Built for compliance with Thailand's Computer Crime Act §26

Centralize every log from every device — intelligently

SRAN Metalog is a single Log Management Platform that ingests, stores, searches, and analyzes logs from every source in your environment — Windows Event Log, Syslog, network appliances, applications, and more — on one fast, secure, and cost-efficient architecture.

Supports 20+ log source formats out of the box
Windows Event Log, Syslog (RFC 5424), Linux rsyslog, Cisco, Fortinet, Suricata, Zeek, Honeypot, Kubernetes, SNMP Trap (v1/v2c/v3)
Plus scheduled API pull from cloud & SaaS services
AWS CloudTrail, Microsoft 365 / Entra ID, Google Workspace, Okta, GitHub Audit, Cloudflare, GCP Audit Logs
/ Features

Built for everything Operations, Security, and Compliance teams need

Shaped by real-world experience running infrastructure in regulated industries — easy to install, easy to operate, scales with your organization.

Multi-Source Ingestion
Receive Syslog, Windows Event Log, JSON, and file-based logs from network appliances, servers, and applications concurrently on a single listener.
SNMP Trap Receiver
Native SNMPv1 / v2c / v3 trap listener on UDP/162 ingests unsolicited alerts from switches, routers, firewalls, UPS, printers, and environmental sensors. Bundled MIB resolution translates numeric OIDs into human-readable events (linkUp, linkDown, coldStart, authFail) before they hit the index — so you can search "interface=Gi0/24" instead of decoding ".1.3.6.1.2.1.*" by hand.
Zstd Compression — 90% smaller
Streaming Zstandard compression cuts storage by 90% on average, with per-file SHA-256 hashes for tamper-evident integrity.
Millisecond Search
DuckDB-backed indexing returns results across millions of historical records in under a second, with shareable saved queries for your team.
Real-time Alerting
Build alert rules from MITRE ATT&CK techniques, thresholds, or patterns. Deliver to Email, Webhook, LINE Notify, or downstream Syslog.
Forwarding & Cluster
Forward logs downstream to existing SIEMs with built-in buffering that survives network outages, and run multi-node clusters for high availability.
Enterprise Authentication
Local accounts with TOTP 2FA, LDAP / Active Directory, and OAuth 2.0 (Google, Microsoft, GitHub) — backed by a full per-user audit trail.
/ AI Assist

Turn raw log noise into human-readable insight

Built-in AI Log Analysis reads millions of raw events and produces a plain-language brief — what happened, what matters, and what to do next — so on-call engineers and auditors don't have to grep through gigabytes of unstructured text by hand.

sran.metalog · /analyze · ai-summary · live
AI Log Analysis · window 2026-05-17 02:00 → 14:32 · 1,842,917 events scanned
Event Summary (3 findings)
  • SSH brute force from 198.51.100.42: 47 failed logins targeting root and admin across 4 bastion hosts between 02:14–02:38 UTC. No successful authentication.
  • Outbound DNS to C2 candidate: Firewall logged 127 queries from app-12 to *.evilcdn.io within a 9-minute window — matches a recent IOC feed entry.
  • Database CPU saturation: Postgres on db-prod-2 sustained >92% CPU for 11 minutes; correlates with a malformed report query from analytics-api.
Security Issues (2 critical)
  • MITRE T1110 · Brute Force (Critical): credential-stuffing pattern detected. Same source IP previously hit dev-1 last Friday; recommend immediate blocklist.
  • MITRE T1071 · Application Layer Protocol (Critical): beaconing-like DNS resolution from app-12. Review parent process tree on host before further triage.
  • Stale TLS certificate (Warning): vpn.corp.local certificate expires in 6 days; renewal not yet scheduled.
Recommendations (3 actions)
  • Block 198.51.100.42 at edge firewall: Apply 24-hour blocklist and propagate to all bastion ACLs. Notify SOC #alerts channel.
  • Enforce SSH key-only on bastions: Disable password auth fleet-wide and rotate any service account that authenticated since 2026-05-10.
  • Quarantine app-12: Move host to the isolation VLAN, capture a memory image, and review parent processes before re-attaching.
Runs on-prem against your own log index — no raw data leaves the appliance.
model: pluggable LLM · local or BYO API key
/ Administration

Tune the platform from a built-in Settings panel

Operators don't need a separate management console — site-wide configuration, forwarder buffering, cluster topology, and time synchronization all live inside Metalog itself, exposed through a single Settings tree.

sran.metalog · /settings
General
Site-wide values such as system name, timezone, locale, default retention, log volume thresholds, and alert defaults — change them once and they apply across the whole cluster, with no need to edit config files machine by machine.
Forwarder Buffer
Sets the queue size, retry policy, and batch interval for sending logs to a downstream SIEM — when the destination is temporarily offline, the buffer holds events in memory + disk and flushes them once it is back online, so the pipeline does not drop data.
HA Cluster
Defines the cluster topology — add/remove nodes, assign primary & replica roles, and sync state across nodes for high availability. The system keeps receiving logs even when any one node is offline for maintenance.
Time Server
Sets the system's upstream NTP server, with sync status — important for Computer Crime Act §26, which requires log timestamps to be comparable against the national standard time.
/ Benefits

Lower cost, stronger security, painless compliance

01 · 90% smaller log footprint

Cut your storage spend

With Zstd compression, 1 TB of raw logs compresses to ~100 GB. Keep 90 days of history on a single disk — no extra NAS investment required.

02 · §26 Computer Crime Act

Aligned with Thai regulation

Retain logs for 90+ days per statute, with tamper-evident hashing and a downloadable audit trail your inspectors can verify in seconds.

03 · < 1s to search 1M records

Respond to incidents faster

SOC analysts pivot through historical logs in seconds during an active incident — shorter MTTR, smaller blast radius, fewer escalations.

04 · 100% end-to-end visibility

See every signal in one place

Endpoint, network, application, and honeypot logs converge in a single index — giving you the complete attack story rather than scattered fragments.

/ How it works

From ingestion to dashboard in 4 streaming stages

Everything runs as continuous streams — no batch waits. Logs arriving now show up on the dashboard within seconds.

01 · Ingest
Listeners accept UDP / TCP / TLS Syslog, Windows Event Log forwarders, SNMP traps on UDP/162, and files via rsyslog imfile.
02 · Compress & Hash
Streams are Zstd-compressed in memory, written to disk as .metalog files, and registered with a SHA-256 hash.
03 · Index
A background indexer scans new files every 30 seconds, splits records into DuckDB, and auto-extracts key fields.
04 · Display & Alert
Dashboards update live; the alert engine evaluates rules every 60 seconds and the forwarder ships events to downstream destinations.
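
A per-file SHA-256 (stage 02) is tamper-evident only while the hash record itself cannot be silently rewritten. The sketch below is an added example, not SRAN Metalog's code or on-disk format: it assumes a hash-chained manifest plus a head hash stored somewhere the archive writer cannot change, and the file names and contents are constructed.

```python
import hashlib
GENESIS = "0" * 64  # chain seed for the first entry (assumption)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def register(manifest: list, name: str, blob: bytes) -> str:
    """Append a per-file hash chained to the previous entry; return the new head."""
    prev = manifest[-1]["chain"] if manifest else GENESIS
    file_hash = sha256_hex(blob)
    chain = sha256_hex(f"{prev}|{name}|{file_hash}".encode())
    manifest.append({"name": name, "sha256": file_hash, "chain": chain})
    return chain

def verify(manifest: list, files: dict, trusted_head: str) -> list:
    """Return findings; an empty list means archive and manifest are intact."""
    findings, prev = [], GENESIS
    for entry in manifest:
        name = entry["name"]
        expected = sha256_hex(f"{prev}|{name}|{entry['sha256']}".encode())
        if entry["chain"] != expected:
            findings.append(f"manifest entry altered: {name}")
        blob = files.get(name)
        if blob is None:
            findings.append(f"file missing: {name}")
        elif sha256_hex(blob) != entry["sha256"]:
            findings.append(f"file modified: {name}")
        prev = entry["chain"]
    if prev != trusted_head:
        findings.append("manifest head does not match trusted copy")
    return findings

def demo():
    # Constructed sample archive: file names and contents are made up.
    files = {"2026-05-16.metalog": b"compressed-bytes-day-1",
             "2026-05-17.metalog": b"compressed-bytes-day-2"}
    manifest, head = [], GENESIS
    for name, blob in files.items():
        head = register(manifest, name, blob)
    clean = verify(manifest, files, head)
    edited = dict(files, **{"2026-05-16.metalog": b"compressed-bytes-day-X"})
    case1 = verify(manifest, edited, head)   # file edited, manifest untouched
    forged = [dict(e) for e in manifest]     # stored hash rewritten to match
    forged[0]["sha256"] = sha256_hex(edited["2026-05-16.metalog"])
    case2 = verify(forged, edited, head)
    return clean, case1, case2

if __name__ == "__main__":
    print(demo())
```

If every chain value is recomputed after an edit, the entries become self-consistent again and only the comparison against the separately stored head exposes the change.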
/ Product Tour

A look inside — actual screens from the running platform

These are not mockups. Every screen below is captured straight from the product UI — same dashboards your operators will use after install.

sran.metalog · /hosts
Log Sources — Hosts
sran.metalog · /query
Search — flexible log query
sran.metalog · /raw
Archive — raw .metalog files by date
sran.metalog · /reports
Reports — EPS, storage, top hosts
sran.metalog · /monitor
System Monitor — CPU, RAM, disk, services

Ready to rethink the way your organization handles logs?

Try SRAN Metalog free for 30 days — no credit card required. Our team will help with installation and basic operator training.

/ Contact

Talk to us — from sizing to production rollout

Address

SRAN CyberTech
48/6 Soi Chaeng Watthana 14, Thung Song Hong Subdistrict
Lak Si District, Bangkok 10210

Distribution Partner

บริษัท ทูนาเบิล โปรเจค จำกัด