
Provided by: fever_1.3.5-1_amd64

NAME

       fever-run - start FEVER service

SYNOPSIS

       fever run [flags]

DESCRIPTION

       The 'run' command starts the FEVER service, consuming events from the input and executing
       all processing components. Note that the defaults shown below for the database password and
       for the AMQP submission URLs include credentials.

OPTIONS

       --active-rdns[=false]      enable active rDNS enrichment for src/dst IPs

       --active-rdns-cache-expiry=2m0s      cache expiry interval for rDNS lookups

       --active-rdns-private-only[=false]      only do active rDNS enrichment for RFC1918 IPs

       --bloom-alert-prefix="BLF"      String prefix for Bloom filter alerts

       --bloom-blacklist-iocs=[/,/index.htm,/index.html]      Blacklisted strings in Bloom filter
       (will cause filter to be rejected)

       -b, --bloom-file=""      Bloom filter for external indicator screening

       -z, --bloom-zipped[=false]      use gzipped Bloom filter file

       -c, --chunksize=50000      chunk size for batched event handling (e.g. inserts)

       --context-cache-timeout=1h0m0s       time  for  flow  metadata  to be kept for uncompleted
       flows

       --context-enable[=false]      collect and forward flow context for alerted flows

       --context-submission-exchange="context"      Exchange to which flow context events will be
       submitted

       --context-submission-url="amqp://guest:guest@localhost:5672/"        URL   to  which  flow
       context will be submitted

       -d, --db-database="events"      database name

       --db-enable[=false]      write events to database

       -s, --db-host="localhost:5432"      database host

       --db-maxtablesize=500      Maximum allowed cumulative table size in GB

       -m, --db-mongo[=false]      use MongoDB

       -p, --db-password="sensor"      database password

       --db-rotate=1h0m0s      time interval for database table rotations

       -u, --db-user="sensor"      database user

       --dummy[=false]      log locally instead of sending home

       --flowextract-bloom-selector=""      IP address Bloom filter to select flows to extract

       --flowextract-enable[=false]      extract and forward flow metadata

       --flowextract-submission-exchange="flows"      Exchange to which raw flow events  will  be
       submitted

       --flowextract-submission-url="amqp://guest:guest@localhost:5672/"       URL  to  which raw
       flow events will be submitted

       -n, --flowreport-interval=0s      time interval for report submissions

       --flowreport-nocompress[=false]      send uncompressed flow reports (default is gzip)

       --flowreport-submission-exchange="aggregations"      Exchange to which flow  reports  will
       be submitted

       --flowreport-submission-url="amqp://guest:guest@localhost:5672/"       URL  to  which flow
       reports will be submitted

       --flushcount=100000      maximum number of events in one batch (e.g. for flow extraction)

       -f, --flushtime=1m0s      time interval for event aggregation

       -T, --fwd-all-types[=false]      forward all event types

       -t, --fwd-event-types=[alert,stats]      event types to forward to socket

       --heartbeat-enable[=false]      Forward HTTP heartbeat event

       --heartbeat-times=[]      Times of day to send heartbeat (list of 24h HH:MM strings)

       -h, --help[=false]      help for run

       --in-buffer-drop[=true]      drop incoming events on FEVER side instead  of  blocking  the
       input socket

       --in-buffer-length=500000      input buffer length (counted in EVE objects)

       -r, --in-redis=""      Redis input server (assumes "suricata" list key, no password)

       --in-redis-nopipe[=false]      do not use Redis pipelining

       -i, --in-socket="/tmp/suri.sock"      filename of input socket (accepts EVE JSON)

       --ip-alert-prefix="IP-BLACKLIST"      String prefix for IP blacklist alerts

       --ip-blacklist=""      List with IP ranges to alert on

       --logfile=""      Path to log file

       --logjson[=false]      Output logs in JSON format

       --metrics-enable[=false]      submit performance metrics to central sink

       --metrics-submission-exchange="metrics"      Exchange to which metrics will be submitted

       --metrics-submission-url="amqp://guest:guest@localhost:5672/"       URL  to  which metrics
       will be submitted

       -o, --out-socket="/tmp/suri-forward.sock"      path to output socket (to forwarder), empty
       string disables forwarding

       --pdns-enable[=false]      collect and forward aggregated passive DNS data

       --pdns-submission-exchange="pdns"       Exchange  to  which  passive  DNS  events  will be
       submitted

       --pdns-submission-url="amqp://guest:guest@localhost:5672/"      URL to which  passive  DNS
       events will be submitted

       --profile=""      enable runtime profiling to given file

       --reconnect-retries=0       number  of  retries connecting to socket or sink, 0 = no retry
       limit

       --toolname="fever"      set toolname

       -v, --verbose[=false]      enable verbose logging (debug log level)

OPTIONS INHERITED FROM PARENT COMMANDS

       --config=""      config file (default is $HOME/.fever.yaml)

       --mgmt-host=""      hostname:port definition for management server

       --mgmt-network="tcp"      network (tcp/udp) definition for management server

       --mgmt-socket="/tmp/fever-mgmt.sock"      Socket path for management server

SEE ALSO

       fever(1)