Crate rsigma_runtime

Expand description

§rsigma-runtime

Streaming runtime for rsigma — event sources, sinks, and log processing pipeline.

This crate extracts the streaming pipeline from the rsigma CLI daemon into a reusable library. It provides:

I/O adapters: io::EventSource trait for inputs (stdin, NATS) and io::Sink enum for outputs (stdout, file, NATS).
Engine wrapper: RuntimeEngine wraps rsigma-eval’s Engine and CorrelationEngine with rule loading and state management.
Log processor: LogProcessor combines engine + metrics + event filtering into a batch processing pipeline with atomic hot-reload via ArcSwap.
Metrics abstraction: MetricsHook trait lets consumers plug in Prometheus, OpenTelemetry, or any other metrics backend without the runtime depending on a specific implementation.

§Example

use std::sync::Arc;
use rsigma_runtime::{LogProcessor, RuntimeEngine, NoopMetrics};
use rsigma_eval::CorrelationConfig;

let mut engine = RuntimeEngine::new(
    "rules/".into(),
    vec![],
    CorrelationConfig::default(),
    false,
);
engine.load_rules().unwrap();

let processor = LogProcessor::new(engine, Arc::new(NoopMetrics));

let batch = vec![r#"{"EventID": 1}"#.to_string()];
let results = processor.process_batch_lines(&batch, &|v| vec![v.clone()]);
for result in &results {
    for det in &result.detections {
        println!("Detection: {}", det.rule_title);
    }
}

Re-exports§

pub use engine::EngineStats;
pub use engine::RuntimeEngine;
pub use error::RuntimeError;
pub use input::EventInputDecoded;
pub use input::InputFormat;
pub use input::parse_line;
pub use io::EventSource;
pub use io::FileSink;
pub use io::Sink;
pub use io::StdinSource;
pub use io::StdoutSink;
pub use io::spawn_source;
pub use metrics::MetricsHook;
pub use metrics::NoopMetrics;
pub use processor::EventFilter;
pub use processor::LogProcessor;

Modules§

engine
error
input: Input format adapters for the rsigma runtime.
io
metrics
parse: Log format parsers for the rsigma runtime.
processor

Structs§

ProcessResult: Combined result from processing a single event.

Crate rsigma_runtime

Crate rsigma_runtime Copy item path

§rsigma-runtime

§Example

Re-exports§

Modules§

Structs§

Crate rsigma_runtime