Provided by: fever_1.3.5-1ubuntu0.24.04.3_amd64

NAME

       fever-run - start FEVER service

SYNOPSIS

       fever run [flags]

DESCRIPTION

       The  'run' command starts the FEVER service, consuming events from the input and executing all processing
       components.

OPTIONS

       --active-rdns[=false]      enable active rDNS enrichment for src/dst IPs

       --active-rdns-cache-expiry=2m0s      cache expiry interval for rDNS lookups

       --active-rdns-private-only[=false]      only do active rDNS enrichment for RFC1918 IPs

       --bloom-alert-prefix="BLF"      String prefix for Bloom filter alerts

       --bloom-blacklist-iocs=[/,/index.htm,/index.html]      Strings that must not match the Bloom filter (a
       filter that contains any of them is rejected)

       -b, --bloom-file=""      Bloom filter for external indicator screening

       -z, --bloom-zipped[=false]      use gzipped Bloom filter file

       -c, --chunksize=50000      chunk size for batched event handling (e.g. inserts)

       --context-cache-timeout=1h0m0s      time for flow metadata to be kept for uncompleted flows

       --context-enable[=false]      collect and forward flow context for alerted flows

       --context-submission-exchange="context"      Exchange to which flow context events will be submitted

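       --context-submission-url="amqp://guest:guest@localhost:5672/"      URL to which flow context will be
       submitted. The default targets a broker on localhost with the stock guest:guest account; set a URL with
       dedicated credentials for any other broker. The same applies to the other *-submission-url options.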

       -d, --db-database="events"      name of the database

       --db-enable[=false]      write events to database

       -s, --db-host="localhost:5432"      database host

       --db-maxtablesize=500      Maximum allowed cumulative table size in GB

       -m, --db-mongo[=false]      use MongoDB

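       -p, --db-password="sensor"      database password (the default is a fixed, publicly documented value;
       a password passed as a flag is visible to other local users in the process list)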

       --db-rotate=1h0m0s      time interval for database table rotations

       -u, --db-user="sensor"      database user

       --dummy[=false]      log locally instead of sending home

       --flowextract-bloom-selector=""      IP address Bloom filter to select flows to extract

       --flowextract-enable[=false]      extract and forward flow metadata

       --flowextract-submission-exchange="flows"      Exchange to which raw flow events will be submitted

       --flowextract-submission-url="amqp://guest:guest@localhost:5672/"      URL to which raw flow events  will
       be submitted

       -n, --flowreport-interval=0s      time interval for report submissions

       --flowreport-nocompress[=false]      send uncompressed flow reports (default is gzip)

       --flowreport-submission-exchange="aggregations"      Exchange to which flow reports will be submitted

       --flowreport-submission-url="amqp://guest:guest@localhost:5672/"       URL  to which flow reports will be
       submitted

       --flushcount=100000      maximum number of events in one batch (e.g. for flow extraction)

       -f, --flushtime=1m0s      time interval for event aggregation

       -T, --fwd-all-types[=false]      forward all event types

       -t, --fwd-event-types=[alert,stats]      event types to forward to socket

       --heartbeat-enable[=false]      Forward HTTP heartbeat event

       --heartbeat-times=[]      Times of day to send heartbeat (list of 24h HH:MM strings)

       -h, --help[=false]      help for run

       --in-buffer-drop[=true]      drop incoming events on FEVER side instead of blocking the input socket

       --in-buffer-length=500000      input buffer length (counted in EVE objects)

       -r, --in-redis=""      Redis input server (assumes the list key "suricata"; connects without a password)

       --in-redis-nopipe[=false]      do not use Redis pipelining

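       -i, --in-socket="/tmp/suri.sock"      filename of input socket (accepts EVE JSON). The default is in
       /tmp, which is typically writable by all local users; a directory restricted to the producing and
       consuming service accounts is the safer choice for this and the other socket paths (--out-socket,
       --mgmt-socket).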

       --ip-alert-prefix="IP-BLACKLIST"      String prefix for IP blacklist alerts

       --ip-blacklist=""      List with IP ranges to alert on

       --logfile=""      Path to log file

       --logjson[=false]      Output logs in JSON format

       --metrics-enable[=false]      submit performance metrics to central sink

       --metrics-submission-exchange="metrics"      Exchange to which metrics will be submitted

       --metrics-submission-url="amqp://guest:guest@localhost:5672/"      URL to which metrics will be submitted

       -o, --out-socket="/tmp/suri-forward.sock"       path  to  output  socket  (to  forwarder),  empty  string
       disables forwarding

       --pdns-enable[=false]      collect and forward aggregated passive DNS data

       --pdns-submission-exchange="pdns"      Exchange to which passive DNS events will be submitted

       --pdns-submission-url="amqp://guest:guest@localhost:5672/"       URL  to which passive DNS events will be
       submitted

       --profile=""      enable runtime profiling to given file

       --reconnect-retries=0      number of retries connecting to socket or sink, 0 = no retry limit

       --toolname="fever"      set toolname

       -v, --verbose[=false]      enable verbose logging (debug log level)

OPTIONS INHERITED FROM PARENT COMMANDS

       --config=""      config file (default is $HOME/.fever.yaml)

       --mgmt-host=""      hostname:port definition for management server

       --mgmt-network="tcp"      network (tcp/udp) definition for management server

       --mgmt-socket="/tmp/fever-mgmt.sock"      Socket path for management server

SEE ALSO

       fever(1)

FEVER                                               Jul 2025                                        FEVER-RUN(1)