Skip to main content

rsigma_runtime/
lib.rs

1//! # rsigma-runtime
2//!
3//! Streaming runtime for rsigma — event sources, sinks, and log processing pipeline.
4//!
5//! This crate extracts the streaming pipeline from the `rsigma` CLI daemon into
6//! a reusable library. It provides:
7//!
8//! - **I/O adapters**: [`io::EventSource`] trait for inputs (stdin, NATS) and
9//!   [`io::Sink`] enum for outputs (stdout, file, NATS).
10//! - **Engine wrapper**: [`RuntimeEngine`] wraps `rsigma-eval`'s `Engine` and
11//!   `CorrelationEngine` with rule loading and state management.
12//! - **Log processor**: [`LogProcessor`] combines engine + metrics + event
13//!   filtering into a batch processing pipeline with atomic hot-reload via
14//!   `ArcSwap`.
15//! - **Metrics abstraction**: [`MetricsHook`] trait lets consumers plug in
16//!   Prometheus, OpenTelemetry, or any other metrics backend without the
17//!   runtime depending on a specific implementation.
18//!
19//! # Example
20//!
21//! ```rust,no_run
22//! use std::sync::Arc;
23//! use rsigma_runtime::{LogProcessor, RuntimeEngine, NoopMetrics};
24//! use rsigma_eval::CorrelationConfig;
25//!
26//! let mut engine = RuntimeEngine::new(
27//!     "rules/".into(),
28//!     vec![],
29//!     CorrelationConfig::default(),
30//!     false,
31//! );
32//! engine.load_rules().unwrap();
33//!
34//! let processor = LogProcessor::new(engine, Arc::new(NoopMetrics));
35//!
36//! let batch = vec![r#"{"EventID": 1}"#.to_string()];
37//! let results = processor.process_batch_lines(&batch, &|v| vec![v.clone()]);
38//! for result in &results {
39//!     for r in result.iter().filter(|r| r.is_detection()) {
40//!         println!("Detection: {}", r.header.rule_title);
41//!     }
42//! }
43//! ```
44
45pub mod alert_pipeline;
46pub mod dispositions;
47pub mod egress;
48pub mod engine;
49pub mod enrichment;
50pub mod error;
51pub mod input;
52pub mod io;
53pub mod metrics;
54pub mod parse;
55pub mod pipeline_deprecation;
56pub mod processor;
57pub mod risk;
58pub mod scope;
59pub mod selector;
60pub mod sources;
61pub mod tap;
62
63pub use alert_pipeline::{
64    AlertPipeline, AlertPipelineConfigError, AlertPipelineFile, AlertPipelineSnapshot,
65    AlertPipelineState, DEFAULT_MAX_DYNAMIC_SILENCES, DedupStore, GroupMode, IncidentRef,
66    IncidentResult, IncidentStore, IncludeMode, MatchOp, Matcher, MatcherError, MatcherSet,
67    MatcherSpec, SNAPSHOT_VERSION, Silence, SilenceError, SilenceOrigin, SilenceSpec, SilenceState,
68    SilenceStore, SilenceView, TickOutput, build_alert_pipeline, load_alert_pipeline_file,
69    parse_alert_pipeline_config,
70};
71pub use dispositions::{
72    Disposition, DispositionConfig, DispositionError, DispositionScope, DispositionSnapshot,
73    DispositionStore, IngestOutcome, Numerator, RawDisposition, RuleSummary, Verdict,
74    parse_dispositions, triage_feed,
75};
76pub use egress::{
77    EgressDenial, EgressFilteredResolver, EgressPolicy, default_egress_policy,
78    set_default_egress_policy,
79};
80pub use engine::{EngineStats, RoutingSpec, RuntimeEngine};
81pub use enrichment::config::{
82    EnricherConfig, EnrichersConfigError, EnrichersFile, build_enrichers, build_enrichers_full,
83    load_enrichers_file,
84};
85pub use enrichment::{
86    CacheKey, CacheOutcome, CommandEnricher, EnrichError, EnrichErrorKind, Enricher,
87    EnricherFactory, EnricherKind, EnrichmentPipeline, HttpEnricher, HttpEnricherClient,
88    HttpResponseCache, LookupEnricher, OnError, OutputFormat, Scope, TemplateEnricher,
89    TemplateError, build_default_http_client, lookup_builtin, register_builtin,
90    validate_template_namespace,
91};
92pub use error::RuntimeError;
93pub use input::{EventInputDecoded, InputFormat, parse_line};
94pub use io::webhook::{
95    BuiltWebhook, WebhookConfig, WebhookConfigError, WebhookKind, WebhookSink, WebhooksFile,
96    build_webhooks, load_webhooks_file,
97};
98pub use io::{
99    AckToken, DeliveryConfig, DeliveryContext, DeliveryFailure, DeliverySink, Dispatcher,
100    EventSource, FileSink, IncidentEnvelope, OnFull, RawEvent, Sink, StdinSource, StdoutSink,
101    spawn_source,
102};
103#[cfg(all(unix, feature = "uds"))]
104pub use io::{
105    UnixSocketGuard, UnixSocketSink, UnixSocketSource, bind_unix_listener, parse_unix_scheme,
106};
107pub use metrics::{MetricsHook, NoopMetrics};
108pub use pipeline_deprecation::warn_pipeline_inline_sources;
109pub use processor::{EventFilter, LogProcessor};
110pub use risk::{
111    IncidentConfig as RiskIncidentConfig, RiskCaps, RiskConfigError, RiskEntityView, RiskFile,
112    RiskIncidentResult, RiskLayer, RiskObject, RiskOutput, RiskRef, RiskState, RiskStateSnapshot,
113    SNAPSHOT_VERSION as RISK_SNAPSHOT_VERSION, build_risk_layer, load_risk_file, parse_risk_config,
114};
115pub use selector::{Selector, SelectorParseError};
116pub use tap::{TapPayload, TapRegistry, TapSessionHandle, TapStage};
117
118pub use rsigma_eval::{
119    FieldCoverage, FieldObservation, FieldObservationEntry, FieldObserver, ProcessResult,
120    ProcessResultExt, SchemaClassifier, SchemaCountEntry, SchemaError, SchemaObservation,
121    SchemaObserver, load_schema_signatures,
122};
123pub use sources::refresh::{RefreshResult, RefreshScheduler, RefreshTrigger, SourceSubscription};
124pub use sources::{
125    DefaultSourceResolver, ResolvedValue, SourceCache, SourceError, SourceErrorKind,
126    SourceResolver, TemplateExpander,
127};
128
129#[cfg(feature = "nats")]
130pub use io::{NatsConnectConfig, NatsSink, NatsSource, ReplayPolicy};
131
132#[cfg(feature = "evtx")]
133pub use input::evtx::{EvtxError, EvtxFileReader};
134
135#[cfg(feature = "otlp")]
136pub use io::otlp::{
137    ExportLogsServiceRequest, ExportLogsServiceResponse, LogsService, LogsServiceServer,
138    OtlpClientTls, OtlpProtocol, OtlpSink, evaluation_results_to_logs_request,
139    logs_request_to_raw_events,
140};