Getting Started¶

This guide gets Rustinel to first telemetry and first alert on both supported platforms.

Minimum Requirements¶

Windows¶

• Windows 10/11 or Server 2016+
• Administrator privileges
• Rust 1.92+ and Visual Studio Build Tools if building from source

Linux¶

• Linux kernel 5.8+ with BTF
• Root, or eBPF capabilities such as CAP_BPF or CAP_SYS_ADMIN
• tracefs available at /sys/kernel/tracing and debugfs available at /sys/kernel/debug
• Rust 1.92+ if building from source
• If ebpf/rustinel-ebpf.o is missing, nightly Rust, rust-src, and bpf-linker are also required for the first build

Quick Start¶

Download the package for your platform from GitHub Releases. The release archives already include config.toml, the bundled demo rules, and an empty logs/ directory.

Windows¶

1. Download rustinel-<version>-x86_64-pc-windows-msvc.zip.
2. Extract it.
3. Open an elevated PowerShell in the extracted directory.
4. Run .\rustinel.exe run --console.

Linux¶

Choose the archive that matches your target system:

• rustinel-<version>-x86_64-unknown-linux-musl.tar.gz
• rustinel-<version>-aarch64-unknown-linux-musl.tar.gz

Then extract and run it:

tar xzf rustinel-<version>-x86_64-unknown-linux-musl.tar.gz
cd rustinel-<version>-x86_64-unknown-linux-musl
sudo ./rustinel run

If startup fails with tracefs not found, mount the tracing filesystems and retry:

mount -t tracefs tracefs /sys/kernel/tracing
mount -t debugfs debugfs /sys/kernel/debug

Some minimal Linux environments, including some WSL 2 distros, may start without these filesystems mounted.

Compile From Source¶

Use this path if you want to build the binary yourself instead of using a published release.

Windows¶

git clone https://github.com/Karib0u/rustinel.git
cd rustinel
cargo build --release
.\target\release\rustinel.exe run --console

Linux¶

git clone https://github.com/Karib0u/rustinel.git
cd rustinel
cargo build --release
sudo ./target/release/rustinel run

Notes:

• Running rustinel with no subcommand is equivalent to rustinel run.
• On Linux, build.rs embeds ebpf/rustinel-ebpf.o when it already exists. If it does not exist, the build falls back to compiling the eBPF crate with nightly Rust.
• If startup fails with tracefs not found, mount the tracing filesystems and retry:

mount -t tracefs tracefs /sys/kernel/tracing
mount -t debugfs debugfs /sys/kernel/debug

Some minimal Linux environments, including some WSL 2 distros, may start without these filesystems mounted.

Verify First Alert¶

Windows Sigma Demo¶

1. Keep Rustinel running.
2. Execute:

whoami /all

1. Confirm an alert was written to logs\alerts.json.<date>.

The bundled rule is rules/sigma/windows_whoami.yml.

Linux Sigma Demo¶

1. Keep Rustinel running.
2. Execute:

whoami

1. Confirm an alert was written to logs/alerts.json.<date>.

The bundled rule is rules/sigma/linux_whoami.yml.

Cross-Platform YARA Demo¶

1. Keep Rustinel running.
2. Build the demo binary:

rustc ./examples/yara_demo.rs -o ./examples/yara_demo

On Windows:

rustc .\examples\yara_demo.rs -o .\examples\yara_demo.exe

1. Run the demo binary.
2. Confirm an alert references ExampleMarkerString in logs/alerts.json.<date>.

Verify Hot Reload¶

1. Keep Rustinel running.
2. Edit a Sigma, YARA, or IOC file.
3. Wait a few seconds.
4. Confirm the operational log reports a reload event.

Example on Windows:

Add-Content rules\sigma\windows_whoami.yml "`n# hot reload smoke test"

Example on Linux:

printf '\n# hot reload smoke test\n' >> rules/sigma/linux_whoami.yml

Next Steps¶

• Use Configuration to move rule paths, logs, and allowlists out of the default repo layout.
• Use Operations and Upgrade Guide for installation layout and update workflows.
• Use CLI Reference for service commands and runtime examples.