Installation

RSigma ships as a single self-contained binary on every supported platform. Pick the install method that matches your environment.

Requirements

  • An x86_64 or arm64 host running Linux, macOS, or Windows.
  • Disk space: the binary is roughly 25 MB, depending on enabled features.
  • No runtime dependencies: RSigma is statically linked except for the system libc.
  • For the daemon, an inbound port for the management/metrics API (default 0.0.0.0:9090, which listens on all interfaces).
  • For building from source: Rust 1.88.0 or newer (2024 edition).

With Cargo

The recommended path for Rust users. This installs the latest release (0.12.0) with default features (daemon enabled, NATS and OTLP off):

cargo install --locked rsigma

Add optional features as needed:

# Streaming over NATS JetStream
cargo install --locked rsigma --features daemon-nats

# OTLP HTTP + gRPC ingestion
cargo install --locked rsigma --features daemon-otlp

# Windows Event Log (.evtx) input
cargo install --locked rsigma --features evtx

# Cross-rule Aho-Corasick prefilter for large rule sets
cargo install --locked rsigma --features daachorse-index

# Everything at once
cargo install --locked rsigma --features daemon-nats,daemon-otlp,logfmt,cef,evtx,daachorse-index

The --locked flag pins the dependency graph to the published Cargo.lock, which is what CI builds and signs. The LSP server ships in its own crate:

cargo install --locked rsigma-lsp

Docker

Multi-arch images (linux/amd64, linux/arm64) are published to GitHub Container Registry on every release. Tags include the version (0.12.0), latest, and per-commit SHAs.

docker pull ghcr.io/timescale/rsigma:latest
docker run --rm ghcr.io/timescale/rsigma:latest --help

Run with full runtime hardening for production:

docker run --rm \
  --read-only \
  --cap-drop=ALL \
  --security-opt=no-new-privileges:true \
  -v /path/to/rules:/rules:ro \
  ghcr.io/timescale/rsigma:latest rule validate /rules/

The image is signed with Sigstore keyless cosign and ships with an SBOM and SLSA Build L3 provenance attestation. Verify before deploying:

# The identity pattern is anchored so that only workflows under this repository match
cosign verify \
  --certificate-identity-regexp '^https://github\.com/timescale/rsigma/' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  ghcr.io/timescale/rsigma:latest

See the Docker deployment guide for compose files, hardened systemd units, and Kubernetes-style runtime flags.

Prebuilt binaries

Cross-platform release archives are attached to every GitHub release. Targets:

| Platform | Archive |
|---|---|
| Linux x86_64 (glibc) | rsigma-x86_64-unknown-linux-gnu.tar.gz |
| Linux arm64 (glibc) | rsigma-aarch64-unknown-linux-gnu.tar.gz |
| macOS x86_64 | rsigma-x86_64-apple-darwin.tar.gz |
| macOS arm64 | rsigma-aarch64-apple-darwin.tar.gz |
| Windows x86_64 | rsigma-x86_64-pc-windows-msvc.zip |
| Windows arm64 | rsigma-aarch64-pc-windows-msvc.zip |

Every archive ships with a SLSA build provenance attestation generated by actions/attest-build-provenance. Verify with the GitHub CLI:

gh attestation verify rsigma-x86_64-unknown-linux-gnu.tar.gz --repo timescale/rsigma

Cosign keyless signatures live on the GHCR Docker image (see Docker deployment); archives use SLSA attestations instead.

# Linux/macOS, swap the URL for your target
curl -fsSL -o rsigma.tar.gz \
  https://github.com/timescale/rsigma/releases/download/v0.12.0/rsigma-x86_64-unknown-linux-gnu.tar.gz
tar -xzf rsigma.tar.gz
sudo install -m 0755 rsigma /usr/local/bin/rsigma
rsigma --version
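
The download and attestation steps above can be chained so that nothing is installed unless verification succeeds. This is an added example, not part of the RSigma documentation: the function names rsigma_archive and rsigma_install are hypothetical, and it assumes curl and the GitHub CLI are installed and that the binary sits at the archive root, as the commands above imply.

```sh
#!/bin/sh
# Added example (not from the RSigma docs): fail-closed install of a release archive.
VERSION="0.12.0"          # release shown on this page
REPO="timescale/rsigma"   # repository shown on this page

# Map `uname -s` / `uname -m` output to an archive name from the table above.
# Only the Linux and macOS tarballs are covered; Windows ships .zip archives.
rsigma_archive() {
  case "$2" in
    x86_64|amd64)  cpu=x86_64 ;;
    arm64|aarch64) cpu=aarch64 ;;
    *) return 1 ;;
  esac
  case "$1" in
    Linux)  echo "rsigma-${cpu}-unknown-linux-gnu.tar.gz" ;;
    Darwin) echo "rsigma-${cpu}-apple-darwin.tar.gz" ;;
    *) return 1 ;;
  esac
}

# Download into a scratch directory, verify provenance, and only then unpack
# and install. The && chain stops at the first failing step, so an archive
# that fails `gh attestation verify` is never extracted or copied into PATH.
rsigma_install() {
  archive=$(rsigma_archive "$(uname -s)" "$(uname -m)") || {
    echo "no prebuilt archive for this platform" >&2
    return 1
  }
  workdir=$(mktemp -d) || return 1
  rc=0
  (
    cd "$workdir" &&
    curl -fsSL -o "$archive" \
      "https://github.com/$REPO/releases/download/v$VERSION/$archive" &&
    gh attestation verify "$archive" --repo "$REPO" &&
    tar -xzf "$archive" &&
    sudo install -m 0755 rsigma /usr/local/bin/rsigma
  ) || rc=$?
  rm -rf "$workdir"
  return "$rc"
}

# Usage: rsigma_install && rsigma --version
```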

Build from source

For development, custom feature flags, or platforms not covered by prebuilt archives.

git clone https://github.com/timescale/rsigma.git
cd rsigma
cargo build --release --all-features --workspace
./target/release/rsigma --help

A workspace build produces every binary: the CLI (target/release/rsigma) and the LSP server (target/release/rsigma-lsp). See the contributing guide for the full developer workflow.

Verify the install

rsigma --version
rsigma --help

You should see rsigma 0.12.0 and a list of the top-level command groups (engine, rule, backend, pipeline).

Next steps

Platform notes

  • Linux: archives are glibc-linked and target Ubuntu 22.04's glibc baseline. They run on any distribution with a comparable or newer glibc. For Alpine or other musl-only environments, prefer the GHCR Docker image, build from source with cargo build --target x86_64-unknown-linux-musl, or open an issue if you need official musl binaries.
  • macOS: the aarch64-apple-darwin archive targets Apple Silicon (M1+). On older Intel Macs use the x86_64 archive.
  • Windows: the daemon's NATS and OTLP features rely on tokio and tonic and are fully supported on Windows. File watching for hot-reload uses the native ReadDirectoryChangesW API.
  • Alpine/scratch containers: prefer the GHCR image, which is built on a minimal glibc base and is fully self-contained.