Crate rsigma_runtime

rsigma-runtime

Streaming runtime for rsigma — event sources, sinks, and log processing pipeline.

This crate extracts the streaming pipeline from the rsigma CLI daemon into a reusable library. It provides:

  • I/O adapters: io::EventSource trait for inputs (stdin, NATS) and io::Sink enum for outputs (stdout, file, NATS).
  • Engine wrapper: RuntimeEngine wraps rsigma-eval’s Engine and CorrelationEngine with rule loading and state management.
  • Log processor: LogProcessor combines engine + metrics + event filtering into a batch processing pipeline with atomic hot-reload via ArcSwap.
  • Metrics abstraction: MetricsHook trait lets consumers plug in Prometheus, OpenTelemetry, or any other metrics backend without the runtime depending on a specific implementation.

Example

use std::sync::Arc;
use rsigma_runtime::{LogProcessor, RuntimeEngine, NoopMetrics};
use rsigma_eval::CorrelationConfig;

// Build the engine around a rules directory; the remaining arguments
// (extra inputs, correlation settings, flag) are left at their defaults here.
let mut engine = RuntimeEngine::new(
    "rules/".into(),
    vec![],
    CorrelationConfig::default(),
    false,
);
// Load every rule under rules/. A rule that fails to load aborts the example.
engine.load_rules().unwrap();

// Wrap the engine in a processor; NoopMetrics discards all metrics.
let processor = LogProcessor::new(engine, Arc::new(NoopMetrics));

// One batch of raw JSON lines. The closure maps each decoded event to the
// list of values the engine should evaluate; here the identity mapping.
let batch = vec![r#"{"EventID": 1}"#.to_string()];
let results = processor.process_batch_lines(&batch, &|v| vec![v.clone()]);
// results holds one ProcessResult per input line; report only the matches.
for result in &results {
    for r in result.iter().filter(|r| r.is_detection()) {
        println!("Detection: {}", r.header.rule_title);
    }
}

Re-exports

pub use egress::EgressDenial;
pub use egress::EgressFilteredResolver;
pub use egress::EgressPolicy;
pub use egress::default_egress_policy;
pub use egress::set_default_egress_policy;
pub use engine::EngineStats;
pub use engine::RuntimeEngine;
pub use enrichment::CacheKey;
pub use enrichment::CacheOutcome;
pub use enrichment::CommandEnricher;
pub use enrichment::EnrichError;
pub use enrichment::EnrichErrorKind;
pub use enrichment::Enricher;
pub use enrichment::EnricherFactory;
pub use enrichment::EnricherKind;
pub use enrichment::EnrichmentPipeline;
pub use enrichment::HttpEnricher;
pub use enrichment::HttpEnricherClient;
pub use enrichment::HttpResponseCache;
pub use enrichment::LookupEnricher;
pub use enrichment::OnError;
pub use enrichment::OutputFormat;
pub use enrichment::Scope;
pub use enrichment::TemplateEnricher;
pub use enrichment::TemplateError;
pub use enrichment::build_default_http_client;
pub use enrichment::lookup_builtin;
pub use enrichment::register_builtin;
pub use enrichment::validate_template_namespace;
pub use error::RuntimeError;
pub use input::EventInputDecoded;
pub use input::InputFormat;
pub use input::parse_line;
pub use io::AckToken;
pub use io::EventSource;
pub use io::FileSink;
pub use io::RawEvent;
pub use io::Sink;
pub use io::StdinSource;
pub use io::StdoutSink;
pub use io::spawn_source;
pub use metrics::MetricsHook;
pub use metrics::NoopMetrics;
pub use pipeline_deprecation::warn_pipeline_inline_sources;
pub use processor::EventFilter;
pub use processor::LogProcessor;
pub use sources::refresh::RefreshResult;
pub use sources::refresh::RefreshScheduler;
pub use sources::refresh::RefreshTrigger;
pub use sources::DefaultSourceResolver;
pub use sources::ResolvedValue;
pub use sources::SourceCache;
pub use sources::SourceError;
pub use sources::SourceErrorKind;
pub use sources::SourceResolver;
pub use sources::TemplateExpander;

Modules

  • egress: Egress policy enforcement for outbound HTTP traffic.
  • engine
  • enrichment: Post-evaluation enrichment for the rsigma daemon.
  • error
  • input: Input format adapters for the rsigma runtime.
  • io
  • metrics
  • parse: Log format parsers for the rsigma runtime.
  • pipeline_deprecation: Deprecation warnings for pipeline-embedded configuration that is being removed in a future release.
  • processor
  • sources: Dynamic source resolution for Sigma pipelines.

Structs

  • FieldCoverage: Borrowed view over a FieldObservation joined against a RuleFieldSet. Produced by FieldObservation::coverage.
  • FieldObservation: Immutable snapshot of an observer’s state at one moment in time.
  • FieldObservationEntry: Single field-name counter as exposed via the snapshot API.
  • FieldObserver: Capped, opt-in field-name counter shared across producers (the daemon’s event task, the eval streaming loop) and consumers (the daemon’s HTTP handlers, the eval report writer).

Traits

  • ProcessResultExt: Convenience iterators over a slice of EvaluationResult.

Type Aliases

  • ProcessResult: All EvaluationResults produced for a single input event.