Crate rsigma_runtime

§rsigma-runtime

Streaming runtime for rsigma — event sources, sinks, and log processing pipeline.

This crate extracts the streaming pipeline from the rsigma CLI daemon into a reusable library. It provides:

  • I/O adapters: io::EventSource trait for inputs (stdin, NATS) and io::Sink enum for outputs (stdout, file, NATS).
  • Engine wrapper: RuntimeEngine wraps rsigma-eval’s Engine and CorrelationEngine with rule loading and state management.
  • Log processor: LogProcessor combines engine + metrics + event filtering into a batch processing pipeline with atomic hot-reload via ArcSwap.
  • Metrics abstraction: MetricsHook trait lets consumers plug in Prometheus, OpenTelemetry, or any other metrics backend without the runtime depending on a specific implementation.

§Example

use std::sync::Arc;
use rsigma_runtime::{LogProcessor, RuntimeEngine, NoopMetrics};
use rsigma_eval::CorrelationConfig;

// Build an engine over the `rules/` directory with default correlation settings,
// then load the rules from disk.
let mut engine = RuntimeEngine::new(
    "rules/".into(),
    vec![],
    CorrelationConfig::default(),
    false,
);
engine.load_rules().unwrap();

// Wrap the engine in a processor; `NoopMetrics` discards all metrics.
let processor = LogProcessor::new(engine, Arc::new(NoopMetrics));

// One raw JSON line per batch entry. The closure is the event filter: this
// identity filter passes every decoded event through unchanged.
let batch = vec![r#"{"EventID": 1}"#.to_string()];
let results = processor.process_batch_lines(&batch, &|v| vec![v.clone()]);
// One result per input line, each carrying the detections it triggered.
for result in &results {
    for det in &result.detections {
        println!("Detection: {}", det.rule_title);
    }
}
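To make the filter step concrete, here is an added, self-contained sketch of the same batch / filter / evaluate shape using std only; it is not the crate's code. `Rule`, `parse_kv_line`, `process_batch_lines` and `fan_out_filter` are mock stand-ins working on `key=value` lines instead of the JSON and Sigma rules the real crate handles, and it assumes that a filter returning an empty Vec drops the event while a longer Vec fans it out.

```rust
use std::collections::HashMap;

// Constructed stand-in for a decoded event (the crate decodes JSON; this mock
// parses `key=value` lines so it runs with std only).
type Event = HashMap<String, String>;

/// Hypothetical rule: every listed field must equal the listed value.
struct Rule { title: &'static str, conds: Vec<(&'static str, &'static str)> }

impl Rule {
    fn matches(&self, ev: &Event) -> bool {
        self.conds.iter().all(|(k, v)| ev.get(*k).map_or(false, |x| x.as_str() == *v))
    }
}

/// Parse one constructed `k=v k=v` line into an event (mock, not the crate's parse_line).
fn parse_kv_line(line: &str) -> Event {
    line.split_whitespace()
        .filter_map(|kv| kv.split_once('='))
        .map(|(k, v)| (k.to_string(), v.to_string()))
        .collect()
}

/// Same shape as the page's batch call: each decoded line passes through the filter,
/// which may drop it (empty Vec) or fan it out (several events); every surviving
/// event is evaluated against all rules. Returns the matched rule titles per line.
fn process_batch_lines(
    rules: &[Rule], batch: &[String], filter: &dyn Fn(&Event) -> Vec<Event>,
) -> Vec<Vec<&'static str>> {
    batch.iter().map(|line| {
        let mut hits = Vec::new();
        for ev in filter(&parse_kv_line(line)) {
            hits.extend(rules.iter().filter(|r| r.matches(&ev)).map(|r| r.title));
        }
        hits
    }).collect()
}

/// Example filter: drop events without an EventID before they reach the engine,
/// and split a `hosts=a,b` event into one event per host.
fn fan_out_filter(ev: &Event) -> Vec<Event> {
    if !ev.contains_key("EventID") { return vec![]; }
    let hosts = match ev.get("hosts") { Some(h) => h, None => return vec![ev.clone()] };
    hosts.split(',').map(|h| {
        let mut e = ev.clone();
        e.remove("hosts");
        e.insert("host".into(), h.to_string());
        e
    }).collect()
}
```

Because results stay aligned with input lines, a dropped line yields an empty hit list rather than shifting later results.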

Re-exports§

pub use engine::EngineStats;
pub use engine::RuntimeEngine;
pub use error::RuntimeError;
pub use input::EventInputDecoded;
pub use input::InputFormat;
pub use input::parse_line;
pub use io::AckToken;
pub use io::EventSource;
pub use io::FileSink;
pub use io::RawEvent;
pub use io::Sink;
pub use io::StdinSource;
pub use io::StdoutSink;
pub use io::spawn_source;
pub use metrics::MetricsHook;
pub use metrics::NoopMetrics;
pub use processor::EventFilter;
pub use processor::LogProcessor;
pub use sources::refresh::RefreshResult;
pub use sources::refresh::RefreshScheduler;
pub use sources::refresh::RefreshTrigger;
pub use sources::DefaultSourceResolver;
pub use sources::ResolvedValue;
pub use sources::SourceCache;
pub use sources::SourceError;
pub use sources::SourceErrorKind;
pub use sources::SourceResolver;
pub use sources::TemplateExpander;

Modules§

engine
error
input: Input format adapters for the rsigma runtime.
io
metrics
parse: Log format parsers for the rsigma runtime.
processor
sources: Dynamic source resolution for Sigma pipelines.

Structs§

ProcessResult: Combined result from processing a single event.