### Install RunReveal CLI using Homebrew
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/detections/detection-as-code/getting-started.mdx
Installs the RunReveal CLI using the Homebrew package manager. This is the recommended method for macOS and Linux users to get started.
```bash
brew tap runreveal/runreveal
brew install runreveal
```
--------------------------------
### Install and Initialize RunReveal CLI
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/detections/detection-as-code.mdx
Commands to install the RunReveal CLI using Homebrew and initialize it by logging into your RunReveal account. This setup is the first step for managing detections as code.
```bash
brew tap runreveal/runreveal
brew install runreveal
runreveal init
```
--------------------------------
### Markdown Example with Nextra Steps Component
Source: https://github.com/runreveal/runreveal-docs/blob/main/STYLE_GUIDE.md
A good example of structuring documentation using Markdown and the Nextra Steps component. It demonstrates how to create a clear, step-by-step guide for a process like creating an investigation, including descriptive text and formatting.
```markdown
## Creating an Investigation
Investigations help you track security incidents from detection to resolution. Each investigation maintains a timeline of related artifacts, making it easy to document your analysis and share findings with your team.
### 1) Navigate to Investigations
Go to **Investigations** in the sidebar and click **Open Investigation**.
### 2) Fill in Details
Provide a descriptive title and optional description. Set the severity level to prioritize your work.
```
--------------------------------
### Verify Local MCP CLI Connection (Bash)
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/ai-chat/model-context-protocol.mdx
Tests the connection and authentication of your local RunReveal MCP setup by listing workspaces. This command helps ensure your API token and base URL are correctly configured.
```bash
runreveal workspaces list
```
--------------------------------
### Troubleshooting Common Issues
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/sources/source-types/abnormal.mdx
Guidance on resolving common errors encountered during Abnormal Security integration.
```APIDOC
## Troubleshooting Common Issues
### Description
Resolves common problems encountered with the Abnormal Security integration.
### Issues
#### 1. "Invalid API Key or Endpoint"
- **Cause:** Incorrect API key, expired key, or wrong endpoint URL.
- **Solution:** Verify API key, ensure it's active, confirm endpoint `https://api.abnormalsecurity.com/v1/events`, and check `Authorization` header format (`Bearer YOUR_API_KEY`).
#### 2. "Insufficient Permissions"
- **Cause:** API key lacks necessary permissions or account privileges are insufficient.
- **Solution:** Ensure API key has `events:read`, `threats:read`, `users:read` permissions. Verify Abnormal Security account has admin access and the API key is active.
#### 3. "No Events Found"
- **Cause:** No recent threats detected, source not running long enough, or direct API issue.
- **Solution:** Confirm active threat detection in Abnormal Security, allow 10-15 minutes for data, and test the API endpoint directly.
#### 4. Rate Limiting
- **Cause:** Exceeding Abnormal Security API rate limits.
- **Solution:** RunReveal's polling interval is typically within limits. Contact Abnormal Security support if rate limiting persists.
```
--------------------------------
### Initialize RunReveal CLI and Authenticate
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/detections/detection-as-code/getting-started.mdx
Initializes the RunReveal CLI and prompts for authentication by opening a web browser. This step is crucial for associating the CLI with your RunReveal account.
```bash
runreveal init
```
--------------------------------
### Basic RRQ JSON Configuration Example
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/bring-your-own-cloud/rrq.mdx
A foundational example of an RRQ configuration file in JSON format. It specifies essential parameters like database connection strings (ClickHouse and PostgreSQL), parallelism, and source definitions. This configuration is crucial for setting up RRQ's data ingestion and processing pipeline.
```json
{
"chdsn": "clickhouse://user:password@localhost:9000/dbname",
"pprof": "localhost:6060",
"backfillProcessor": false,
"parallelism": 4,
"watchdogTimeout": 300,
"common": {
"baseurl": "https://your-domain.com",
"pgdsn": "postgres://user:password@localhost/dbname?sslmode=disable"
},
"sources": [
{
"type": "cloudtrail",
"sqsQueue": "your_cloudtrail_queue"
}
]
}
```
--------------------------------
### Install RunReveal CLI using Homebrew
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/how-to-guides/detections-signals-alerts-quick-start.mdx
Installs the RunReveal Command Line Interface (CLI) using the Homebrew package manager. Ensure Homebrew is installed on your system before running this command.
```bash
brew install runreveal/tap/runreveal
```
--------------------------------
### Install RunReveal CLI Binary on Linux
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/how-to-guides/onboarding.mdx
Install the RunReveal Command Line Interface (CLI) on Linux by downloading the binary, making it executable, and moving it to the system's PATH. This is an alternative installation method for detection-as-code workflows.
```bash
curl -L https://github.com/runreveal/runreveal/releases/latest/download/runreveal-linux-amd64 -o runreveal
chmod +x runreveal
sudo mv runreveal /usr/local/bin/
```
--------------------------------
### Configure Local MCP Environment Variables (Bash)
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/ai-chat/model-context-protocol.mdx
Sets up the necessary environment variables for the local RunReveal MCP server. This includes the API token, workspace ID, and base URL. Ensure you replace placeholder values with your actual credentials.
```bash
export RUNREVEAL_TOKEN="your-api-token-here"
export RUNREVEAL_WORKSPACE="your-workspace-id-here"
export RUNREVEAL_BASEURL="https://api.runreveal.com"
```
```bash
export RUNREVEAL_BASEURL="https://api.YOUR_BASE_DOMAIN.runreveal.com"
```
--------------------------------
### Test Configuration
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/sources/source-types/abnormal.mdx
Steps to test the Abnormal Security source configuration.
```APIDOC
## Test the Configuration
### Description
Test the connection and settings for the Abnormal Security source.
### Steps
1. Click **"Verify Settings"** in the RunReveal UI.
2. A successful test will display a green checkmark.
3. If errors occur, verify the API key, account status, and network connectivity.
```
--------------------------------
### Create New Detection using RunReveal CLI Wizard
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/detections/detection-as-code/getting-started.mdx
Demonstrates the interactive wizard provided by the RunReveal CLI to create new detection files. The wizard prompts for necessary information like detection name, description, severity, and query type, then generates corresponding YAML and SQL files.
```bash
:) runreveal detections create
Detection name: my-detection
Description: example for the docs.
Categories (comma separated): aws, signal
Severity: Low
Risk Score (number): 10
ATT&CK classification: collection
Enabled: true
Query Type: sql
Detection Created:
my-detection.yaml
my-detection.sql
:)
```
--------------------------------
### Abnormal Security Source Configuration
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/sources/source-types/abnormal.mdx
Configuration details for setting up the Abnormal Security REST API source in RunReveal.
```APIDOC
## Configure Source Settings
### Description
Configure the settings for the Abnormal Security REST API source.
### Method
N/A (Configuration Interface)
### Endpoint
N/A (Configuration Interface)
### Parameters
#### Settings
- **Unique ID** (string) - Required - A unique identifier for this source (e.g., `abnormal-security-001`).
- **API Endpoint** (string) - Required - The endpoint URL for the Abnormal Security API: `https://api.abnormalsecurity.com/v1/events`.
- **HTTP Method** (string) - Required - The HTTP method to use: `GET`.
- **Headers** (object) - Required - Key-value pairs for request headers.
- `Authorization` (string) - Required - Bearer token for authentication: `Bearer YOUR_API_KEY`.
- `Content-Type` (string) - Required - `application/json`.
- `Accept` (string) - Required - `application/json`.
```
--------------------------------
### Complete Production Configuration Example (JSON)
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/sources/forwarders/reveald.mdx
This comprehensive JSON configuration illustrates a production setup for Reveald, combining both file and Syslog sources with a RunReveal destination. It includes settings for batching and flush intervals, and uses an environment variable for the webhook URL.
```json
{
"sources": {
"app-logs": {
"type": "file",
"path": "/var/log/application/",
"extension": ".log",
"codec": "json",
"startAt": "end"
},
"nginx-syslog": {
"type": "syslog",
"addr": "0.0.0.0:5514",
"contentType": "application/json"
}
},
"destinations": {
"runreveal-prod": {
"type": "runreveal",
"webhookURL": "${RUNREVEAL_WEBHOOK_URL}",
"batchSize": 100,
"flushInterval": "10s"
}
}
}
```
--------------------------------
### Fluentd Configuration for RunReveal Webhook
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/sources/source-types/teleport.mdx
Example `fluent.conf` to configure Fluentd to send events to a RunReveal webhook. This setup includes buffer configuration to handle high event volumes and prevent data loss. Ensure to replace `YOUR_WEBHOOK_URL` with your actual RunReveal webhook URL.
```xml
@type http
port 8888
bind 0.0.0.0
@type json
json_parser oj
# This time format is used by the plugin. This field is required.
time_type string
time_format %Y-%m-%dT%H:%M:%S
# If the number of events is high, fluentd will start failing the ingestion
# with the following error message: buffer space has too many data errors.
# The following configuration prevents data loss in case of a restart and
# overcomes the limitations of the default fluentd buffer configuration.
# This configuration is optional.
# See https://docs.fluentd.org/configuration/buffer-section for more details.
@type file
flush_thread_count 8
flush_interval 1s
chunk_limit_size 10M
queue_limit_length 16
retry_max_interval 30
retry_forever true
# Send all events to RunReveal webhook
@type http
endpoint https://api.runreveal.com/sources/teleport/webhook/YOUR_WEBHOOK_URL
headers {"Content-Type":"application/json"}
http_method post
open_timeout 5
read_timeout 10
@type json
@type memory
flush_interval 5s
retry_forever true
```
--------------------------------
### Install Vector from Binary
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/sources/forwarders/vector.mdx
Installs Vector by downloading and extracting the binary for Linux or macOS. It places the binary in the system's PATH and verifies the installation. Supports both Intel and Apple Silicon Macs.
```bash
# Linux x86_64
curl -L https://github.com/vectordotdev/vector/releases/latest/download/vector-x86_64-unknown-linux-gnu.tar.gz | tar -xz
sudo mv vector-*/bin/vector /usr/local/bin/
# macOS (Intel)
curl -L https://github.com/vectordotdev/vector/releases/latest/download/vector-x86_64-apple-darwin.tar.gz | tar -xz
sudo mv vector-*/bin/vector /usr/local/bin/
# macOS (Apple Silicon)
curl -L https://github.com/vectordotdev/vector/releases/latest/download/vector-aarch64-apple-darwin.tar.gz | tar -xz
sudo mv vector-*/bin/vector /usr/local/bin/
# Verify installation
vector --version
```
--------------------------------
### Install Fluent Bit - Ubuntu/Debian
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/sources/forwarders/fluent-bit.mdx
Installs Fluent Bit on Ubuntu/Debian systems by adding the official repository and then installing the package. Includes verification.
```bash
# Add repository
wget -qO - https://packages.fluentbit.io/fluentbit.key | sudo apt-key add -
echo "deb https://packages.fluentbit.io/ubuntu/focal focal main" | sudo tee /etc/apt/sources.list.d/fluent-bit.list
# Install Fluent Bit
sudo apt update
sudo apt install fluent-bit
# Verify installation
fluent-bit --version
```
--------------------------------
### Install Optional Dependencies for Parsing
Source: https://github.com/runreveal/runreveal-docs/blob/main/scripts/SOURCE-SYNC-README.md
Installs optional development dependencies that enhance the parsing capabilities of the sync scripts. These include `@typescript-eslint/parser` for improved TypeScript parsing and `ajv` for JSON schema validation. The script falls back to regex if these are not installed.
```bash
npm install --save-dev @typescript-eslint/parser ajv
```
--------------------------------
### Detection Query with Time Windowing (SQL)
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/detections/detection-as-code/getting-started.mdx
An example SQL query for a RunReveal detection that utilizes time windowing. It uses the `receivedAt` timestamp and the `{from:DateTime}` and `{to:DateTime}` parameters for accurate log analysis, avoiding issues with delayed event times.
```sql
select * from logs
where eventName='example'
and receivedAt BETWEEN {from:DateTime} and {to:DateTime}
```
--------------------------------
### Fluent Bit Tail Input Configuration Example
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/sources/forwarders/fluent-bit.mdx
Example configuration for the Fluent Bit `tail` input plugin. It specifies the file path to monitor, the parser to use for log entries, and options for reading from the head or tail of the file, database for tracking positions, and refresh interval.
```ini
[INPUT]
Name tail
Path /var/log/app/*.log
Tag app_logs
Parser json
Read_from_Head false
DB /var/log/fluent-bit-app.db
Refresh_Interval 5
```
--------------------------------
### Data Ingestion and Verification
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/sources/source-types/abnormal.mdx
Instructions for monitoring and verifying data ingestion from Abnormal Security.
```APIDOC
## Monitor and Verify Data Ingestion
### Description
Verify that Abnormal Security events are being collected by RunReveal.
### Steps
1. After saving the source, wait 5-10 minutes.
2. Navigate to **Logs** in the RunReveal dashboard.
3. Filter by **Source Type**: `rest_api_collector`.
4. Check for the appearance of Abnormal Security events.
### Verified Event Types
- Email Threats
- User Behavior
- Security Incidents
- Threat Intelligence
- Policy Violations
```
--------------------------------
### Install Fluent Bit - Binary
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/sources/forwarders/fluent-bit.mdx
Downloads and installs the latest Fluent Bit binary for Linux and macOS (Intel) systems, placing it in the system's PATH. Includes verification.
```bash
# Download latest binary for Linux
wget https://github.com/fluent/fluent-bit/releases/latest/download/fluent-bit-linux-x86_64.tar.gz
tar -xzf fluent-bit-linux-x86_64.tar.gz
sudo mv fluent-bit/bin/fluent-bit /usr/local/bin/
# macOS (Intel)
wget https://github.com/fluent/fluent-bit/releases/latest/download/fluent-bit-macos-x86_64.tar.gz
tar -xzf fluent-bit-macos-x86_64.tar.gz
sudo mv fluent-bit/bin/fluent-bit /usr/local/bin/
# Verify installation
fluent-bit --version
```
--------------------------------
### Install Vector using Docker
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/sources/forwarders/vector.mdx
Sets up and runs Vector as a Docker container, mounting a local directory for configuration and the host's log directory. Verifies the container is running.
```bash
# Pull Vector image
docker pull timberio/vector:latest-alpine
# Create config directory
mkdir -p $(pwd)/vector-config
# Run Vector container
docker run -d \
--name vector \
-v $(pwd)/vector-config:/etc/vector \
-v /var/log:/var/log:ro \
timberio/vector:latest-alpine
# Verify container is running
docker ps | grep vector
```
--------------------------------
### Tag Internal Network Traffic
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/logs/log-processing/getting-started.mdx
This example illustrates creating an enrichment named 'network-classification' to tag internal network traffic. It uses the 'src.ip' field to identify internal IPs and adds relevant metadata for downstream processing. The example focuses on the setup steps for creating such an enrichment.
--------------------------------
### Querying Custom Views - SQL Examples
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/logs/custom-views.mdx
Demonstrates basic and security-focused SQL queries for the custom view 'workspace_app_security_analysis'. Includes selecting all records, specific columns, filtering by risk, and identifying failed attempts.
```sql
-- Get all records from the custom view
SELECT * FROM workspace_app_security_analysis LIMIT 10;
-- Get specific columns
SELECT
receivedAt,
user_email,
user_role,
request_ip,
response_status
FROM workspace_app_security_analysis
ORDER BY receivedAt DESC;
```
```sql
-- Find high-risk events
SELECT
receivedAt,
user_email,
user_role,
request_ip,
risk_score,
country
FROM workspace_app_security_analysis
WHERE is_high_risk = true
ORDER BY receivedAt DESC
LIMIT 100;
-- Find failed authentication attempts
SELECT
receivedAt,
user_email,
request_ip,
response_status,
country
FROM workspace_app_security_analysis
WHERE response_status = 401
ORDER BY receivedAt DESC;
-- Find admin users from unusual locations
SELECT
receivedAt,
user_email,
request_ip,
country,
risk_score
FROM workspace_app_security_analysis
WHERE user_role = 'admin'
AND country NOT IN ('US', 'CA', 'GB')
ORDER BY risk_score DESC;
```
--------------------------------
### Start and Test Fluent Bit Configuration
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/sources/forwarders/fluent-bit.mdx
Bash commands to test and run Fluent Bit. The `--dry-run` flag checks the configuration syntax, while running without it starts Fluent Bit in the foreground for monitoring. Output examples show successful startup messages.
```bash
# Make sure you're in the fluent-bit directory
cd fluent-bit
# Test the configuration
fluent-bit -c fluent-bit.conf --dry-run
# Run Fluent Bit in foreground
fluent-bit -c fluent-bit.conf
# You should see output like:
# [info] [output:http:http.0] worker #0 started
# [info] [engine] started (pid=12345)
```
--------------------------------
### Example MDX Documentation Page Structure
Source: https://github.com/runreveal/runreveal-docs/blob/main/scripts/SOURCE-SYNC-README.md
Demonstrates the typical structure of an MDX documentation page generated for a source. These pages are initially templates and should be customized with service-specific details, screenshots, and notes.
```markdown
---
sidebar_label: Okta
---
# Okta
Okta provides identity and access management services.

## Setup
### Ingest Methods
* **Polling**: Set up API credentials in Okta.
* **Webhook**: Configure a webhook in Okta to send events to RunReveal.
## Configuration
### Polling
Follow these steps to configure polling for Okta:
1. Log in to your Okta admin console.
2. Navigate to API settings.
3. Create a new API token.
4. Enter the token and your Okta domain in RunReveal.
### Webhook
To set up webhooks, create an endpoint in RunReveal and configure Okta to send events to that URL.
**SNS Topic ARN (for S3 ingest):**
`arn:aws:sns:us-east-1:123456789012:runreveal-okta-events`
## Details
* **Categories**: `identity`, `saas`
* **Plan**: `ent`
*You should customize this page with service-specific screenshots and exact field names from the Okta UI.*
```
--------------------------------
### Get Alert Details from Notification History (Bash)
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/notifications/history-api.mdx
This bash example shows how to get alert details by first listing notification history and then querying logs based on the alert ID. It uses 'curl' and 'jq' to parse the results and construct the log query, requiring token, workspace ID, and handling the response extraction.
```shell
$ TOKEN=""
$ WKSPCID=""
$ RESULT=$(curl -H "Authorization: Basic ${TOKEN}" -H "Content-type: application/json" "https://api.runreveal.com/notification-history/list?workspaceid=${WKSPCID}")
$ ALERTID=$(echo $RESULT | jq -r '.result.[0].alertID')
$ curl -H "Authorization: Basic ${TOKEN}" -H "Content-type: application/json" "https://api.runreveal.com/logs/query/v3?workspaceid=${WKSPCID}" --data-raw "{\"query\": \"SELECT * FROM detections WHERE scheduledRunID == '${ALERTID}'\"}"
```
--------------------------------
### Example Prompt Text with Argument Placeholders
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/ai-chat/custom-prompts.mdx
An example of prompt text demonstrating the use of Handlebars templating to dynamically insert user-provided arguments like 'pattern' and 'logs'.
```text
Please analyze the following logs for the pattern "{{pattern}}":
{{logs}}
Provide a detailed analysis including:
- Pattern matches found
- Frequency of occurrences
- Potential security implications
- Recommended actions
```
--------------------------------
### Query Abnormal Security Logs in RunReveal
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/sources/source-types/abnormal.mdx
This SQL query retrieves the first 10 records from the 'abnormal_logs' table in RunReveal, used to verify successful ingestion of Abnormal Security data.
```sql
SELECT * FROM abnormal_logs LIMIT 10
```
--------------------------------
### Create SQL Detection Configuration File
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/how-to-guides/detections-signals-alerts-quick-start.mdx
Defines a SQL detection's metadata, including its name, description, type (sql), the associated query file, categories, scheduling, severity, and risk score. This YAML file specifies how the detection should behave and be categorized.
```yaml
name: test-suspicious-login
displayName: Test Suspicious Login Detection
description: Detects suspicious login attempts from specific IPs
type: sql
file: test-suspicious-login.sql
categories:
- authentication
- test
sourceTypes:
- structured-webhook
schedule: "*/5 * * * *"
severity: medium
riskScore: 50
```
--------------------------------
### Test Local MCP Token Authentication (Bash)
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/ai-chat/model-context-protocol.mdx
Verifies that your API token is correctly authenticated with the RunReveal MCP server by running a simple query. This is useful for troubleshooting authentication problems.
```bash
runreveal logs query "SELECT 1 LIMIT 1"
```
--------------------------------
### AI Query for MITRE ATT&CK Detections
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/detections/writing-detections.mdx
This bash example demonstrates a natural language query to RunReveal's AI chat for generating detections focused on specific MITRE ATT&CK tactics based on historical log data from a particular source.
```bash
Review logs from my github source for the past day and suggest detections for the most critical MITRE tactics
```
--------------------------------
### Configure Local MCP Server for Claude/Cursor (JSON)
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/ai-chat/model-context-protocol.mdx
This JSON configuration is used within Claude or Cursor to set up the local RunReveal MCP server. It specifies the command, arguments, and environment variables required for the connection.
```json
{
"mcpServers": {
"runreveal": {
"command": "runreveal",
"args": ["mcp"],
"env": {
"RUNREVEAL_TOKEN": "your-api-token-here",
"RUNREVEAL_WORKSPACE": "your-workspace-id-here",
"RUNREVEAL_BASEURL": "https://api.runreveal.com"
}
}
}
}
```
--------------------------------
### RunReveal Workspaces CLI Overview
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/reference/using-the-cli.mdx
Provides a general overview of the RunReveal workspaces CLI commands. It outlines the main actions available such as managing users and switching workspaces.
```bash
Usage:
runreveal workspaces [command]
Available Commands:
current Show active workspace
invite-user
list
list-users
remove-user
use Switch to a different workspace
Flags:
-h, --help help for workspaces
Global Flags:
--header-file string File containing headers to be used by the http client
```
--------------------------------
### Docker Compose Example for Reveald (YAML)
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/sources/forwarders/reveald.mdx
This YAML file defines a Docker Compose setup for the Reveald log forwarder. It specifies the image to use, container configuration, volume mounts for configuration and logs, environment variables, and logging driver options.
```yaml
# docker-compose.yml
version: '3.8'
services:
reveald:
image: runreveal/reveald:latest
container_name: reveald
restart: unless-stopped
volumes:
- ./config.json:/config.json:ro
- /var/log:/logs:ro
environment:
- RUNREVEAL_WEBHOOK_URL=${RUNREVEAL_WEBHOOK_URL}
command: run --config /config.json
logging:
driver: "json-file"
options:
max-size: "10m"
max-file: "3"
```
--------------------------------
### Install Fluent Bit - Docker
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/sources/forwarders/fluent-bit.mdx
Pulls the latest Fluent Bit Docker image and runs it as a detached container, mounting a local configuration file and log directory. Includes verification.
```bash
# Pull Fluent Bit image
docker pull fluent/fluent-bit:latest
# Run Fluent Bit container
docker run -d \
--name fluent-bit \
-v $(pwd)/fluent-bit.conf:/fluent-bit/etc/fluent-bit.conf \
-v $(pwd)/logs:/logs \
fluent/fluent-bit:latest
# Verify container is running
docker ps | grep fluent-bit
```
--------------------------------
### RRSCH Configuration with Environment Variables
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/bring-your-own-cloud/rrsch.mdx
Example of an RRSCH JSON configuration where sensitive or environment-specific settings, like the PostgreSQL Data Source Name (DSN), are referenced using environment variables. This enhances security and flexibility by allowing configuration to be managed outside the JSON file.
```json
{
"common": {
"pgdsn": "$POSTGRES_DSN"
}
}
```
--------------------------------
### Sync Sources and Generate Documentation Pages
Source: https://github.com/runreveal/runreveal-docs/blob/main/scripts/SOURCE-SYNC-README.md
This command syncs source metadata, updates `data/sources.json` for source cards, and generates MDX documentation pages for sources that lack them. It also updates `_meta.ts` files. Use this command to create both source cards and documentation pages.
```bash
# Generate pages for all missing sources
npm run build-source-pages
# Preview what would be generated (dry run)
npm run sync-sources -- --generate-pages --dry-run --verbose
# List sources missing documentation
npm run sync-sources -- --list-missing
```
--------------------------------
### Create Test JSON Logs
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/sources/forwarders/fluent-bit.mdx
Creates a directory named 'fluent-bit' and generates a sample 'application.log' file containing multiple JSON-formatted log events. Uses 'jq' to ensure valid JSON output.
```bash
# Create fluent-bit directory for testing
mkdir -p fluent-bit
cd fluent-bit
# Create sample JSON logs (each line is a separate JSON event)
cat > application.log << 'EOF'
{"eventName":"UserLogin","eventTime":"2025-01-15T10:30:00Z","actor":{"email":"admin@example.com","id":"USR001"},"service":{"name":"webapp"},"src":{"ip":"192.168.1.100"}}
{"eventName":"FileAccess","eventTime":"2025-01-15T10:31:00Z","actor":{"email":"user@example.com","id":"USR002"},"service":{"name":"webapp"},"src":{"ip":"192.168.1.101"}}
{"eventName":"DataExport","eventTime":"2025-01-15T10:32:00Z","actor":{"email":"analyst@example.com","id":"USR003"},"service":{"name":"webapp"},"src":{"ip":"192.168.1.102"}}
EOF
# Verify logs were created
echo "Test logs created:"
cat application.log | jq -c '.'
```
--------------------------------
### Systemd Service Management Commands (Bash)
Source: https://github.com/runreveal/runreveal-docs/blob/main/pages/sources/forwarders/reveald.mdx
These bash commands are used to set up and manage the Reveald systemd service. They cover user creation, directory setup, configuration file copying, service enablement, starting, and status checking, including log monitoring via journalctl.
```bash
# Create user and directories
sudo useradd -r -s /bin/false reveald
sudo mkdir -p /etc/reveald
sudo chown reveald:reveald /etc/reveald
# Copy configuration
sudo cp config.json /etc/reveald/
sudo chown reveald:reveald /etc/reveald/config.json
# Enable and start service
sudo systemctl daemon-reload
sudo systemctl enable reveald
sudo systemctl start reveald
# Check status
sudo systemctl status reveald
sudo journalctl -u reveald -f
```