select * from logs;
Open source SIEM for instant log insights, powered by DuckDB. Analyze millions of events in seconds, right from your terminal.
Fall in love with blazing fast log analysis, and stay for our incredible community!
  • Hey Team ... Special thanks to @Ved for helping with multiple connection setup. Kudos to the team for amazing work. 👏 🎉
    Sandeep Kumar Patro
    Slack Community Member
  • Developers, maintainers, and even the CEO are all more than willing to dive into any issue or problem.
    Graza Andersson
    Open Source Contributor
  • Hi Team. Just want to tell you guys that you are doing good work. I really like the dashboard and the compliance package.
    Rasyid Dahbul
    Slack Community Member
  • 👏 This is beyond amazing!
    Ryan
    Slack Community Member
  • Hi, sorry for the late response but I finally figured out what the issue was... thank you very much for your awesome support as usual
    Dominik Bermühler
    Slack Community Member
  • Everyone is so friendly and helpful, I love being part of this community.
    Ellis Valentiner
    Lead Data Scientist - Virtual Facility
  • We are actively involved (and happy to publish and share plugins) due to the excellent support and engagement from the community.
    APS Group
    Open Source Contributors

Features

Hunt threats with open-source SIEM tooling

Tailpipe CLI

Cloud logs, SQL insights

Tailpipe collects logs from cloud, container and application sources. Query and analyze your data instantly with the power of SQL, right from your terminal.
CLI command: `tailpipe collect aws_cloudtrail_log`

Fast, local, and efficient

Tailpipe runs locally, powered by DuckDB's in-memory analytics and Parquet's optimized storage. Delivering high performance at low cost, it scales to handle massive datasets without expensive infrastructure.
MITRE ATT&CK Dashboard

An ecosystem of prebuilt intelligence

Get started fast with Powerpipe mods: MITRE ATT&CK-aligned queries, prebuilt detections, benchmarks, and dashboards. Open source and community-driven, Tailpipe comes ready with hundreds of examples to supercharge your analysis.
SIEM Dashboards as Code

Built to build with

Define detections as code, extend functionality with plugins and write custom SQL queries. Tailpipe is open source and designed for developers to adapt, extend and make it their own.
 
 

Use Cases

Insights across Security, Performance, and Cost

Are there repeated failed login attempts?

Threat Hunting
select
  event_name,
  user_identity,
  source_ip_address,
  count(*) as attempts
from aws_cloudtrail_log
-- CloudTrail records a failed console login as a ConsoleLogin event with
-- errorMessage = 'Failed authentication'; it does not set an error_code for it
where event_name = 'ConsoleLogin'
  and error_message = 'Failed authentication'
group by event_name, user_identity, source_ip_address
having count(*) > 5;

What resources were touched in the last hour?

Change Audit
select
  event_timestamp,
  resource_type,
  operation_name
from
  azure_activity_log
where
  -- current_date is midnight today, so current_date - 1 hour is yesterday evening,
  -- not the last hour; anchor the window on the current timestamp instead
  event_timestamp > now() - interval '1 hour'
order by
  event_timestamp desc;

What recent IAM changes have been made?

Security Audit
select
  event_time,
  event_name,
  user_identity,
  resources
from aws_cloudtrail_log
-- CloudTrail event names (CreateUser, AttachRolePolicy, ...) never contain "IAM";
-- the service is identified by event_source
where event_source = 'iam.amazonaws.com'
  -- keep write operations only; Get*, List*, Generate* and Simulate* are read-only
  and regexp_matches(event_name, '^(Create|Update|Put|Attach|Detach|Delete|Add|Remove|Tag|Untag|Set|Change|Upload|Deactivate|Enable)')
order by event_time desc
limit 20;

Where are critical events originating from?

Geolocation Queries
select
  tp_source_ip,
  service_name,
  resource,
  operation,
  metadata
from
  gcp_audit_log
where
  -- Cloud Logging severity values are upper case (WARNING, CRITICAL, ...), so the
  -- mixed-case literals matched nothing; IN takes a parenthesised value list
  severity in ('WARNING', 'CRITICAL', 'ALERT', 'EMERGENCY');
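Each query above answers one question with a single filter. As an added example (not from the Tailpipe project or its documentation), the following SQL extends the failed-login hunt into a windowed brute-force detection and then checks whether any burst was followed by a successful login from the same address. It assumes Tailpipe's common `tp_timestamp` and `tp_source_ip` columns on `aws_cloudtrail_log`, CloudTrail's `event_name` and `error_message` fields, and a `user_identity` struct exposing `arn` and `user_name`; the 10-minute window, the threshold of 5 failures and the 7-day lookback are assumptions to tune for your environment.

```sql
-- Added example, not part of the Tailpipe project. Assumes the aws_cloudtrail_log
-- columns tp_timestamp, tp_source_ip, event_name, error_message and a user_identity
-- struct with arn / user_name fields; window, threshold and lookback are assumptions.
with logins as (
  select
    tp_timestamp,
    tp_source_ip,
    -- failed attempts against unknown user names carry no arn, so fall back to user_name
    coalesce(user_identity.arn, user_identity.user_name) as principal_name,
    -- CloudTrail records a failed console login as ConsoleLogin with
    -- errorMessage = 'Failed authentication'; a success carries no error message
    error_message is null as succeeded
  from aws_cloudtrail_log
  where event_name = 'ConsoleLogin'
    and tp_timestamp >= now() - interval '7 days'
),
-- bucket failures into 10-minute windows per source IP so a burst stands out
-- even when the day's total stays under a flat threshold like count(*) > 5
failure_bursts as (
  select
    tp_source_ip,
    time_bucket(interval '10 minutes', tp_timestamp) as window_start,
    count(*) as failures,
    count(distinct principal_name) as principals_tried
  from logins
  where not succeeded
  group by all
  having count(*) >= 5
)
-- one row per burst; a non-null first_success_after_burst is the case to escalate:
-- the same address got in within an hour of hammering the console
select
  b.tp_source_ip,
  b.window_start,
  b.failures,
  b.principals_tried,
  min(s.tp_timestamp) as first_success_after_burst,
  s.principal_name as logged_in_as
from failure_bursts b
left join logins s
  on s.tp_source_ip = b.tp_source_ip
  and s.succeeded
  and s.tp_timestamp between b.window_start and b.window_start + interval '1 hour'
group by all
order by first_success_after_burst nulls last, b.failures desc;
```

Run it from `tailpipe query`. Bursts with a null `first_success_after_burst` are noise worth rate-limiting at the edge; the rows where it is populated name the principal to disable and the address to block first.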

How It Works

Get started analyzing logs in under 60 seconds.

Get started fast
Install Tailpipe & your favorite cloud service plugins locally.
$ brew install turbot/tap/tailpipe
$ tailpipe plugin install aws
...
Installed plugin: aws@latest
Collect your logs
Tailpipe can collect logs directly to your local device from source APIs, object storage or network locations.
$ tailpipe collect aws_cloudtrail_log
Artifacts:
Discovered: 20
Downloaded: 20 252MB
Rows:
Received: 1,939,207
Saved: 1,859,713
Completed: 15s
Explore your log data
Understand the size and shape of your logs to get a feel for where to start.
$ tailpipe query
> select count(*) from aws_cloudtrail_log;
+---------------+
| count_star(*) |
+---------------+
| 12,558,449 |
+---------------+
> .inspect aws_cloudtrail_log
...
Dig deeper with SQL
SQL eliminates friction between you and your data. Query, sort, group and filter using familiar SQL syntax.
select
error_code, count(*) as event_count
from
aws_cloudtrail_log
where
error_code is not null
group by
error_code
order by
event_count desc;
Detections as code with Powerpipe
Go even deeper with Powerpipe. Run (and learn from) existing industry benchmarks and MITRE ATT&CK detections, then start building your own as code.
Collaborate
Organize your analysis into code repos to share what you are building with your teams and our growing community.
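As a worked version of the explore-then-dig-deeper steps above (an added example, not from the Tailpipe docs), three queries that profile a freshly collected `aws_cloudtrail_log` table before any detection is written. They assume Tailpipe's `tp_date`, `tp_index` and `tp_timestamp` columns (with `tp_index` holding the AWS account id, which is assumed to be this table's default) alongside CloudTrail's `event_source`, `aws_region` and `error_code`; the approved-region list is a placeholder to replace.

```sql
-- Added example, not Tailpipe's own. Assumes tp_date, tp_index (AWS account id, assumed
-- default for this table), tp_timestamp, event_source, aws_region and error_code columns.

-- 1. Volume per day and account: a missing day is a collection gap, a spike means
--    something changed (a new workload, a scanner, or an attacker enumerating the API).
select
  tp_date,
  tp_index as account_id,
  count(*) as events
from aws_cloudtrail_log
group by all
order by tp_date, account_id;

-- 2. Which services dominate, and what fraction of their calls fail. A high error rate
--    on a service nobody uses is a cheaper first signal than any single error_code.
select
  event_source,
  count(*) as events,
  count(*) filter (where error_code is not null) as errors,
  round(100.0 * count(*) filter (where error_code is not null) / count(*), 1) as error_pct
from aws_cloudtrail_log
group by event_source
order by events desc
limit 15;

-- 3. Activity outside the regions you actually use. Replace the list with your own;
--    first_seen tells you whether the activity is new or has always been there.
select
  aws_region,
  count(*) as events,
  count(distinct event_source) as services,
  min(tp_timestamp) as first_seen
from aws_cloudtrail_log
where aws_region not in ('us-east-1', 'eu-west-1')  -- placeholder approved regions
group by aws_region
order by events desc;
```

The point of running these before the detection queries is baseline: the thresholds in any brute-force or IAM-change rule only mean something once you know the normal daily volume, the usual error rate per service, and which regions should be silent.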

Demos

See Tailpipe in Action

Tailpipe (GitHub)

select * from logs;

Open source SIEM for instant log insights, powered by DuckDB.
Powerpipe (GitHub)

Dashboards for DevOps.

Visualize cloud configurations. Assess security posture against a massive library of benchmarks. Build custom dashboards with code.
Steampipe (GitHub)

select * from cloud;

Drill deep into the table schemas and discover helpful example queries for 140 plugins.
Flowpipe (GitHub)

Workflow for DevOps.

Automate cloud operations. Coordinate people and pipelines. Build workflows as code.