Streaming runtime for rsigma — input format adapters, batch log processing, hot-reload, and pluggable metrics.
- Input adapters: JSON/NDJSON, syslog (RFC 3164/5424), logfmt, CEF, plain text, and auto-detect. Each adapter parses raw log lines into typed events implementing the `rsigma_eval::Event` trait.
- `LogProcessor`: batch evaluation pipeline with atomic engine swap via `ArcSwap`, `MetricsHook` for pluggable metrics, and `EventFilter` for JSON payload extraction.
- `RuntimeEngine`: wraps `Engine` and `CorrelationEngine` with rule loading, reload, and correlation state management.
- I/O: `EventSource` trait (stdin, HTTP, NATS) and `Sink` enum (stdout, file, NATS) with fan-out support.
- OTLP: `LogRecord`-to-JSON conversion for OpenTelemetry log ingestion (feature-gated under `otlp`). Resource and log attributes are flattened for direct Sigma rule matching.
```rust
use std::sync::Arc;

use rsigma_eval::CorrelationConfig;
use rsigma_runtime::{InputFormat, LogProcessor, NoopMetrics, RuntimeEngine};

fn main() {
    // Build the engine and load every rule under rules/.
    let mut engine = RuntimeEngine::new(
        "rules/".into(),
        vec![],
        CorrelationConfig::default(),
        false,
    );
    engine.load_rules().unwrap();

    // NoopMetrics discards all counters; provide your own MetricsHook to export them.
    let processor = LogProcessor::new(engine, Arc::new(NoopMetrics));

    // One raw NDJSON line per batch entry; the JSON adapter turns each into an Event.
    let batch = vec![r#"{"CommandLine": "cmd /c whoami"}"#.to_string()];
    let results = processor.process_batch_with_format(
        &batch,
        &InputFormat::Json,
        None,
    );
    // `results` holds the evaluation output for the whole batch.
    let _ = results;
}
```

See the examples directory for complete working programs.
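To show what an input adapter such as the logfmt one has to do before a rule can match, here is an added, self-contained example (not the crate's own adapter) that parses a logfmt line into a field map and applies a case-insensitive `contains` test over one field; `parse_logfmt` and `field_contains` are names chosen for this example.

```rust
use std::collections::BTreeMap;

/// Parse one logfmt line into a field map a Sigma rule can match on. Values may be
/// double-quoted with backslash escapes; a bare key with no `=` becomes "true".
pub fn parse_logfmt(line: &str) -> BTreeMap<String, String> {
    let mut fields = BTreeMap::new();
    let mut it = line.chars().peekable();
    while let Some(&c) = it.peek() {
        if c.is_whitespace() { it.next(); continue; }
        // key runs until '=' or whitespace
        let mut key = String::new();
        while let Some(&c) = it.peek() {
            if c == '=' || c.is_whitespace() { break; }
            key.push(c);
            it.next();
        }
        if it.peek() != Some(&'=') {
            fields.insert(key, "true".to_string()); // bare flag, no value
            continue;
        }
        it.next(); // consume '='
        let mut value = String::new();
        if it.peek() == Some(&'"') {
            it.next();
            let mut escaped = false;
            for c in it.by_ref() {
                match (escaped, c) {
                    (true, other) => { value.push(other); escaped = false; }
                    (false, '\\') => escaped = true,
                    (false, '"') => break,
                    (false, other) => value.push(other),
                }
            }
        } else {
            while let Some(&c) = it.peek() {
                if c.is_whitespace() { break; }
                value.push(c);
                it.next();
            }
        }
        fields.insert(key, value);
    }
    fields
}

/// Case-insensitive substring test (Sigma `|contains` semantics) on one parsed field.
pub fn field_contains(fields: &BTreeMap<String, String>, field: &str, needle: &str) -> bool {
    fields.get(field).map_or(false, |v| v.to_lowercase().contains(&needle.to_lowercase()))
}
```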
| Flag | Description |
|---|---|
| `logfmt` | Enable logfmt input adapter |
| `cef` | Enable CEF (ArcSight) input adapter |
| `evtx` | Enable EVTX (Windows Event Log) input adapter |
| `nats` | Enable NATS JetStream source and sink |
| `otlp` | Enable OTLP log ingestion types and LogRecord-to-JSON conversion |
MIT