fever-run(1)
NAME
fever-run - start FEVER service
SYNOPSIS
fever run [flags]
DESCRIPTION
The 'run' command starts the FEVER service. It consumes EVE JSON events from the configured input (a Unix socket by default, or a Redis list), runs every enabled processing component on them (forwarding to the output socket, flow reporting and extraction, passive DNS aggregation, Bloom filter and IP blacklist screening, rDNS enrichment, flow context collection, database output, metrics and heartbeats) and submits the results to the configured sinks.

All submission URLs default to amqp://guest:guest@localhost:5672/, the well-known AMQP broker default account, and the database password defaults to "sensor". Replace these before running outside a test setup, and prefer putting credentials in the config file (see --config below) to passing them on the command line, where they are readable by every local user in the process list.
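How the input buffer and the forwarding selection interact, as an added Go example (not FEVER's code): a bounded buffer of --in-buffer-length events either discards new events on overflow (--in-buffer-drop, the default) or blocks the writer, and only the --fwd-event-types types (or all of them with -T) go on to --out-socket. The type names, buffer sizes and sample EVE lines are constructed for the illustration. The point worth seeing is that overflow drops whatever arrives next, including the alert and stats events that would otherwise have been forwarded, so a drop counter is the first thing to check when alerts go missing under load.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Event is the part of an EVE JSON object the forwarder inspects; the raw
// line is kept so that it can be forwarded byte-for-byte.
type Event struct {
	Type string `json:"event_type"`
	Raw  string `json:"-"`
}

// Forwarder models the input buffer behind --in-buffer-length and
// --in-buffer-drop together with the --fwd-event-types / --fwd-all-types
// selection. It illustrates those semantics and is not FEVER's own code.
type Forwarder struct {
	buf      chan Event
	drop     bool
	allTypes bool
	types    map[string]bool
	Dropped  int // events discarded because the buffer was full (drop mode)
}

func NewForwarder(bufLen int, drop, allTypes bool, types []string) *Forwarder {
	f := &Forwarder{buf: make(chan Event, bufLen), drop: drop, allTypes: allTypes, types: map[string]bool{}}
	for _, t := range types {
		f.types[t] = true
	}
	return f
}

// Ingest accepts one newline-delimited EVE JSON line as written by Suricata.
// In drop mode a full buffer discards the event immediately (the input
// socket never stalls, but the event is lost regardless of its type);
// otherwise the send blocks until a consumer frees space, which
// back-pressures the writer instead.
func (f *Forwarder) Ingest(line string) error {
	var ev Event
	if err := json.Unmarshal([]byte(line), &ev); err != nil {
		return fmt.Errorf("not an EVE JSON object: %w", err)
	}
	if ev.Type == "" {
		return fmt.Errorf("EVE object without event_type")
	}
	ev.Raw = line
	if f.drop {
		select {
		case f.buf <- ev:
		default:
			f.Dropped++
		}
		return nil
	}
	f.buf <- ev
	return nil
}

// Drain returns the raw lines of every buffered event whose type is selected
// for forwarding; unselected types are consumed and discarded.
func (f *Forwarder) Drain() []string {
	var out []string
	for {
		select {
		case ev := <-f.buf:
			if f.allTypes || f.types[ev.Type] {
				out = append(out, ev.Raw)
			}
		default:
			return out
		}
	}
}

// Constructed sample input: four EVE records of four types.
var sampleEVE = strings.TrimSpace(`
{"timestamp":"2024-01-01T00:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","alert":{"signature":"TEST"}}
{"timestamp":"2024-01-01T00:00:01.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53"}
{"timestamp":"2024-01-01T00:00:02.000000+0000","event_type":"stats","stats":{"uptime":2}}
{"timestamp":"2024-01-01T00:00:03.000000+0000","event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.7"}
`)

func main() {
	// Buffer of 2 with drop enabled (the documented default): the stats and
	// http records arrive while the buffer is full and are discarded, so the
	// stats event is lost even though it is a forwarded type.
	f := NewForwarder(2, true, false, []string{"alert", "stats"})
	for _, line := range strings.Split(sampleEVE, "\n") {
		if err := f.Ingest(line); err != nil {
			fmt.Println("skipped:", err)
		}
	}
	fmt.Printf("forwarded %d, dropped %d\n", len(f.Drain()), f.Dropped)
}
```

With drop disabled the same overflow would instead block the writer, which for a Suricata unix_stream output means the sensor's own EVE writer stalls; neither choice is free, which is why the buffer length and the drop counter both belong on a sensor dashboard.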
OPTIONS
   --active-rdns[=false]
       enable active reverse DNS (rDNS) enrichment for src/dst IPs

   --active-rdns-cache-expiry=2m0s
       cache expiry interval for rDNS lookups

   --active-rdns-private-only[=false]
       only do active rDNS enrichment for RFC 1918 (private) IPs

   --bloom-alert-prefix="BLF"
       string prefix for Bloom filter alerts

   --bloom-blacklist-iocs=[/,/index.htm,/index.html]
       strings that must not be present in the Bloom filter; a filter
       containing any of them is rejected, since an indicator such as "/"
       would match the URL of nearly every HTTP request

   -b, --bloom-file=""
       Bloom filter file for external indicator screening

   -z, --bloom-zipped[=false]
       treat the Bloom filter file as gzipped

   -c, --chunksize=50000
       chunk size for batched event handling (e.g. database inserts)

   --context-cache-timeout=1h0m0s
       time for which flow metadata is kept for uncompleted flows

   --context-enable[=false]
       collect and forward flow context for alerted flows

   --context-submission-exchange="context"
       exchange to which flow context events will be submitted

   --context-submission-url="amqp://guest:guest@localhost:5672/"
       URL to which flow context will be submitted

   -d, --db-database="events"
       database name

   --db-enable[=false]
       write events to the database

   -s, --db-host="localhost:5432"
       database host

   --db-maxtablesize=500
       maximum allowed cumulative table size in GB

   -m, --db-mongo[=false]
       use MongoDB

   -p, --db-password="sensor"
       database password (the default is a placeholder; set a real one,
       preferably in the config file rather than on the command line)

   --db-rotate=1h0m0s
       time interval for database table rotations

   -u, --db-user="sensor"
       database user

   --dummy[=false]
       log submissions locally instead of sending them to the sinks

   --flowextract-bloom-selector=""
       Bloom filter of IP addresses selecting the flows to extract

   --flowextract-enable[=false]
       extract and forward flow metadata

   --flowextract-submission-exchange="flows"
       exchange to which raw flow events will be submitted

   --flowextract-submission-url="amqp://guest:guest@localhost:5672/"
       URL to which raw flow events will be submitted

   -n, --flowreport-interval=0s
       time interval for flow report submissions

   --flowreport-nocompress[=false]
       send uncompressed flow reports (default is gzip)

   --flowreport-submission-exchange="aggregations"
       exchange to which flow reports will be submitted

   --flowreport-submission-url="amqp://guest:guest@localhost:5672/"
       URL to which flow reports will be submitted

   --flushcount=100000
       maximum number of events in one batch (e.g. for flow extraction)

   -f, --flushtime=1m0s
       time interval for event aggregation

   -T, --fwd-all-types[=false]
       forward all event types

   -t, --fwd-event-types=[alert,stats]
       event types to forward to the output socket

   --heartbeat-enable[=false]
       forward HTTP heartbeat event

   --heartbeat-times=[]
       times of day at which to send the heartbeat (list of 24h HH:MM
       strings)

   -h, --help[=false]
       help for run

   --in-buffer-drop[=true]
       when the input buffer is full, drop incoming events on the FEVER
       side instead of blocking the input socket; the default keeps the
       writer from stalling but loses events, including alerts, under
       sustained overload

   --in-buffer-length=500000
       input buffer length (counted in EVE objects)

   -r, --in-redis=""
       Redis input server (assumes the "suricata" list key and no
       password)

   --in-redis-nopipe[=false]
       do not use Redis pipelining

   -i, --in-socket="/tmp/suri.sock"
       path of the input socket (accepts EVE JSON)

   --ip-alert-prefix="IP-BLACKLIST"
       string prefix for IP blacklist alerts

   --ip-blacklist=""
       list of IP ranges to alert on

   --logfile=""
       path to log file

   --logjson[=false]
       output logs in JSON format

   --metrics-enable[=false]
       submit performance metrics to the central sink

   --metrics-submission-exchange="metrics"
       exchange to which metrics will be submitted

   --metrics-submission-url="amqp://guest:guest@localhost:5672/"
       URL to which metrics will be submitted

   -o, --out-socket="/tmp/suri-forward.sock"
       path to the output socket (to the forwarder); an empty string
       disables forwarding

   --pdns-enable[=false]
       collect and forward aggregated passive DNS data

   --pdns-submission-exchange="pdns"
       exchange to which passive DNS events will be submitted

   --pdns-submission-url="amqp://guest:guest@localhost:5672/"
       URL to which passive DNS events will be submitted

   --profile=""
       enable runtime profiling, writing to the given file

   --reconnect-retries=0
       number of retries when connecting to the socket or sink; 0 means
       no retry limit

   --toolname="fever"
       set tool name

   -v, --verbose[=false]
       enable verbose logging (debug log level)
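Why the --bloom-blacklist-iocs check exists, shown as an added Go example (not FEVER's code and not its filter file format): a toy Bloom filter is built from indicator strings, rejected if it answers "present" for any blacklisted string, and then used to screen constructed EVE events, tagging hits with the --bloom-alert-prefix value. The screened fields (http.hostname, http.url, dns.rrname, tls.sni), the filter parameters and the alert text are assumptions for the illustration. Suricata's http.url field carries only the request path, so a filter that contains "/" or "/index.html" would alert on almost every HTTP session, which is the failure the rejection prevents.

```go
package main

import (
	"encoding/json"
	"fmt"
	"hash/fnv"
)

// Bloom is a minimal Bloom filter (double hashing over FNV-1a / FNV-1).
// It stands in for the file loaded with --bloom-file for this example.
type Bloom struct {
	bits []uint64
	m    uint64 // number of bits
	k    int    // number of probes per item
}

func NewBloom(m uint64, k int) *Bloom {
	return &Bloom{bits: make([]uint64, (m+63)/64), m: m, k: k}
}

func (b *Bloom) hashes(s string) (uint64, uint64) {
	h1 := fnv.New64a()
	h1.Write([]byte(s))
	h2 := fnv.New64()
	h2.Write([]byte(s))
	return h1.Sum64(), h2.Sum64() | 1 // odd step so the k probes differ
}

func (b *Bloom) Add(s string) {
	a, c := b.hashes(s)
	for i := 0; i < b.k; i++ {
		idx := (a + uint64(i)*c) % b.m
		b.bits[idx/64] |= 1 << (idx % 64)
	}
}

// Check reports "possibly present"; a false answer is definitive, a true
// answer may be a false positive, which is why hits are alerts, not verdicts.
func (b *Bloom) Check(s string) bool {
	a, c := b.hashes(s)
	for i := 0; i < b.k; i++ {
		idx := (a + uint64(i)*c) % b.m
		if b.bits[idx/64]&(1<<(idx%64)) == 0 {
			return false
		}
	}
	return true
}

// DefaultBlacklistIOCs mirrors the documented --bloom-blacklist-iocs default.
var DefaultBlacklistIOCs = []string{"/", "/index.htm", "/index.html"}

// LoadFilter builds a filter from indicator strings and applies the sanity
// check behind --bloom-blacklist-iocs: if the filter claims to contain any
// blacklisted string it is refused, because such an indicator would match
// nearly every HTTP request and turn the filter into an alert storm.
func LoadFilter(iocs, blacklist []string) (*Bloom, error) {
	b := NewBloom(1<<16, 7) // assumed size; sized for a handful of indicators
	for _, ioc := range iocs {
		b.Add(ioc)
	}
	for _, bad := range blacklist {
		if b.Check(bad) {
			return nil, fmt.Errorf("filter rejected: contains blacklisted indicator %q", bad)
		}
	}
	return b, nil
}

// Screen extracts the fields assumed to be compared against the filter from
// one EVE JSON line and returns one prefixed alert string per hit.
func Screen(b *Bloom, prefix, eveLine string) ([]string, error) {
	var ev struct {
		HTTP struct {
			Hostname string `json:"hostname"`
			URL      string `json:"url"`
		} `json:"http"`
		DNS struct {
			RRName string `json:"rrname"`
		} `json:"dns"`
		TLS struct {
			SNI string `json:"sni"`
		} `json:"tls"`
	}
	if err := json.Unmarshal([]byte(eveLine), &ev); err != nil {
		return nil, err
	}
	var hits []string
	for _, c := range []string{ev.HTTP.Hostname, ev.HTTP.URL, ev.DNS.RRName, ev.TLS.SNI} {
		if c != "" && b.Check(c) {
			hits = append(hits, fmt.Sprintf("%s: matched indicator %s", prefix, c))
		}
	}
	return hits, nil
}

func main() {
	// Constructed indicator list and events for the demonstration.
	filter, err := LoadFilter([]string{"evil.example", "/dl/payload.exe"}, DefaultBlacklistIOCs)
	if err != nil {
		panic(err)
	}
	for _, e := range []string{
		`{"event_type":"http","http":{"hostname":"evil.example","url":"/dl/payload.exe"}}`,
		`{"event_type":"http","http":{"hostname":"www.example.com","url":"/index.html"}}`,
	} {
		hits, _ := Screen(filter, "BLF", e)
		fmt.Println(len(hits), "hit(s):", hits)
	}
	// A filter that includes "/" is refused outright.
	if _, err := LoadFilter([]string{"/"}, DefaultBlacklistIOCs); err != nil {
		fmt.Println(err)
	}
}
```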
OPTIONS INHERITED FROM PARENT COMMANDS
   --config=""
       config file (default is $HOME/.fever.yaml)

   --mgmt-host=""
       hostname:port definition for the management server

   --mgmt-network="tcp"
       network (tcp/udp) definition for the management server

   --mgmt-socket="/tmp/fever-mgmt.sock"
       socket path for the management server
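Screening src_ip and dest_ip against the ranges given to --ip-blacklist, and the RFC 1918 test behind --active-rdns-private-only, as an added Go example (not FEVER's code). The list format (one CIDR or single address per line, blank lines and '#' comments ignored), the alert string and the WantRDNS helper are assumptions for the illustration. A parse error anywhere in the list is fatal rather than skipped, so a typo cannot quietly shrink the list; and with private-only set, the sensor never sends lookups for external addresses of interest to its resolver.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// rfc1918 is the address space meant by "RFC1918 IPs" in the option text.
var rfc1918 = mustCIDRs("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

func mustCIDRs(cidrs ...string) []*net.IPNet {
	var nets []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

func inRanges(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// IsRFC1918 reports whether ip lies in one of the RFC 1918 private ranges.
func IsRFC1918(ip net.IP) bool { return inRanges(ip, rfc1918) }

// WantRDNS models the --active-rdns / --active-rdns-private-only decision
// (an assumed helper): with privateOnly set, only RFC 1918 addresses are
// looked up, so external addresses never reach the sensor's resolver.
func WantRDNS(ip net.IP, enabled, privateOnly bool) bool {
	if !enabled || ip == nil {
		return false
	}
	return !privateOnly || IsRFC1918(ip)
}

// ParseBlacklist reads the --ip-blacklist input in the assumed format: one
// CIDR or single address per line, '#' comments and blank lines ignored.
// Every entry must parse; a silently skipped typo would leave a hole in the
// list with nothing in the logs to show for it.
func ParseBlacklist(text string) ([]*net.IPNet, error) {
	var nets []*net.IPNet
	sc := bufio.NewScanner(strings.NewReader(text))
	for lineNo := 1; sc.Scan(); lineNo++ {
		entry := strings.TrimSpace(sc.Text())
		if i := strings.IndexByte(entry, '#'); i >= 0 {
			entry = strings.TrimSpace(entry[:i])
		}
		if entry == "" {
			continue
		}
		// A bare address becomes a host route so one parser handles both.
		if !strings.Contains(entry, "/") {
			if ip := net.ParseIP(entry); ip != nil {
				if ip.To4() != nil {
					entry += "/32"
				} else {
					entry += "/128"
				}
			}
		}
		_, n, err := net.ParseCIDR(entry)
		if err != nil {
			return nil, fmt.Errorf("ip-blacklist line %d: %w", lineNo, err)
		}
		nets = append(nets, n)
	}
	return nets, sc.Err()
}

// ScreenIPs checks src_ip and dest_ip of one EVE JSON line against the
// blacklist and returns one alert string per hit, tagged with the
// --ip-alert-prefix value. The alert text is constructed, not FEVER's format.
func ScreenIPs(ranges []*net.IPNet, prefix, eveLine string) ([]string, error) {
	var ev struct {
		Src string `json:"src_ip"`
		Dst string `json:"dest_ip"`
	}
	if err := json.Unmarshal([]byte(eveLine), &ev); err != nil {
		return nil, err
	}
	var alerts []string
	for _, side := range []struct{ name, addr string }{{"src_ip", ev.Src}, {"dest_ip", ev.Dst}} {
		if ip := net.ParseIP(side.addr); ip != nil && inRanges(ip, ranges) {
			alerts = append(alerts, fmt.Sprintf("%s: %s %s is in a blacklisted range", prefix, side.name, side.addr))
		}
	}
	return alerts, nil
}

func main() {
	// Constructed list and event; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
	ranges, err := ParseBlacklist("203.0.113.0/24\n# known C2 host\n198.51.100.7\n")
	if err != nil {
		panic(err)
	}
	alerts, _ := ScreenIPs(ranges, "IP-BLACKLIST", `{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.7"}`)
	fmt.Println(alerts)
	fmt.Println("rDNS for 10.0.0.5 with private-only:", WantRDNS(net.ParseIP("10.0.0.5"), true, true))
	fmt.Println("rDNS for 203.0.113.7 with private-only:", WantRDNS(net.ParseIP("203.0.113.7"), true, true))
}
```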
SEE ALSO
fever(1)