§rsigma-runtime
Streaming runtime for rsigma — event sources, sinks, and log processing pipeline.
This crate extracts the streaming pipeline from the rsigma CLI daemon into
a reusable library. It provides:
- I/O adapters: the `io::EventSource` trait for inputs (stdin, NATS) and the `io::Sink` enum for outputs (stdout, file, NATS).
- Engine wrapper: `RuntimeEngine` wraps rsigma-eval's `Engine` and `CorrelationEngine` with rule loading and state management.
- Log processor: `LogProcessor` combines engine + metrics + event filtering into a batch-processing pipeline with atomic hot-reload via `ArcSwap`.
- Metrics abstraction: the `MetricsHook` trait lets consumers plug in Prometheus, OpenTelemetry, or any other metrics backend without the runtime depending on a specific implementation.
§Example
use std::sync::Arc;
use rsigma_runtime::{LogProcessor, RuntimeEngine, NoopMetrics};
use rsigma_eval::CorrelationConfig;

// Build an engine over the rule directory. The relative path is presumably
// resolved against the process working directory — confirm in the
// `RuntimeEngine::new` docs. The meaning of the trailing `bool` flag is not
// shown on this page; check the constructor before copying it verbatim.
let mut engine = RuntimeEngine::new(
    "rules/".into(),
    vec![],
    CorrelationConfig::default(),
    false,
);
// A rule-loading failure panics here; a long-running daemon should
// propagate the error instead of unwrapping.
engine.load_rules().unwrap();

// Pair the engine with a no-op metrics hook; production code supplies a
// real `MetricsHook` implementation instead.
let processor = LogProcessor::new(engine, Arc::new(NoopMetrics));

// One raw JSON line per input event. The closure presumably maps each
// decoded event to the list of events handed to the engine; the identity
// mapping used here forwards every event unchanged.
let lines = vec![r#"{"EventID": 1}"#.to_string()];
let outcomes = processor.process_batch_lines(&lines, &|v| vec![v.clone()]);

// Flatten the per-event result sets and report only the detections.
let detections = outcomes
    .iter()
    .flat_map(|per_event| per_event.iter())
    .filter(|r| r.is_detection());
for hit in detections {
    println!("Detection: {}", hit.header.rule_title);
}
Re-exports§
pub use alert_pipeline::AlertPipeline;pub use alert_pipeline::AlertPipelineConfigError;pub use alert_pipeline::AlertPipelineFile;pub use alert_pipeline::AlertPipelineSnapshot;pub use alert_pipeline::AlertPipelineState;pub use alert_pipeline::DEFAULT_MAX_DYNAMIC_SILENCES;pub use alert_pipeline::DedupStore;pub use alert_pipeline::GroupMode;pub use alert_pipeline::IncidentRef;pub use alert_pipeline::IncidentResult;pub use alert_pipeline::IncidentStore;pub use alert_pipeline::IncludeMode;pub use alert_pipeline::MatchOp;pub use alert_pipeline::Matcher;pub use alert_pipeline::MatcherError;pub use alert_pipeline::MatcherSet;pub use alert_pipeline::MatcherSpec;pub use alert_pipeline::SNAPSHOT_VERSION;pub use alert_pipeline::Silence;pub use alert_pipeline::SilenceError;pub use alert_pipeline::SilenceOrigin;pub use alert_pipeline::SilenceSpec;pub use alert_pipeline::SilenceState;pub use alert_pipeline::SilenceStore;pub use alert_pipeline::SilenceView;pub use alert_pipeline::TickOutput;pub use alert_pipeline::build_alert_pipeline;pub use alert_pipeline::load_alert_pipeline_file;pub use alert_pipeline::parse_alert_pipeline_config;pub use dispositions::Disposition;pub use dispositions::DispositionConfig;pub use dispositions::DispositionError;pub use dispositions::DispositionScope;pub use dispositions::DispositionSnapshot;pub use dispositions::DispositionStore;pub use dispositions::IngestOutcome;pub use dispositions::Numerator;pub use dispositions::RawDisposition;pub use dispositions::RuleSummary;pub use dispositions::Verdict;pub use dispositions::parse_dispositions;pub use dispositions::triage_feed;pub use egress::EgressDenial;pub use egress::EgressFilteredResolver;pub use egress::EgressPolicy;pub use egress::default_egress_policy;pub use egress::set_default_egress_policy;pub use engine::EngineStats;pub use engine::RoutingSpec;pub use engine::RuntimeEngine;pub use enrichment::config::EnricherConfig;pub use enrichment::config::EnrichersConfigError;pub use 
enrichment::config::EnrichersFile;pub use enrichment::config::build_enrichers;pub use enrichment::config::build_enrichers_full;pub use enrichment::config::load_enrichers_file;pub use enrichment::CacheKey;pub use enrichment::CacheOutcome;pub use enrichment::CommandEnricher;pub use enrichment::EnrichError;pub use enrichment::EnrichErrorKind;pub use enrichment::Enricher;pub use enrichment::EnricherFactory;pub use enrichment::EnricherKind;pub use enrichment::EnrichmentPipeline;pub use enrichment::HttpEnricher;pub use enrichment::HttpEnricherClient;pub use enrichment::HttpResponseCache;pub use enrichment::LookupEnricher;pub use enrichment::OnError;pub use enrichment::OutputFormat;pub use enrichment::Scope;pub use enrichment::TemplateEnricher;pub use enrichment::TemplateError;pub use enrichment::build_default_http_client;pub use enrichment::lookup_builtin;pub use enrichment::register_builtin;pub use enrichment::validate_template_namespace;pub use error::RuntimeError;pub use input::EventInputDecoded;pub use input::InputFormat;pub use input::parse_line;pub use io::webhook::BuiltWebhook;pub use io::webhook::WebhookConfig;pub use io::webhook::WebhookConfigError;pub use io::webhook::WebhookKind;pub use io::webhook::WebhookSink;pub use io::webhook::WebhooksFile;pub use io::webhook::build_webhooks;pub use io::webhook::load_webhooks_file;pub use io::AckToken;pub use io::DeliveryConfig;pub use io::DeliveryContext;pub use io::DeliveryFailure;pub use io::DeliverySink;pub use io::Dispatcher;pub use io::EventSource;pub use io::FileSink;pub use io::IncidentEnvelope;pub use io::OnFull;pub use io::RawEvent;pub use io::Sink;pub use io::StdinSource;pub use io::StdoutSink;pub use io::spawn_source;pub use metrics::MetricsHook;pub use metrics::NoopMetrics;pub use pipeline_deprecation::warn_pipeline_inline_sources;pub use processor::EventFilter;pub use processor::LogProcessor;pub use risk::IncidentConfig as RiskIncidentConfig;pub use risk::RiskCaps;pub use risk::RiskConfigError;pub use 
risk::RiskEntityView;pub use risk::RiskFile;pub use risk::RiskIncidentResult;pub use risk::RiskLayer;pub use risk::RiskObject;pub use risk::RiskOutput;pub use risk::RiskRef;pub use risk::RiskState;pub use risk::RiskStateSnapshot;pub use risk::SNAPSHOT_VERSION as RISK_SNAPSHOT_VERSION;pub use risk::build_risk_layer;pub use risk::load_risk_file;pub use risk::parse_risk_config;pub use selector::Selector;pub use selector::SelectorParseError;pub use tap::TapPayload;pub use tap::TapRegistry;pub use tap::TapSessionHandle;pub use tap::TapStage;pub use sources::refresh::RefreshResult;pub use sources::refresh::RefreshScheduler;pub use sources::refresh::RefreshTrigger;pub use sources::refresh::SourceSubscription;pub use sources::DefaultSourceResolver;pub use sources::ResolvedValue;pub use sources::SourceCache;pub use sources::SourceError;pub use sources::SourceErrorKind;pub use sources::SourceResolver;pub use sources::TemplateExpander;
Modules§
- alert_pipeline - Post-engine alert-processing layer.
- dispositions
- Triage feedback loop: analyst dispositions and the per-rule false-positive ratio.
- egress
- Egress policy enforcement for outbound HTTP traffic (see the `EgressPolicy`, `default_egress_policy`/`set_default_egress_policy` and `EgressFilteredResolver` re-exports).
- engine
- enrichment
- Post-evaluation enrichment for the rsigma daemon.
- error
- input
- Input format adapters for the rsigma runtime.
- io
- metrics
- parse
- Log format parsers for the rsigma runtime.
- pipeline_deprecation - Deprecation warnings for pipeline-embedded configuration that is being removed in a future release.
- processor
- risk
- Post-engine risk-based alerting layer.
- scope
- Scope filtering for post-evaluation stages.
- selector
- Field-selector namespace shared by the post-engine sink layers.
- sources
- Dynamic source resolution for Sigma pipelines.
- tap
- Live event-tap capture for the daemon.
Structs§
- FieldCoverage - Borrowed view over a `FieldObservation` joined against a `RuleFieldSet`. Produced by `FieldObservation::coverage`.
- FieldObservation - Immutable snapshot of an observer's state at one moment in time.
- FieldObservationEntry - Single field-name counter as exposed via the snapshot API.
- FieldObserver - Capped, opt-in field-name counter shared across producers (the daemon's event task, the eval streaming loop) and consumers (the daemon's HTTP handlers, the eval report writer). The key cap bounds memory because the counted field names come from event content.
- SchemaClassifier - Recognizes the schema of parsed events from a set of signatures.
- SchemaCountEntry - One per-schema counter as exposed via `SchemaObserver::snapshot`.
- SchemaObservation - Immutable snapshot of a `SchemaObserver` at one moment.
- SchemaObserver - Opt-in counter that classifies each observed event and tallies per-schema (and unknown) totals. Mirrors the design of `FieldObserver`: shared behind an `Arc`, cheap repeated snapshots, monotonic lifetime counters for a Prometheus bridge. The schema set is small and bounded, so there is no key cap.
Enums§
- SchemaError - Errors raised while loading user schema signatures.
Traits§
- ProcessResultExt - Convenience iterators over a slice of `EvaluationResult`.
Functions§
- load_schema_signatures - Load user schema signatures from a YAML file path.
Type Aliases§
- ProcessResult - All `EvaluationResult`s produced for a single input event.