### Install RunReveal CLI using Homebrew Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/detections/detection-as-code/getting-started.mdx Installs the RunReveal CLI using the Homebrew package manager. This is the recommended method for macOS and Linux users to get started. ```bash brew tap runreveal/runreveal brew install runreveal ``` -------------------------------- ### Install and Initialize RunReveal CLI Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/detections/detection-as-code.mdx Commands to install the RunReveal CLI using Homebrew and initialize it by logging into your RunReveal account. This setup is the first step for managing detections as code. ```bash brew tap runreveal/runreveal brew install runreveal runreveal init ``` -------------------------------- ### Markdown Example with Nextra Steps Component Source: https://github.com/runreveal/runreveal-docs/blob/main/STYLE_GUIDE.md A good example of structuring documentation using Markdown and the Nextra Steps component. It demonstrates how to create a clear, step-by-step guide for a process like creating an investigation, including descriptive text and formatting. ```markdown ## Creating an Investigation Investigations help you track security incidents from detection to resolution. Each investigation maintains a timeline of related artifacts, making it easy to document your analysis and share findings with your team. ### 1) Navigate to Investigations Go to **Investigations** in the sidebar and click **Open Investigation**. ### 2) Fill in Details Provide a descriptive title and optional description. Set the severity level to prioritize your work. ``` -------------------------------- ### Verify Local MCP CLI Connection (Bash) Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/ai-chat/model-context-protocol.mdx Tests the connection and authentication of your local RunReveal MCP setup by listing workspaces. This command helps ensure your API token and base URL are correctly configured. ```bash runreveal workspaces list ``` -------------------------------- ### Troubleshooting Common Issues Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/sources/source-types/abnormal.mdx Guidance on resolving common errors encountered during Abnormal Security integration. ```APIDOC ## Troubleshooting Common Issues ### Description Resolves common problems encountered with the Abnormal Security integration. ### Issues #### 1. "Invalid API Key or Endpoint" - **Cause:** Incorrect API key, expired key, or wrong endpoint URL. - **Solution:** Verify API key, ensure it's active, confirm endpoint `https://api.abnormalsecurity.com/v1/events`, and check `Authorization` header format (`Bearer YOUR_API_KEY`). #### 2. "Insufficient Permissions" - **Cause:** API key lacks necessary permissions or account privileges are insufficient. - **Solution:** Ensure API key has `events:read`, `threats:read`, `users:read` permissions. Verify Abnormal Security account has admin access and the API key is active. #### 3. "No Events Found" - **Cause:** No recent threats detected, source not running long enough, or direct API issue. - **Solution:** Confirm active threat detection in Abnormal Security, allow 10-15 minutes for data, and test the API endpoint directly. #### 4. Rate Limiting - **Cause:** Exceeding Abnormal Security API rate limits. - **Solution:** RunReveal's polling interval is typically within limits. Contact Abnormal Security support if rate limiting persists. ``` -------------------------------- ### Initialize RunReveal CLI and Authenticate Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/detections/detection-as-code/getting-started.mdx Initializes the RunReveal CLI and prompts for authentication by opening a web browser. This step is crucial for associating the CLI with your RunReveal account. ```bash runreveal init ``` -------------------------------- ### Basic RRQ JSON Configuration Example Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/bring-your-own-cloud/rrq.mdx A foundational example of an RRQ configuration file in JSON format. It specifies essential parameters like database connection strings (ClickHouse and PostgreSQL), parallelism, and source definitions. This configuration is crucial for setting up RRQ's data ingestion and processing pipeline. ```json { "chdsn": "clickhouse://user:password@localhost:9000/dbname", "pprof": "localhost:6060", "backfillProcessor": false, "parallelism": 4, "watchdogTimeout": 300, "common": { "baseurl": "https://your-domain.com", "pgdsn": "postgres://user:password@localhost/dbname?sslmode=disable" }, "sources": [ { "type": "cloudtrail", "sqsQueue": "your_cloudtrail_queue" } ] } ``` -------------------------------- ### Install RunReveal CLI using Homebrew Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/how-to-guides/detections-signals-alerts-quick-start.mdx Installs the RunReveal Command Line Interface (CLI) using the Homebrew package manager. Ensure Homebrew is installed on your system before running this command. ```bash brew install runreveal/tap/runreveal ``` -------------------------------- ### Install RunReveal CLI Binary on Linux Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/how-to-guides/onboarding.mdx Install the RunReveal Command Line Interface (CLI) on Linux by downloading the binary, making it executable, and moving it to the system's PATH. This is an alternative installation method for detection-as-code workflows. ```bash curl -L https://github.com/runreveal/runreveal/releases/latest/download/runreveal-linux-amd64 -o runreveal chmod +x runreveal sudo mv runreveal /usr/local/bin/ ``` -------------------------------- ### Configure Local MCP Environment Variables (Bash) Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/ai-chat/model-context-protocol.mdx Sets up the necessary environment variables for the local RunReveal MCP server. This includes the API token, workspace ID, and base URL. Ensure you replace placeholder values with your actual credentials. ```bash export RUNREVEAL_TOKEN="your-api-token-here" export RUNREVEAL_WORKSPACE="your-workspace-id-here" export RUNREVEAL_BASEURL="https://api.runreveal.com" ``` ```bash export RUNREVEAL_BASEURL="https://api.YOUR_BASE_DOMAIN.runreveal.com" ``` -------------------------------- ### Test Configuration Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/sources/source-types/abnormal.mdx Steps to test the Abnormal Security source configuration. ```APIDOC ## Test the Configuration ### Description Test the connection and settings for the Abnormal Security source. ### Steps 1. Click **"Verify Settings"** in the RunReveal UI. 2. A successful test will display a green checkmark. 3. If errors occur, verify the API key, account status, and network connectivity. ``` -------------------------------- ### Create New Detection using RunReveal CLI Wizard Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/detections/detection-as-code/getting-started.mdx Demonstrates the interactive wizard provided by the RunReveal CLI to create new detection files. The wizard prompts for necessary information like detection name, description, severity, and query type, then generates corresponding YAML and SQL files. ```bash :) runreveal detections create Detection name: my-detection Description: example for the docs. Categories (comma separated): aws, signal Severity: Low Risk Score (number): 10 ATT&CK classification: collection Enabled: true Query Type: sql Detection Created: my-detection.yaml my-detection.sql :) ``` -------------------------------- ### Abnormal Security Source Configuration Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/sources/source-types/abnormal.mdx Configuration details for setting up the Abnormal Security REST API source in RunReveal. ```APIDOC ## Configure Source Settings ### Description Configure the settings for the Abnormal Security REST API source. ### Method N/A (Configuration Interface) ### Endpoint N/A (Configuration Interface) ### Parameters #### Settings - **Unique ID** (string) - Required - A unique identifier for this source (e.g., `abnormal-security-001`). - **API Endpoint** (string) - Required - The endpoint URL for the Abnormal Security API: `https://api.abnormalsecurity.com/v1/events`. - **HTTP Method** (string) - Required - The HTTP method to use: `GET`. - **Headers** (object) - Required - Key-value pairs for request headers. - `Authorization` (string) - Required - Bearer token for authentication: `Bearer YOUR_API_KEY`. - `Content-Type` (string) - Required - `application/json`. - `Accept` (string) - Required - `application/json`. ``` -------------------------------- ### Complete Production Configuration Example (JSON) Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/sources/forwarders/reveald.mdx This comprehensive JSON configuration illustrates a production setup for Reveald, combining both file and Syslog sources with a RunReveal destination. It includes settings for batching and flush intervals, and uses an environment variable for the webhook URL. ```json { "sources": { "app-logs": { "type": "file", "path": "/var/log/application/", "extension": ".log", "codec": "json", "startAt": "end" }, "nginx-syslog": { "type": "syslog", "addr": "0.0.0.0:5514", "contentType": "application/json" } }, "destinations": { "runreveal-prod": { "type": "runreveal", "webhookURL": "${RUNREVEAL_WEBHOOK_URL}", "batchSize": 100, "flushInterval": "10s" } } } ``` -------------------------------- ### Fluentd Configuration for RunReveal Webhook Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/sources/source-types/teleport.mdx Example `fluent.conf` to configure Fluentd to send events to a RunReveal webhook. This setup includes buffer configuration to handle high event volumes and prevent data loss. Ensure to replace `YOUR_WEBHOOK_URL` with your actual RunReveal webhook URL. ```xml @type http port 8888 bind 0.0.0.0 @type json json_parser oj # This time format is used by the plugin. This field is required. time_type string time_format %Y-%m-%dT%H:%M:%S # If the number of events is high, fluentd will start failing the ingestion # with the following error message: buffer space has too many data errors. # The following configuration prevents data loss in case of a restart and # overcomes the limitations of the default fluentd buffer configuration. # This configuration is optional. # See https://docs.fluentd.org/configuration/buffer-section for more details. @type file flush_thread_count 8 flush_interval 1s chunk_limit_size 10M queue_limit_length 16 retry_max_interval 30 retry_forever true # Send all events to RunReveal webhook @type http endpoint https://api.runreveal.com/sources/teleport/webhook/YOUR_WEBHOOK_URL headers {"Content-Type":"application/json"} http_method post open_timeout 5 read_timeout 10 @type json @type memory flush_interval 5s retry_forever true ``` -------------------------------- ### Install Vector from Binary Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/sources/forwarders/vector.mdx Installs Vector by downloading and extracting the binary for Linux or macOS. It places the binary in the system's PATH and verifies the installation. Supports both Intel and Apple Silicon Macs. ```bash # Linux x86_64 curl -L https://github.com/vectordotdev/vector/releases/latest/download/vector-x86_64-unknown-linux-gnu.tar.gz | tar -xz sudo mv vector-*/bin/vector /usr/local/bin/ # macOS (Intel) curl -L https://github.com/vectordotdev/vector/releases/latest/download/vector-x86_64-apple-darwin.tar.gz | tar -xz sudo mv vector-*/bin/vector /usr/local/bin/ # macOS (Apple Silicon) curl -L https://github.com/vectordotdev/vector/releases/latest/download/vector-aarch64-apple-darwin.tar.gz | tar -xz sudo mv vector-*/bin/vector /usr/local/bin/ # Verify installation vector --version ``` -------------------------------- ### Install Fluent Bit - Ubuntu/Debian Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/sources/forwarders/fluent-bit.mdx Installs Fluent Bit on Ubuntu/Debian systems by adding the official repository and then installing the package. Includes verification. ```bash # Add repository wget -qO - https://packages.fluentbit.io/fluentbit.key | sudo apt-key add - echo "deb https://packages.fluentbit.io/ubuntu/focal focal main" | sudo tee /etc/apt/sources.list.d/fluent-bit.list # Install Fluent Bit sudo apt update sudo apt install fluent-bit # Verify installation fluent-bit --version ``` -------------------------------- ### Install Optional Dependencies for Parsing Source: https://github.com/runreveal/runreveal-docs/blob/main/scripts/SOURCE-SYNC-README.md Installs optional development dependencies that enhance the parsing capabilities of the sync scripts. These include `@typescript-eslint/parser` for improved TypeScript parsing and `ajv` for JSON schema validation. The script falls back to regex if these are not installed. ```bash npm install --save-dev @typescript-eslint/parser ajv ``` -------------------------------- ### Detection Query with Time Windowing (SQL) Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/detections/detection-as-code/getting-started.mdx An example SQL query for a RunReveal detection that utilizes time windowing. It uses the `receivedAt` timestamp and the `{from:DateTime}` and `{to:DateTime}` parameters for accurate log analysis, avoiding issues with delayed event times. ```sql select * from logs where eventName='example' and receivedAt BETWEEN {from:DateTime} and {to:DateTime} ``` -------------------------------- ### Fluent Bit Tail Input Configuration Example Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/sources/forwarders/fluent-bit.mdx Example configuration for the Fluent Bit `tail` input plugin. It specifies the file path to monitor, the parser to use for log entries, and options for reading from the head or tail of the file, database for tracking positions, and refresh interval. ```ini [INPUT] Name tail Path /var/log/app/*.log Tag app_logs Parser json Read_from_Head false DB /var/log/fluent-bit-app.db Refresh_Interval 5 ``` -------------------------------- ### Data Ingestion and Verification Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/sources/source-types/abnormal.mdx Instructions for monitoring and verifying data ingestion from Abnormal Security. ```APIDOC ## Monitor and Verify Data Ingestion ### Description Verify that Abnormal Security events are being collected by RunReveal. ### Steps 1. After saving the source, wait 5-10 minutes. 2. Navigate to **Logs** in the RunReveal dashboard. 3. Filter by **Source Type**: `rest_api_collector`. 4. Check for the appearance of Abnormal Security events. ### Verified Event Types - Email Threats - User Behavior - Security Incidents - Threat Intelligence - Policy Violations ``` -------------------------------- ### Install Fluent Bit - Binary Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/sources/forwarders/fluent-bit.mdx Downloads and installs the latest Fluent Bit binary for Linux and macOS (Intel) systems, placing it in the system's PATH. Includes verification. ```bash # Download latest binary for Linux wget https://github.com/fluent/fluent-bit/releases/latest/download/fluent-bit-linux-x86_64.tar.gz tar -xzf fluent-bit-linux-x86_64.tar.gz sudo mv fluent-bit/bin/fluent-bit /usr/local/bin/ # macOS (Intel) wget https://github.com/fluent/fluent-bit/releases/latest/download/fluent-bit-macos-x86_64.tar.gz tar -xzf fluent-bit-macos-x86_64.tar.gz sudo mv fluent-bit/bin/fluent-bit /usr/local/bin/ # Verify installation fluent-bit --version ``` -------------------------------- ### Install Vector using Docker Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/sources/forwarders/vector.mdx Sets up and runs Vector as a Docker container, mounting a local directory for configuration and the host's log directory. Verifies the container is running. ```bash # Pull Vector image docker pull timberio/vector:latest-alpine # Create config directory mkdir -p $(pwd)/vector-config # Run Vector container docker run -d \ --name vector \ -v $(pwd)/vector-config:/etc/vector \ -v /var/log:/var/log:ro \ timberio/vector:latest-alpine # Verify container is running docker ps | grep vector ``` -------------------------------- ### Tag Internal Network Traffic Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/logs/log-processing/getting-started.mdx This example illustrates creating an enrichment named 'network-classification' to tag internal network traffic. It uses the 'src.ip' field to identify internal IPs and adds relevant metadata for downstream processing. The example focuses on the setup steps for creating such an enrichment. -------------------------------- ### Querying Custom Views - SQL Examples Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/logs/custom-views.mdx Demonstrates basic and security-focused SQL queries for the custom view 'workspace_app_security_analysis'. Includes selecting all records, specific columns, filtering by risk, and identifying failed attempts. ```sql -- Get all records from the custom view SELECT * FROM workspace_app_security_analysis LIMIT 10; -- Get specific columns SELECT receivedAt, user_email, user_role, request_ip, response_status FROM workspace_app_security_analysis ORDER BY receivedAt DESC; ``` ```sql -- Find high-risk events SELECT receivedAt, user_email, user_role, request_ip, risk_score, country FROM workspace_app_security_analysis WHERE is_high_risk = true ORDER BY receivedAt DESC LIMIT 100; -- Find failed authentication attempts SELECT receivedAt, user_email, request_ip, response_status, country FROM workspace_app_security_analysis WHERE response_status = 401 ORDER BY receivedAt DESC; -- Find admin users from unusual locations SELECT receivedAt, user_email, request_ip, country, risk_score FROM workspace_app_security_analysis WHERE user_role = 'admin' AND country NOT IN ('US', 'CA', 'GB') ORDER BY risk_score DESC; ``` -------------------------------- ### Start and Test Fluent Bit Configuration Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/sources/forwarders/fluent-bit.mdx Bash commands to test and run Fluent Bit. The `--dry-run` flag checks the configuration syntax, while running without it starts Fluent Bit in the foreground for monitoring. Output examples show successful startup messages. ```bash # Make sure you're in the fluent-bit directory cd fluent-bit # Test the configuration fluent-bit -c fluent-bit.conf --dry-run # Run Fluent Bit in foreground fluent-bit -c fluent-bit.conf # You should see output like: # [info] [output:http:http.0] worker #0 started # [info] [engine] started (pid=12345) ``` -------------------------------- ### Example MDX Documentation Page Structure Source: https://github.com/runreveal/runreveal-docs/blob/main/scripts/SOURCE-SYNC-README.md Demonstrates the typical structure of an MDX documentation page generated for a source. These pages are initially templates and should be customized with service-specific details, screenshots, and notes. ```markdown --- sidebar_label: Okta --- # Okta Okta provides identity and access management services. ![Okta Logo](/logos/okta.png) ## Setup ### Ingest Methods * **Polling**: Set up API credentials in Okta. * **Webhook**: Configure a webhook in Okta to send events to RunReveal. ## Configuration ### Polling Follow these steps to configure polling for Okta: 1. Log in to your Okta admin console. 2. Navigate to API settings. 3. Create a new API token. 4. Enter the token and your Okta domain in RunReveal. ### Webhook To set up webhooks, create an endpoint in RunReveal and configure Okta to send events to that URL. **SNS Topic ARN (for S3 ingest):** `arn:aws:sns:us-east-1:123456789012:runreveal-okta-events` ## Details * **Categories**: `identity`, `saas` * **Plan**: `ent` *You should customize this page with service-specific screenshots and exact field names from the Okta UI.* ``` -------------------------------- ### Get Alert Details from Notification History (Bash) Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/notifications/history-api.mdx This bash example shows how to get alert details by first listing notification history and then querying logs based on the alert ID. It uses 'curl' and 'jq' to parse the results and construct the log query, requiring token, workspace ID, and handling the response extraction. ```shell $ TOKEN="" $ WKSPCID="" $ RESULT=$(curl -H "Authorization: Basic ${TOKEN}" -H "Content-type: application/json" "https://api.runreveal.com/notification-history/list?workspaceid=${WKSPCID}") $ ALERTID=$(echo $RESULT | jq -r '.result.[0].alertID') $ curl -H "Authorization: Basic ${TOKEN}" -H "Content-type: application/json" "https://api.runreveal.com/logs/query/v3?workspaceid=${WKSPCID}" --data-raw "{\"query\": \"SELECT * FROM detections WHERE scheduledRunID == '${ALERTID}'\"}" ``` -------------------------------- ### Example Prompt Text with Argument Placeholders Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/ai-chat/custom-prompts.mdx An example of prompt text demonstrating the use of Handlebars templating to dynamically insert user-provided arguments like 'pattern' and 'logs'. ```text Please analyze the following logs for the pattern "{{pattern}}": {{logs}} Provide a detailed analysis including: - Pattern matches found - Frequency of occurrences - Potential security implications - Recommended actions ``` -------------------------------- ### Query Abnormal Security Logs in RunReveal Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/sources/source-types/abnormal.mdx This SQL query retrieves the first 10 records from the 'abnormal_logs' table in RunReveal, used to verify successful ingestion of Abnormal Security data. ```sql SELECT * FROM abnormal_logs LIMIT 10 ``` -------------------------------- ### Create SQL Detection Configuration File Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/how-to-guides/detections-signals-alerts-quick-start.mdx Defines a SQL detection's metadata, including its name, description, type (sql), the associated query file, categories, scheduling, severity, and risk score. This YAML file specifies how the detection should behave and be categorized. ```yaml name: test-suspicious-login displayName: Test Suspicious Login Detection description: Detects suspicious login attempts from specific IPs type: sql file: test-suspicious-login.sql categories: - authentication - test sourceTypes: - structured-webhook schedule: "*/5 * * * *" severity: medium riskScore: 50 ``` -------------------------------- ### Test Local MCP Token Authentication (Bash) Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/ai-chat/model-context-protocol.mdx Verifies that your API token is correctly authenticated with the RunReveal MCP server by running a simple query. This is useful for troubleshooting authentication problems. ```bash runreveal logs query "SELECT 1 LIMIT 1" ``` -------------------------------- ### AI Query for MITRE ATT&CK Detections Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/detections/writing-detections.mdx This bash example demonstrates a natural language query to RunReveal's AI chat for generating detections focused on specific MITRE ATT&CK tactics based on historical log data from a particular source. ```bash Review logs from my github source for the past day and suggest detections for the most critical MITRE tactics ``` -------------------------------- ### Configure Local MCP Server for Claude/Cursor (JSON) Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/ai-chat/model-context-protocol.mdx This JSON configuration is used within Claude or Cursor to set up the local RunReveal MCP server. It specifies the command, arguments, and environment variables required for the connection. ```json { "mcpServers": { "runreveal": { "command": "runreveal", "args": ["mcp"], "env": { "RUNREVEAL_TOKEN": "your-api-token-here", "RUNREVEAL_WORKSPACE": "your-workspace-id-here", "RUNREVEAL_BASEURL": "https://api.runreveal.com" } } } } ``` -------------------------------- ### RunReveal Workspaces CLI Overview Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/reference/using-the-cli.mdx Provides a general overview of the RunReveal workspaces CLI commands. It outlines the main actions available such as managing users and switching workspaces. ```bash Usage: runreveal workspaces [command] Available Commands: current Show active workspace invite-user list list-users remove-user use Switch to a different workspace Flags: -h, --help help for workspaces Global Flags: --header-file string File containing headers to be used by the http client ``` -------------------------------- ### Docker Compose Example for Reveald (YAML) Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/sources/forwarders/reveald.mdx This YAML file defines a Docker Compose setup for the Reveald log forwarder. It specifies the image to use, container configuration, volume mounts for configuration and logs, environment variables, and logging driver options. ```yaml # docker-compose.yml version: '3.8' services: reveald: image: runreveal/reveald:latest container_name: reveald restart: unless-stopped volumes: - ./config.json:/config.json:ro - /var/log:/logs:ro environment: - RUNREVEAL_WEBHOOK_URL=${RUNREVEAL_WEBHOOK_URL} command: run --config /config.json logging: driver: "json-file" options: max-size: "10m" max-file: "3" ``` -------------------------------- ### Install Fluent Bit - Docker Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/sources/forwarders/fluent-bit.mdx Pulls the latest Fluent Bit Docker image and runs it as a detached container, mounting a local configuration file and log directory. Includes verification. ```bash # Pull Fluent Bit image docker pull fluent/fluent-bit:latest # Run Fluent Bit container docker run -d \ --name fluent-bit \ -v $(pwd)/fluent-bit.conf:/fluent-bit/etc/fluent-bit.conf \ -v $(pwd)/logs:/logs \ fluent/fluent-bit:latest # Verify container is running docker ps | grep fluent-bit ``` -------------------------------- ### RRSCH Configuration with Environment Variables Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/bring-your-own-cloud/rrsch.mdx Example of an RRSCH JSON configuration where sensitive or environment-specific settings, like the PostgreSQL Data Source Name (DSN), are referenced using environment variables. This enhances security and flexibility by allowing configuration to be managed outside the JSON file. ```json { "common": { "pgdsn": "$POSTGRES_DSN" } } ``` -------------------------------- ### Sync Sources and Generate Documentation Pages Source: https://github.com/runreveal/runreveal-docs/blob/main/scripts/SOURCE-SYNC-README.md This command syncs source metadata, updates `data/sources.json` for source cards, and generates MDX documentation pages for sources that lack them. It also updates `_meta.ts` files. Use this command to create both source cards and documentation pages. ```bash # Generate pages for all missing sources npm run build-source-pages # Preview what would be generated (dry run) npm run sync-sources -- --generate-pages --dry-run --verbose # List sources missing documentation npm run sync-sources -- --list-missing ``` -------------------------------- ### Create Test JSON Logs Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/sources/forwarders/fluent-bit.mdx Creates a directory named 'fluent-bit' and generates a sample 'application.log' file containing multiple JSON-formatted log events. Uses 'jq' to ensure valid JSON output. ```bash # Create fluent-bit directory for testing mkdir -p fluent-bit cd fluent-bit # Create sample JSON logs (each line is a separate JSON event) cat > application.log << 'EOF' {"eventName":"UserLogin","eventTime":"2025-01-15T10:30:00Z","actor":{"email":"admin@example.com","id":"USR001"},"service":{"name":"webapp"},"src":{"ip":"192.168.1.100"}} {"eventName":"FileAccess","eventTime":"2025-01-15T10:31:00Z","actor":{"email":"user@example.com","id":"USR002"},"service":{"name":"webapp"},"src":{"ip":"192.168.1.101"}} {"eventName":"DataExport","eventTime":"2025-01-15T10:32:00Z","actor":{"email":"analyst@example.com","id":"USR003"},"service":{"name":"webapp"},"src":{"ip":"192.168.1.102"}} EOF # Verify logs were created echo "Test logs created:" cat application.log | jq -c '.' ``` -------------------------------- ### Systemd Service Management Commands (Bash) Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/sources/forwarders/reveald.mdx These bash commands are used to set up and manage the Reveald systemd service. They cover user creation, directory setup, configuration file copying, service enablement, starting, and status checking, including log monitoring via journalctl. ```bash # Create user and directories sudo useradd -r -s /bin/false reveald sudo mkdir -p /etc/reveald sudo chown reveald:reveald /etc/reveald # Copy configuration sudo cp config.json /etc/reveald/ sudo chown reveald:reveald /etc/reveald/config.json # Enable and start service sudo systemctl daemon-reload sudo systemctl enable reveald sudo systemctl start reveald # Check status sudo systemctl status reveald sudo journalctl -u reveald -f ```