Computer Crime Act

Aligned with Thai regulation

Retain logs for 90+ days per statute, with tamper-evident hashing and a downloadable audit trail your inspectors can verify in seconds.

03
< 1s
to search 1M records

Respond to incidents faster

SOC analysts pivot through historical logs in seconds during an active incident: shorter MTTR, smaller blast radius, fewer escalations.

04
100%
end-to-end visibility

See every signal in one place

Endpoint, network, application, and honeypot logs converge in a single index, giving you the complete attack story rather than scattered fragments.

/ How it works

From ingestion to dashboard in 4 streaming stages

Everything runs as continuous streams, with no batch waits. Logs arriving now show up on the dashboard within seconds.

01
Ingest
Listeners accept UDP / TCP / TLS Syslog, Windows Event Log forwarders, SNMP traps on UDP/162, and files via rsyslog imfile.
02
Compress & Hash
Streams are Zstd-compressed in memory, written to disk as .metalog files, and registered with a SHA-256 hash.
03
Index
A background indexer scans new files every 30 seconds, splits records into DuckDB, and auto-extracts key fields.
04
Display & Alert
Dashboards update live; the alert engine evaluates rules every 60 seconds and the forwarder ships events to downstream destinations.
/ Product Tour

A look inside actual screens from the running platform

These are not mockups. Every screen below is captured straight from the product UI, the same dashboards your operators will use after install.

sran.metalog · /hosts
Log Sources Hosts
sran.metalog · /query
Search flexible log query
sran.metalog · /raw
Archive raw .metalog files by date
sran.metalog · /reports
Reports EPS, storage, top hosts
sran.metalog · /monitor
System Monitor CPU, RAM, disk, services

Ready to rethink the way your organization handles logs?

Try SRAN Metalog free for 30 days, no credit card required. Our team will help with installation and basic operator training.

/ Contact

Talk to us, from sizing to production rollout

Address

SRAN CyberTech
48/6 Soi Chaeng Watthana 14, Thung Song Hong Subdistrict,
Lak Si District, Bangkok 10210

Distribution Partner

บริษัท ทูนาเบิล โปรเจค จำกัด

Supports 20+ log source formats out of the box
Plus scheduled API pull from cloud & SaaS services