Skip to main content

RuntimeEngine

rsigma_runtime::engine

Struct RuntimeEngine 

Source 
pub struct RuntimeEngine { /* private fields */ }
Expand description

Wraps a CorrelationEngine (or a plain Engine) and provides the interface the runtime needs: process events, reload rules, and query state.

Implementations§

Source§

impl RuntimeEngine

Source

pub fn new( rules_path: PathBuf, pipelines: Vec<Pipeline>, corr_config: CorrelationConfig, include_event: bool, ) -> Self

Source

pub fn load_rules(&mut self) -> Result<EngineStats, String>

Load (or reload) rules from the configured path.

On reload, correlation state is exported before replacing the engine and re-imported after, so in-flight windows and suppression state survive rule changes (entries for removed correlations are dropped).

Source

pub fn process_batch<E: Event + Sync>( &mut self, events: &[&E], ) -> Vec<ProcessResult>

Process a batch of events using parallel detection + sequential correlation.

Delegates to Engine::evaluate_batch or CorrelationEngine::process_batch depending on whether correlation rules are loaded.

Source

pub fn stats(&self) -> EngineStats

Return summary statistics about the current engine state.

Source

pub fn rules_path(&self) -> &Path

Return the path from which rules are loaded.

Source

pub fn pipelines(&self) -> &[Pipeline]

Return the configured processing pipelines.

Source

pub fn corr_config(&self) -> &CorrelationConfig

Return the correlation configuration.

Source

pub fn include_event(&self) -> bool

Whether detection results include the matched event.

Source

pub fn export_state(&self) -> Option<CorrelationSnapshot>

Export correlation state as a serializable snapshot. Returns None if the engine is detection-only (no correlation state to persist).

Source

pub fn import_state(&mut self, snapshot: &CorrelationSnapshot) -> bool

Import previously exported correlation state. Returns true if the import succeeded, false if the snapshot version is incompatible. No-op (returns true) if the engine is detection-only.

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T> Instrument for T

Source§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more
Source§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> IntoEither for T

Source§

fn into_either(self, into_left: bool) -> Either<Self, Self>

Converts self into a Left variant of Either<Self, Self> if into_left is true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more
Source§

fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
where F: FnOnce(&Self) -> bool,

Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more
Source§

impl<T> Pointable for T

Source§

const ALIGN: usize

The alignment of pointer.
Source§

type Init = T

The type for initializers.
Source§

unsafe fn init(init: <T as Pointable>::Init) -> usize

Initializes a with the given initializer. Read more
Source§

unsafe fn deref<'a>(ptr: usize) -> &'a T

Dereferences the given pointer. Read more
Source§

unsafe fn deref_mut<'a>(ptr: usize) -> &'a mut T

Mutably dereferences the given pointer. Read more
Source§

unsafe fn drop(ptr: usize)

Drops the object pointed to by the given pointer. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<T> WithSubscriber for T

Source§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more