Provided by: fever_1.3.3-1ubuntu0.3_amd64
NAME
fever-run - start FEVER service
SYNOPSIS
fever run [flags]
DESCRIPTION
The 'run' command starts the FEVER service, consuming events from the input and executing all processing components.
OPTIONS
  --active-rdns[=false]
      enable active rDNS enrichment for src/dst IPs
  --active-rdns-cache-expiry=2m0s
      cache expiry interval for rDNS lookups
  --active-rdns-private-only[=false]
      only do active rDNS enrichment for RFC1918 IPs
  --bloom-alert-prefix="BLF"
      String prefix for Bloom filter alerts
  --bloom-blacklist-iocs=[/,/index.htm,/index.html]
      Blacklisted strings in Bloom filter (will cause filter to be rejected)
  -b, --bloom-file=""
      Bloom filter for external indicator screening
  -z, --bloom-zipped[=false]
      use gzipped Bloom filter file
  -c, --chunksize=50000
      chunk size for batched event handling (e.g. inserts)
  --context-cache-timeout=1h0m0s
      time for flow metadata to be kept for uncompleted flows
  --context-enable[=false]
      collect and forward flow context for alerted flows
  --context-submission-exchange="context"
      Exchange to which flow context events will be submitted
  --context-submission-url="amqp://guest:guest@localhost:5672/"
      URL to which flow context will be submitted
  -d, --db-database="events"
      database DB
  --db-enable[=false]
      write events to database
  -s, --db-host="localhost:5432"
      database host
  --db-maxtablesize=500
      Maximum allowed cumulative table size in GB
  -m, --db-mongo[=false]
      use MongoDB
  -p, --db-password="sensor"
      database password
  --db-rotate=1h0m0s
      time interval for database table rotations
  -u, --db-user="sensor"
      database user
  --dummy[=false]
      log locally instead of sending home
  --flowextract-bloom-selector=""
      IP address Bloom filter to select flows to extract
  --flowextract-enable[=false]
      extract and forward flow metadata
  --flowextract-submission-exchange="flows"
      Exchange to which raw flow events will be submitted
  --flowextract-submission-url="amqp://guest:guest@localhost:5672/"
      URL to which raw flow events will be submitted
  -n, --flowreport-interval=0s
      time interval for report submissions
  --flowreport-nocompress[=false]
      send uncompressed flow reports (default is gzip)
  --flowreport-submission-exchange="aggregations"
      Exchange to which flow reports will be submitted
  --flowreport-submission-url="amqp://guest:guest@localhost:5672/"
      URL to which flow reports will be submitted
  --flushcount=100000
      maximum number of events in one batch (e.g. for flow extraction)
  -f, --flushtime=1m0s
      time interval for event aggregation
  -T, --fwd-all-types[=false]
      forward all event types
  -t, --fwd-event-types=[alert,stats]
      event types to forward to socket
  --heartbeat-enable[=false]
      Forward HTTP heartbeat event
  --heartbeat-times=[]
      Times of day to send heartbeat (list of 24h HH:MM strings)
  -h, --help[=false]
      help for run
  --in-buffer-drop[=true]
      drop incoming events on FEVER side instead of blocking the input socket
  --in-buffer-length=500000
      input buffer length (counted in EVE objects)
  -r, --in-redis=""
      Redis input server (assumes "suricata" list key, no pwd)
  --in-redis-nopipe[=false]
      do not use Redis pipelining
  -i, --in-socket="/tmp/suri.sock"
      filename of input socket (accepts EVE JSON)
  --ip-alert-prefix="IP-BLACKLIST"
      String prefix for IP blacklist alerts
  --ip-blacklist=""
      List with IP ranges to alert on
  --logfile=""
      Path to log file
  --logjson[=false]
      Output logs in JSON format
  --metrics-enable[=false]
      submit performance metrics to central sink
  --metrics-submission-exchange="metrics"
      Exchange to which metrics will be submitted
  --metrics-submission-url="amqp://guest:guest@localhost:5672/"
      URL to which metrics will be submitted
  -o, --out-socket="/tmp/suri-forward.sock"
      path to output socket (to forwarder), empty string disables forwarding
  --pdns-enable[=false]
      collect and forward aggregated passive DNS data
  --pdns-submission-exchange="pdns"
      Exchange to which passive DNS events will be submitted
  --pdns-submission-url="amqp://guest:guest@localhost:5672/"
      URL to which passive DNS events will be submitted
  --profile=""
      enable runtime profiling to given file
  --reconnect-retries=0
      number of retries connecting to socket or sink, 0 = no retry limit
  --stenosis-cache-expiry=30m0s
      alert cache expiry timeout
  --stenosis-client-chain-file="stenosis.crt"
      certificate file for Stenosis TLS connection
  --stenosis-client-key-file="stenosis.key"
      key file for Stenosis TLS connection
  --stenosis-enable[=false]
      notify Stenosis instance on alert
  --stenosis-interface="*"
      interface to watch events for
  --stenosis-root-cas=[root.crt]
      root certificate(s) for TLS connection to stenosis
  --stenosis-skipverify[=false]
      skip TLS certificate verification
  --stenosis-submission-timeout=5s
      timeout for connecting to Stenosis
  --stenosis-submission-url="http://localhost:19205"
      URL to which Stenosis requests will be submitted
  --stenosis-tls[=false]
      use TLS for Stenosis
  --toolname="fever"
      set toolname
  -v, --verbose[=false]
      enable verbose logging (debug log level)
OPTIONS INHERITED FROM PARENT COMMANDS
  --config=""
      config file (default is $HOME/.fever.yaml)
  --mgmt-host=""
      hostname:port definition for management server
  --mgmt-network="tcp"
      network (tcp/udp) definition for management server
  --mgmt-socket="/tmp/fever-mgmt.sock"
      Socket path for management server
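EXAMPLE
Several of the defaults above are fine for a lab but not for a production sensor: every *-submission-url defaults to amqp://guest:guest@localhost:5672/, the Stenosis URL defaults to plain http://, and --stenosis-skipverify can switch certificate verification off. The wrapper below is an added example, not part of the fever package or its man page; it composes a fever run command line from FEVER_* environment variables (names assumed here) and refuses to start when any of those weak settings is present.

```shell
#!/bin/sh
# Added example, not part of the fever package or its man page: wrap
# `fever run` so that a deployment never starts with the weak defaults
# listed above (guest:guest AMQP URLs, a plaintext Stenosis URL, or
# --stenosis-skipverify). The FEVER_* variable names are this example's own.

# fever_check_args: return 0 if no argument carries a weak setting, 1 otherwise.
fever_check_args() {
    for arg in "$@"; do
        case "$arg" in
            --stenosis-skipverify|--stenosis-skipverify=true)
                echo "refusing $arg: keep TLS certificate verification on" >&2
                return 1 ;;
            *amqp://guest:guest@*)
                echo "refusing default guest:guest AMQP credentials in $arg" >&2
                return 1 ;;
            --stenosis-submission-url=http://*)
                echo "refusing plaintext Stenosis URL in $arg" >&2
                return 1 ;;
        esac
    done
    return 0
}

# fever_build_args: print one flag per line, taking AMQP credentials from the
# environment (FEVER_AMQP_USER and FEVER_AMQP_PASS are required, the rest
# fall back to the sensor-side defaults shown in OPTIONS or a TLS endpoint).
fever_build_args() {
    amqp="amqp://${FEVER_AMQP_USER:?}:${FEVER_AMQP_PASS:?}@${FEVER_AMQP_HOST:-localhost:5672}/"
    printf '%s\n' \
        "--in-socket=${FEVER_IN_SOCKET:-/tmp/suri.sock}" \
        "--logjson" \
        "--metrics-enable" \
        "--metrics-submission-url=${amqp}" \
        "--pdns-enable" \
        "--pdns-submission-url=${amqp}" \
        "--stenosis-enable" \
        "--stenosis-tls" \
        "--stenosis-root-cas=${FEVER_STENOSIS_CA:-/etc/fever/root.crt}" \
        "--stenosis-submission-url=${FEVER_STENOSIS_URL:-https://localhost:19205}"
}

# fever_start: validate the composed flags, then hand over to the real binary.
fever_start() {
    set -- $(fever_build_args)
    fever_check_args "$@" || return 1
    exec fever run "$@"
}
```

Flag values remain visible in the process list, so on a production sensor the credentials belong in the --config file rather than on the command line.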
SEE ALSO
fever(1)