Crate rsigma_runtime

rsigma-runtime

Streaming runtime for rsigma — event sources, sinks, and log processing pipeline.

This crate extracts the streaming pipeline from the rsigma CLI daemon into a reusable library. It provides:

  • I/O adapters: io::EventSource trait for inputs (stdin, NATS) and io::Sink enum for outputs (stdout, file, NATS).
  • Engine wrapper: RuntimeEngine wraps rsigma-eval’s Engine and CorrelationEngine with rule loading and state management.
  • Log processor: LogProcessor combines engine + metrics + event filtering into a batch processing pipeline with atomic hot-reload via ArcSwap.
  • Metrics abstraction: MetricsHook trait lets consumers plug in Prometheus, OpenTelemetry, or any other metrics backend without the runtime depending on a specific implementation.

Example

// Minimal end-to-end use of the crate: build an engine, load rules,
// wrap it in a LogProcessor and evaluate one batch of JSON lines.
use std::sync::Arc;
use rsigma_runtime::{LogProcessor, RuntimeEngine, NoopMetrics};
use rsigma_eval::CorrelationConfig;

fn main() {
    // Engine over the rule directory "rules/", with default correlation
    // settings; see RuntimeEngine::new for the remaining parameters.
    let mut engine = RuntimeEngine::new(
        "rules/".into(),
        vec![],
        CorrelationConfig::default(),
        false,
    );
    engine.load_rules().unwrap();

    // NoopMetrics discards all metrics; swap in a MetricsHook
    // implementation to export to Prometheus, OpenTelemetry, etc.
    let processor = LogProcessor::new(engine, Arc::new(NoopMetrics));

    // One batch of raw JSON event lines.
    let batch = vec![r#"{"EventID": 1}"#.to_string()];
    // The closure maps each parsed event to the list of events to
    // evaluate; here every event is passed through unchanged.
    let results = processor.process_batch_lines(&batch, &|v| vec![v.clone()]);

    // Each input line yields a ProcessResult; report only the detections.
    for result in &results {
        for r in result.iter().filter(|r| r.is_detection()) {
            println!("Detection: {}", r.header.rule_title);
        }
    }
}

Re-exports

pub use alert_pipeline::AlertPipeline;
pub use alert_pipeline::AlertPipelineConfigError;
pub use alert_pipeline::AlertPipelineFile;
pub use alert_pipeline::AlertPipelineSnapshot;
pub use alert_pipeline::AlertPipelineState;
pub use alert_pipeline::DEFAULT_MAX_DYNAMIC_SILENCES;
pub use alert_pipeline::DedupStore;
pub use alert_pipeline::GroupMode;
pub use alert_pipeline::IncidentRef;
pub use alert_pipeline::IncidentResult;
pub use alert_pipeline::IncidentStore;
pub use alert_pipeline::IncludeMode;
pub use alert_pipeline::MatchOp;
pub use alert_pipeline::Matcher;
pub use alert_pipeline::MatcherError;
pub use alert_pipeline::MatcherSet;
pub use alert_pipeline::MatcherSpec;
pub use alert_pipeline::SNAPSHOT_VERSION;
pub use alert_pipeline::Silence;
pub use alert_pipeline::SilenceError;
pub use alert_pipeline::SilenceOrigin;
pub use alert_pipeline::SilenceSpec;
pub use alert_pipeline::SilenceState;
pub use alert_pipeline::SilenceStore;
pub use alert_pipeline::SilenceView;
pub use alert_pipeline::TickOutput;
pub use alert_pipeline::build_alert_pipeline;
pub use alert_pipeline::load_alert_pipeline_file;
pub use alert_pipeline::parse_alert_pipeline_config;
pub use dispositions::Disposition;
pub use dispositions::DispositionConfig;
pub use dispositions::DispositionError;
pub use dispositions::DispositionScope;
pub use dispositions::DispositionSnapshot;
pub use dispositions::DispositionStore;
pub use dispositions::IngestOutcome;
pub use dispositions::Numerator;
pub use dispositions::RawDisposition;
pub use dispositions::RuleSummary;
pub use dispositions::Verdict;
pub use dispositions::parse_dispositions;
pub use dispositions::triage_feed;
pub use egress::EgressDenial;
pub use egress::EgressFilteredResolver;
pub use egress::EgressPolicy;
pub use egress::default_egress_policy;
pub use egress::set_default_egress_policy;
pub use engine::EngineStats;
pub use engine::RoutingSpec;
pub use engine::RuntimeEngine;
pub use enrichment::config::EnricherConfig;
pub use enrichment::config::EnrichersConfigError;
pub use enrichment::config::EnrichersFile;
pub use enrichment::config::build_enrichers;
pub use enrichment::config::build_enrichers_full;
pub use enrichment::config::load_enrichers_file;
pub use enrichment::CacheKey;
pub use enrichment::CacheOutcome;
pub use enrichment::CommandEnricher;
pub use enrichment::EnrichError;
pub use enrichment::EnrichErrorKind;
pub use enrichment::Enricher;
pub use enrichment::EnricherFactory;
pub use enrichment::EnricherKind;
pub use enrichment::EnrichmentPipeline;
pub use enrichment::HttpEnricher;
pub use enrichment::HttpEnricherClient;
pub use enrichment::HttpResponseCache;
pub use enrichment::LookupEnricher;
pub use enrichment::OnError;
pub use enrichment::OutputFormat;
pub use enrichment::Scope;
pub use enrichment::TemplateEnricher;
pub use enrichment::TemplateError;
pub use enrichment::build_default_http_client;
pub use enrichment::lookup_builtin;
pub use enrichment::register_builtin;
pub use enrichment::validate_template_namespace;
pub use error::RuntimeError;
pub use input::EventInputDecoded;
pub use input::InputFormat;
pub use input::parse_line;
pub use io::webhook::BuiltWebhook;
pub use io::webhook::WebhookConfig;
pub use io::webhook::WebhookConfigError;
pub use io::webhook::WebhookKind;
pub use io::webhook::WebhookSink;
pub use io::webhook::WebhooksFile;
pub use io::webhook::build_webhooks;
pub use io::webhook::load_webhooks_file;
pub use io::AckToken;
pub use io::DeliveryConfig;
pub use io::DeliveryContext;
pub use io::DeliveryFailure;
pub use io::DeliverySink;
pub use io::Dispatcher;
pub use io::EventSource;
pub use io::FileSink;
pub use io::IncidentEnvelope;
pub use io::OnFull;
pub use io::RawEvent;
pub use io::Sink;
pub use io::StdinSource;
pub use io::StdoutSink;
pub use io::spawn_source;
pub use metrics::MetricsHook;
pub use metrics::NoopMetrics;
pub use pipeline_deprecation::warn_pipeline_inline_sources;
pub use processor::EventFilter;
pub use processor::LogProcessor;
pub use risk::IncidentConfig as RiskIncidentConfig;
pub use risk::RiskCaps;
pub use risk::RiskConfigError;
pub use risk::RiskEntityView;
pub use risk::RiskFile;
pub use risk::RiskIncidentResult;
pub use risk::RiskLayer;
pub use risk::RiskObject;
pub use risk::RiskOutput;
pub use risk::RiskRef;
pub use risk::RiskState;
pub use risk::RiskStateSnapshot;
pub use risk::SNAPSHOT_VERSION as RISK_SNAPSHOT_VERSION;
pub use risk::build_risk_layer;
pub use risk::load_risk_file;
pub use risk::parse_risk_config;
pub use selector::Selector;
pub use selector::SelectorParseError;
pub use tap::TapPayload;
pub use tap::TapRegistry;
pub use tap::TapSessionHandle;
pub use tap::TapStage;
pub use sources::refresh::RefreshResult;
pub use sources::refresh::RefreshScheduler;
pub use sources::refresh::RefreshTrigger;
pub use sources::refresh::SourceSubscription;
pub use sources::DefaultSourceResolver;
pub use sources::ResolvedValue;
pub use sources::SourceCache;
pub use sources::SourceError;
pub use sources::SourceErrorKind;
pub use sources::SourceResolver;
pub use sources::TemplateExpander;

Modules

  • alert_pipeline: Post-engine alert-processing layer.
  • dispositions: Triage feedback loop: analyst dispositions and the per-rule false-positive ratio.
  • egress: Egress policy enforcement for outbound HTTP traffic.
  • engine
  • enrichment: Post-evaluation enrichment for the rsigma daemon.
  • error
  • input: Input format adapters for the rsigma runtime.
  • io
  • metrics
  • parse: Log format parsers for the rsigma runtime.
  • pipeline_deprecation: Deprecation warnings for pipeline-embedded configuration that is being removed in a future release.
  • processor
  • risk: Post-engine risk-based alerting layer.
  • scope: Scope filtering for post-evaluation stages.
  • selector: Field-selector namespace shared by the post-engine sink layers.
  • sources: Dynamic source resolution for Sigma pipelines.
  • tap: Live event-tap capture for the daemon.

Structs

  • FieldCoverage: Borrowed view over a FieldObservation joined against a RuleFieldSet. Produced by FieldObservation::coverage.
  • FieldObservation: Immutable snapshot of an observer’s state at one moment in time.
  • FieldObservationEntry: Single field-name counter as exposed via the snapshot API.
  • FieldObserver: Capped, opt-in field-name counter shared across producers (the daemon’s event task, the eval streaming loop) and consumers (the daemon’s HTTP handlers, the eval report writer).
  • SchemaClassifier: Recognizes the schema of parsed events from a set of signatures.
  • SchemaCountEntry: One per-schema counter as exposed via SchemaObserver::snapshot.
  • SchemaObservation: Immutable snapshot of a SchemaObserver at one moment.
  • SchemaObserver: Opt-in counter that classifies each observed event and tallies per-schema (and unknown) totals. Mirrors the design of FieldObserver: shared behind an Arc, cheap repeated snapshots, monotonic lifetime counters for a Prometheus bridge. The schema set is small and bounded, so there is no key cap.

Enums

  • SchemaError: Errors raised while loading user schema signatures.

Traits

  • ProcessResultExt: Convenience iterators over a slice of EvaluationResult.

Functions

  • load_schema_signatures: Load user schema signatures from a YAML file path.

Type Aliases

  • ProcessResult: All EvaluationResult values produced for a single input event.