Environment Variables🔗
rsigma reads two parallel families of environment variables in addition to its CLI flags:
- Legacy single-underscore names bound to specific clap flags (
NATS_CREDS,RSIGMA_CONSUMER_GROUP,RSIGMA_TLS_KEY_PASSWORD, …). These are how secrets stay out of process tables and shell history. - Uniform
RSIGMA_<SECTION>__<KEY>names that mirror every non-secret config-file key, using__as the nesting separator. See Configuration for the full scheme and examples.
Every variable here has a corresponding --flag that takes precedence.
Variables🔗
| Variable | Type | Default | Subcommand(s) | Effect |
|---|---|---|---|---|
RUST_LOG | tracing-subscriber filter directive | info | All (always for engine daemon; otherwise only when --log-format is set) | Controls verbosity of structured diagnostic logs on stderr. See Observability for the target catalog. |
NO_COLOR | 0/1 (presence-only) | unset | All subcommands that emit colored stdout/stderr | Disables ANSI colors when --color auto. Follows the NO_COLOR convention. |
RSIGMA_GLOBAL__OUTPUT_FORMAT | json/ndjson/table/csv/tsv | unset | All | Default value for --output-format. See Output Formats. |
RSIGMA_GLOBAL__COLOR | auto/always/never | unset | All | Default value for --color. |
XDG_CONFIG_HOME | path | ~/.config | All | Honoured when locating the user config ($XDG_CONFIG_HOME/rsigma/config.yaml). See Configuration discovery. |
RSIGMA_<SECTION>__<KEY> | YAML scalar | unset | engine daemon, engine eval | Uniform env layer for non-secret config keys (e.g. RSIGMA_DAEMON__API__ADDR, RSIGMA_GLOBAL__LOG_FORMAT). See Configuration: environment layer. |
RSIGMA_CONSUMER_GROUP | string | unset | engine daemon with --input nats:// | NATS JetStream consumer group name. Equivalent to --consumer-group. Multiple daemons sharing the same group name load-balance across a single durable pull consumer. |
RSIGMA_TLS_KEY_PASSWORD | string | unset | engine daemon with --tls-key | Password for an encrypted TLS key. Currently rejected at startup; reserved for a future release. |
NATS_CREDS | path to .creds file | unset | engine daemon with NATS source or sink | NATS credentials file (JWT + NKey). Equivalent to --nats-creds. |
NATS_TOKEN | string | unset | same | NATS authentication token. Equivalent to --nats-token. |
NATS_USER | string | unset | same | NATS username (requires NATS_PASSWORD). Equivalent to --nats-user. |
NATS_PASSWORD | string | unset | same | NATS password (requires NATS_USER). Equivalent to --nats-password. |
NATS_NKEY | NKey seed | unset | same | NATS NKey seed authentication. Equivalent to --nats-nkey. |
The five NATS auth variables are mutually exclusive. The first configured method wins, in the order listed in --nats-* flag definition. See NATS Streaming: authentication.
Precedence🔗
CLI flags always take precedence. Concretely:
NATS_TOKEN=foo rsigma engine daemon -r rules/ \
--input "nats://nats.internal:4222/events.>" \
--nats-token bar
uses bar, not foo. The env var is convenient for not putting the token in ps aux or shell history; the flag is the override.
Variables NOT read by rsigma🔗
Common variables that rsigma does NOT consume, in case operators are wondering why setting them has no effect:
SIGMA_RULES_DIR,RSIGMA_RULES: not implemented. Use--ruleson the command line ordaemon.rules/eval.rulesin a config file (or set the correspondingRSIGMA_DAEMON__RULES/RSIGMA_EVAL__RULES).OTEL_EXPORTER_OTLP_*: rsigma is an OTLP receiver, not an exporter. These env vars apply to the agent publishing logs into rsigma (see OTLP Integration), not to rsigma itself.PROMETHEUS_*: the daemon exposes/metricson--api-addr; no client-side env vars are involved.
See also🔗
- NATS Streaming: authentication for the auth-method semantics and TLS flags.
- Observability for the canonical
RUST_LOGtarget list and useful filter recipes. engine daemonCLI reference for the matching--flagversions of every variable.