Expand description
§rsigma-runtime
Streaming runtime for rsigma — event sources, sinks, and log processing pipeline.
This crate extracts the streaming pipeline from the rsigma CLI daemon into
a reusable library. It provides:
- I/O adapters:
io::EventSourcetrait for inputs (stdin, NATS) andio::Sinkenum for outputs (stdout, file, NATS). - Engine wrapper:
RuntimeEnginewrapsrsigma-eval’sEngineandCorrelationEnginewith rule loading and state management. - Log processor:
LogProcessorcombines engine + metrics + event filtering into a batch processing pipeline with atomic hot-reload viaArcSwap. - Metrics abstraction:
MetricsHooktrait lets consumers plug in Prometheus, OpenTelemetry, or any other metrics backend without the runtime depending on a specific implementation.
§Example
use std::sync::Arc;
use rsigma_runtime::{LogProcessor, RuntimeEngine, NoopMetrics};
use rsigma_eval::CorrelationConfig;
let mut engine = RuntimeEngine::new(
"rules/".into(),
vec![],
CorrelationConfig::default(),
false,
);
engine.load_rules().unwrap();
let processor = LogProcessor::new(engine, Arc::new(NoopMetrics));
let batch = vec![r#"{"EventID": 1}"#.to_string()];
let results = processor.process_batch_lines(&batch, &|v| vec![v.clone()]);
for result in &results {
for r in result.iter().filter(|r| r.is_detection()) {
println!("Detection: {}", r.header.rule_title);
}
}Re-exports§
pub use engine::EngineStats;pub use engine::RuntimeEngine;pub use enrichment::CacheKey;pub use enrichment::CacheOutcome;pub use enrichment::CommandEnricher;pub use enrichment::EnrichError;pub use enrichment::EnrichErrorKind;pub use enrichment::Enricher;pub use enrichment::EnricherFactory;pub use enrichment::EnricherKind;pub use enrichment::EnrichmentPipeline;pub use enrichment::HttpEnricher;pub use enrichment::HttpEnricherClient;pub use enrichment::HttpResponseCache;pub use enrichment::LookupEnricher;pub use enrichment::OnError;pub use enrichment::OutputFormat;pub use enrichment::Scope;pub use enrichment::TemplateEnricher;pub use enrichment::TemplateError;pub use enrichment::build_default_http_client;pub use enrichment::lookup_builtin;pub use enrichment::register_builtin;pub use enrichment::validate_template_namespace;pub use error::RuntimeError;pub use input::EventInputDecoded;pub use input::InputFormat;pub use input::parse_line;pub use io::AckToken;pub use io::EventSource;pub use io::FileSink;pub use io::RawEvent;pub use io::Sink;pub use io::StdinSource;pub use io::StdoutSink;pub use io::spawn_source;pub use metrics::MetricsHook;pub use metrics::NoopMetrics;pub use processor::EventFilter;pub use processor::LogProcessor;pub use sources::refresh::RefreshResult;pub use sources::refresh::RefreshScheduler;pub use sources::refresh::RefreshTrigger;pub use sources::DefaultSourceResolver;pub use sources::ResolvedValue;pub use sources::SourceCache;pub use sources::SourceError;pub use sources::SourceErrorKind;pub use sources::SourceResolver;pub use sources::TemplateExpander;
Modules§
- engine
- enrichment
- Post-evaluation enrichment for the rsigma daemon.
- error
- input
- Input format adapters for the rsigma runtime.
- io
- metrics
- parse
- Log format parsers for the rsigma runtime.
- processor
- sources
- Dynamic source resolution for Sigma pipelines.
Structs§
- Field
Coverage - Borrowed view over a
FieldObservationjoined against aRuleFieldSet. Produced byFieldObservation::coverage. - Field
Observation - Immutable snapshot of an observer’s state at one moment in time.
- Field
Observation Entry - Single field-name counter as exposed via the snapshot API.
- Field
Observer - Capped, opt-in field-name counter shared across producers (the daemon’s event task, the eval streaming loop) and consumers (the daemon’s HTTP handlers, the eval report writer).
Traits§
- Process
Result Ext - Convenience iterators over a slice of
EvaluationResult.
Type Aliases§
- Process
Result - All
EvaluationResults produced for a single input event.