Skip to main content

rsigma_runtime/
lib.rs

1//! # rsigma-runtime
2//!
3//! Streaming runtime for rsigma — event sources, sinks, and log processing pipeline.
4//!
5//! This crate extracts the streaming pipeline from the `rsigma` CLI daemon into
6//! a reusable library. It provides:
7//!
8//! - **I/O adapters**: [`io::EventSource`] trait for inputs (stdin, NATS) and
9//!   [`io::Sink`] enum for outputs (stdout, file, NATS).
10//! - **Engine wrapper**: [`RuntimeEngine`] wraps `rsigma-eval`'s `Engine` and
11//!   `CorrelationEngine` with rule loading and state management.
12//! - **Log processor**: [`LogProcessor`] combines engine + metrics + event
13//!   filtering into a batch processing pipeline with atomic hot-reload via
14//!   `ArcSwap`.
15//! - **Metrics abstraction**: [`MetricsHook`] trait lets consumers plug in
16//!   Prometheus, OpenTelemetry, or any other metrics backend without the
17//!   runtime depending on a specific implementation.
18//!
19//! # Example
20//!
21//! ```rust,no_run
22//! use std::sync::Arc;
23//! use rsigma_runtime::{LogProcessor, RuntimeEngine, NoopMetrics};
24//! use rsigma_eval::CorrelationConfig;
25//!
26//! let mut engine = RuntimeEngine::new(
27//!     "rules/".into(),
28//!     vec![],
29//!     CorrelationConfig::default(),
30//!     false,
31//! );
32//! engine.load_rules().unwrap();
33//!
34//! let processor = LogProcessor::new(engine, Arc::new(NoopMetrics));
35//!
36//! let batch = vec![r#"{"EventID": 1}"#.to_string()];
37//! let results = processor.process_batch_lines(&batch, &|v| vec![v.clone()]);
38//! for result in &results {
39//!     for det in &result.detections {
40//!         println!("Detection: {}", det.rule_title);
41//!     }
42//! }
43//! ```
44
45pub mod engine;
46pub mod error;
47pub mod input;
48pub mod io;
49pub mod metrics;
50pub mod parse;
51pub mod processor;
52pub mod sources;
53
54pub use engine::{EngineStats, RuntimeEngine};
55pub use error::RuntimeError;
56pub use input::{EventInputDecoded, InputFormat, parse_line};
57pub use io::{
58    AckToken, EventSource, FileSink, RawEvent, Sink, StdinSource, StdoutSink, spawn_source,
59};
60pub use metrics::{MetricsHook, NoopMetrics};
61pub use processor::{EventFilter, LogProcessor};
62
63pub use rsigma_eval::ProcessResult;
64pub use sources::refresh::{RefreshResult, RefreshScheduler, RefreshTrigger};
65pub use sources::{
66    DefaultSourceResolver, ResolvedValue, SourceCache, SourceError, SourceErrorKind,
67    SourceResolver, TemplateExpander,
68};
69
70#[cfg(feature = "nats")]
71pub use io::{NatsConnectConfig, NatsSink, NatsSource, ReplayPolicy};
72
73#[cfg(feature = "evtx")]
74pub use input::evtx::{EvtxError, EvtxFileReader};
75
76#[cfg(feature = "otlp")]
77pub use io::otlp::{
78    ExportLogsServiceRequest, ExportLogsServiceResponse, LogsService, LogsServiceServer,
79    logs_request_to_raw_events,
80};