

1//! # rsigma-runtime
2//!
3//! Streaming runtime for rsigma — event sources, sinks, and log processing pipeline.
4//!
5//! This crate extracts the streaming pipeline from the `rsigma` CLI daemon into
6//! a reusable library. It provides:
7//!
//! - **I/O adapters**: [`io::EventSource`] trait for inputs (stdin, NATS) and
//!   [`io::Sink`] enum for outputs (stdout, file, NATS). Further adapters are
//!   re-exported alongside them: [`io::webhook::WebhookSink`] unconditionally,
//!   [`io::otlp::OtlpSink`] / [`io::otlp::LogsService`] behind the `otlp`
//!   feature, and [`input::evtx::EvtxFileReader`] behind the `evtx` feature.
//! - **Engine wrapper**: [`RuntimeEngine`] wraps `rsigma-eval`'s `Engine` and
//!   `CorrelationEngine` with rule loading and state management.
//! - **Log processor**: [`LogProcessor`] combines engine + metrics + event
//!   filtering into a batch processing pipeline with atomic hot-reload via
//!   `ArcSwap`.
//! - **Enrichment**: [`EnrichmentPipeline`] and the [`Enricher`] implementations
//!   ([`LookupEnricher`], [`TemplateEnricher`], [`HttpEnricher`],
//!   [`CommandEnricher`]), built from an enrichers file via
//!   [`load_enrichers_file`] / [`build_enrichers`].
//! - **Egress controls**: [`EgressPolicy`], installed process-wide through
//!   [`set_default_egress_policy`] / [`default_egress_policy`], plus
//!   [`EgressFilteredResolver`] and [`EgressDenial`] — presumably the
//!   allow/deny layer for outbound connections made by the network-facing
//!   enrichers and sinks; see [`egress`] for what is actually enforced and
//!   where.
//! - **Metrics abstraction**: [`MetricsHook`] trait lets consumers plug in
//!   Prometheus, OpenTelemetry, or any other metrics backend without the
//!   runtime depending on a specific implementation.
//!
//! # Trust boundaries
//!
//! Rule directories, enricher files and webhook files are configuration, not
//! data: an enrichers file can declare [`HttpEnricher`] targets and (judging by
//! the name) [`CommandEnricher`] commands, and a webhooks file declares the
//! outbound [`WebhookSink`] destinations. Load them only from locations the
//! operator controls, and install an [`EgressPolicy`] before wiring up any
//! enricher or sink that reaches the network. Event lines fed to
//! [`LogProcessor`] are the untrusted input; nothing in them should be allowed
//! to influence which enrichers, commands or sinks are configured.
18//!
19//! # Example
20//!
21//! ```rust,no_run
22//! use std::sync::Arc;
23//! use rsigma_runtime::{LogProcessor, RuntimeEngine, NoopMetrics};
24//! use rsigma_eval::CorrelationConfig;
25//!
26//! let mut engine = RuntimeEngine::new(
27//!     "rules/".into(),
28//!     vec![],
29//!     CorrelationConfig::default(),
30//!     false,
31//! );
32//! engine.load_rules().unwrap();
33//!
34//! let processor = LogProcessor::new(engine, Arc::new(NoopMetrics));
35//!
36//! let batch = vec![r#"{"EventID": 1}"#.to_string()];
37//! let results = processor.process_batch_lines(&batch, &|v| vec![v.clone()]);
38//! for result in &results {
39//!     for r in result.iter().filter(|r| r.is_detection()) {
40//!         println!("Detection: {}", r.header.rule_title);
41//!     }
42//! }
43//! ```
44
45pub mod egress;
46pub mod engine;
47pub mod enrichment;
48pub mod error;
49pub mod input;
50pub mod io;
51pub mod metrics;
52pub mod parse;
53pub mod pipeline_deprecation;
54pub mod processor;
55pub mod sources;
56pub mod tap;
57
58pub use egress::{
59    EgressDenial, EgressFilteredResolver, EgressPolicy, default_egress_policy,
60    set_default_egress_policy,
61};
62pub use engine::{EngineStats, RuntimeEngine};
63pub use enrichment::config::{
64    EnricherConfig, EnrichersConfigError, EnrichersFile, build_enrichers, build_enrichers_full,
65    load_enrichers_file,
66};
67pub use enrichment::{
68    CacheKey, CacheOutcome, CommandEnricher, EnrichError, EnrichErrorKind, Enricher,
69    EnricherFactory, EnricherKind, EnrichmentPipeline, HttpEnricher, HttpEnricherClient,
70    HttpResponseCache, LookupEnricher, OnError, OutputFormat, Scope, TemplateEnricher,
71    TemplateError, build_default_http_client, lookup_builtin, register_builtin,
72    validate_template_namespace,
73};
74pub use error::RuntimeError;
75pub use input::{EventInputDecoded, InputFormat, parse_line};
76pub use io::webhook::{
77    BuiltWebhook, WebhookConfig, WebhookConfigError, WebhookKind, WebhookSink, WebhooksFile,
78    build_webhooks, load_webhooks_file,
79};
80pub use io::{
81    AckToken, DeliveryConfig, DeliveryFailure, DeliverySink, Dispatcher, EventSource, FileSink,
82    OnFull, RawEvent, Sink, StdinSource, StdoutSink, spawn_source,
83};
84pub use metrics::{MetricsHook, NoopMetrics};
85pub use pipeline_deprecation::warn_pipeline_inline_sources;
86pub use processor::{EventFilter, LogProcessor};
87pub use tap::{TapPayload, TapRegistry, TapSessionHandle, TapStage};
88
89pub use rsigma_eval::{
90    FieldCoverage, FieldObservation, FieldObservationEntry, FieldObserver, ProcessResult,
91    ProcessResultExt,
92};
93pub use sources::refresh::{RefreshResult, RefreshScheduler, RefreshTrigger};
94pub use sources::{
95    DefaultSourceResolver, ResolvedValue, SourceCache, SourceError, SourceErrorKind,
96    SourceResolver, TemplateExpander,
97};
98
99#[cfg(feature = "nats")]
100pub use io::{NatsConnectConfig, NatsSink, NatsSource, ReplayPolicy};
101
102#[cfg(feature = "evtx")]
103pub use input::evtx::{EvtxError, EvtxFileReader};
104
105#[cfg(feature = "otlp")]
106pub use io::otlp::{
107    ExportLogsServiceRequest, ExportLogsServiceResponse, LogsService, LogsServiceServer,
108    OtlpClientTls, OtlpProtocol, OtlpSink, evaluation_results_to_logs_request,
109    logs_request_to_raw_events,
110};