rsigma-runtime 0.7.0

Streaming runtime for rsigma — event sources, sinks, and log processing pipeline
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56

# rsigma-runtime

Streaming runtime for [rsigma](https://github.com/timescale/rsigma) — input
format adapters, batch log processing, hot-reload, and pluggable metrics.

## Features

- **Input adapters**: JSON/NDJSON, syslog (RFC 3164/5424), logfmt, CEF, plain
  text, and auto-detect. Each adapter parses raw log lines into typed events
  implementing the `rsigma_eval::Event` trait.
- **`LogProcessor`**: batch evaluation pipeline with atomic engine swap via
  `ArcSwap`, `MetricsHook` for pluggable metrics, and `EventFilter` for JSON
  payload extraction.
- **`RuntimeEngine`**: wraps `Engine` and `CorrelationEngine` with rule loading,
  reload, and correlation state management.
- **I/O**: `EventSource` trait (stdin, HTTP, NATS) and `Sink` enum (stdout,
  file, NATS) with fan-out support.

## Usage

```rust
use std::sync::Arc;
use rsigma_eval::CorrelationConfig;
use rsigma_runtime::{InputFormat, LogProcessor, NoopMetrics, RuntimeEngine};

let mut engine = RuntimeEngine::new(
    "rules/".into(),
    vec![],
    CorrelationConfig::default(),
    false,
);
engine.load_rules().unwrap();

let processor = LogProcessor::new(engine, Arc::new(NoopMetrics));

let batch = vec![r#"{"CommandLine": "cmd /c whoami"}"#.to_string()];
let results = processor.process_batch_with_format(
    &batch,
    &InputFormat::Json,
    None,
);
```

See the [examples](examples/) directory for complete working programs.

## Feature flags

| Flag | Description |
|------|-------------|
| `logfmt` | Enable logfmt input adapter |
| `cef` | Enable CEF (ArcSight) input adapter |
| `nats` | Enable NATS JetStream source and sink |

## License

MIT