.nh
.TH "FEVER-RUN" "1" "Apr 2023" "FEVER" ""

.SH NAME
.PP
fever-run - start FEVER service


.SH SYNOPSIS
.PP
\fBfever run [flags]\fP


.SH DESCRIPTION
.PP
The 'run' command starts the FEVER service, consuming events from the input and executing all processing components.


.SH OPTIONS
.PP
\fB--active-rdns\fP[=false]
	enable active rDNS enrichment for src/dst IPs

.PP
\fB--active-rdns-cache-expiry\fP=2m0s
	cache expiry interval for rDNS lookups

.PP
\fB--active-rdns-private-only\fP[=false]
	only do active rDNS enrichment for RFC1918 IPs

.PP
\fB--bloom-alert-prefix\fP="BLF"
	String prefix for Bloom filter alerts

.PP
\fB--bloom-blacklist-iocs\fP=[/,/index.htm,/index.html]
	Blacklisted strings in Bloom filter (will cause filter to be rejected)

.PP
\fB-b\fP, \fB--bloom-file\fP=""
	Bloom filter for external indicator screening

.PP
\fB-z\fP, \fB--bloom-zipped\fP[=false]
	use gzipped Bloom filter file

.PP
\fB-c\fP, \fB--chunksize\fP=50000
	chunk size for batched event handling (e.g. inserts)

.PP
\fB--context-cache-timeout\fP=1h0m0s
	time for flow metadata to be kept for uncompleted flows

.PP
\fB--context-enable\fP[=false]
	collect and forward flow context for alerted flows

.PP
\fB--context-submission-exchange\fP="context"
	Exchange to which flow context events will be submitted

.PP
\fB--context-submission-url\fP="amqp://guest:guest@localhost:5672/"
	URL to which flow context will be submitted

.PP
\fB-d\fP, \fB--db-database\fP="events"
	database name

.PP
\fB--db-enable\fP[=false]
	write events to database

.PP
\fB-s\fP, \fB--db-host\fP="localhost:5432"
	database host

.PP
\fB--db-maxtablesize\fP=500
	Maximum allowed cumulative table size in GB

.PP
\fB-m\fP, \fB--db-mongo\fP[=false]
	use MongoDB

.PP
\fB-p\fP, \fB--db-password\fP="sensor"
	database password

.PP
\fB--db-rotate\fP=1h0m0s
	time interval for database table rotations

.PP
\fB-u\fP, \fB--db-user\fP="sensor"
	database user

.PP
\fB--dummy\fP[=false]
	log locally instead of sending home

.PP
\fB--flowextract-bloom-selector\fP=""
	IP address Bloom filter to select flows to extract

.PP
\fB--flowextract-enable\fP[=false]
	extract and forward flow metadata

.PP
\fB--flowextract-submission-exchange\fP="flows"
	Exchange to which raw flow events will be submitted

.PP
\fB--flowextract-submission-url\fP="amqp://guest:guest@localhost:5672/"
	URL to which raw flow events will be submitted

.PP
\fB-n\fP, \fB--flowreport-interval\fP=0s
	time interval for report submissions

.PP
\fB--flowreport-nocompress\fP[=false]
	send uncompressed flow reports (default is gzip)

.PP
\fB--flowreport-submission-exchange\fP="aggregations"
	Exchange to which flow reports will be submitted

.PP
\fB--flowreport-submission-url\fP="amqp://guest:guest@localhost:5672/"
	URL to which flow reports will be submitted

.PP
\fB--flushcount\fP=100000
	maximum number of events in one batch (e.g. for flow extraction)

.PP
\fB-f\fP, \fB--flushtime\fP=1m0s
	time interval for event aggregation

.PP
\fB-T\fP, \fB--fwd-all-types\fP[=false]
	forward all event types

.PP
\fB-t\fP, \fB--fwd-event-types\fP=[alert,stats]
	event types to forward to socket

.PP
\fB--heartbeat-enable\fP[=false]
	Forward HTTP heartbeat event

.PP
\fB--heartbeat-times\fP=[]
	Times of day to send heartbeat (list of 24h HH:MM strings)

.PP
\fB-h\fP, \fB--help\fP[=false]
	help for run

.PP
\fB--in-buffer-drop\fP[=true]
	drop incoming events on FEVER side instead of blocking the input socket

.PP
\fB--in-buffer-length\fP=500000
	input buffer length (counted in EVE objects)

.PP
\fB-r\fP, \fB--in-redis\fP=""
	Redis input server (assumes "suricata" list key, no password)

.PP
\fB--in-redis-nopipe\fP[=false]
	do not use Redis pipelining

.PP
\fB-i\fP, \fB--in-socket\fP="/tmp/suri.sock"
	filename of input socket (accepts EVE JSON)

.PP
\fB--ip-alert-prefix\fP="IP-BLACKLIST"
	String prefix for IP blacklist alerts

.PP
\fB--ip-blacklist\fP=""
	List with IP ranges to alert on

.PP
\fB--logfile\fP=""
	Path to log file

.PP
\fB--logjson\fP[=false]
	Output logs in JSON format

.PP
\fB--metrics-enable\fP[=false]
	submit performance metrics to central sink

.PP
\fB--metrics-submission-exchange\fP="metrics"
	Exchange to which metrics will be submitted

.PP
\fB--metrics-submission-url\fP="amqp://guest:guest@localhost:5672/"
	URL to which metrics will be submitted

.PP
\fB-o\fP, \fB--out-socket\fP="/tmp/suri-forward.sock"
	path to output socket (to forwarder), empty string disables forwarding

.PP
\fB--pdns-enable\fP[=false]
	collect and forward aggregated passive DNS data

.PP
\fB--pdns-submission-exchange\fP="pdns"
	Exchange to which passive DNS events will be submitted

.PP
\fB--pdns-submission-url\fP="amqp://guest:guest@localhost:5672/"
	URL to which passive DNS events will be submitted

.PP
\fB--profile\fP=""
	enable runtime profiling to given file

.PP
\fB--reconnect-retries\fP=0
	number of retries connecting to socket or sink, 0 = no retry limit

.PP
\fB--toolname\fP="fever"
	set toolname

.PP
\fB-v\fP, \fB--verbose\fP[=false]
	enable verbose logging (debug log level)


.SH OPTIONS INHERITED FROM PARENT COMMANDS
.PP
\fB--config\fP=""
	config file (default is $HOME/.fever.yaml)

.PP
\fB--mgmt-host\fP=""
	hostname:port definition for management server

.PP
\fB--mgmt-network\fP="tcp"
	network (tcp/udp) definition for management server

.PP
\fB--mgmt-socket\fP="/tmp/fever-mgmt.sock"
	Socket path for management server


.SH SEE ALSO
.PP
\fBfever(1)\fP