rockfish report
The reporting service — generates HTML dashboards, serves them over HTTP, and manages compact/prune operations.
Overview
rockfish report runs as a separate service from rockfish sigma. It reads Parquet data produced by the SIGMA engine and generates a static HTML dashboard that can be served over HTTP.
It combines:
- HTML report generation — continuous, regenerates every 10 minutes (configurable)
- HTTP server — serves reports via --serve
- Compact — merges small Parquet files hourly
- Prune — removes old Parquet files daily (90-day retention)
- Insight — AI-generated security assessment (daily, requires ANTHROPIC_API_KEY)
Usage
rockfish report \
--data-dir /var/lib/rockfish/parquet \
--sensor fmadio20p3-798-ubuntu22 \
--hive \
--output-dir /var/lib/rockfish/reports \
--continuous \
--interval-minutes 10 \
--serve --port 8080 \
--license /opt/rockfish/etc/rockfish_license.json
Systemd Service
[Unit]
Description=Rockfish NDR — Reporting Service
After=network.target rockfish.service
[Service]
Type=simple
User=rockfish
Group=rockfish
ExecStart=/opt/rockfish/bin/rockfish report \
--data-dir /var/lib/rockfish/parquet \
--sensor fmadio20p3-798-ubuntu22 \
--hive \
--output-dir /var/lib/rockfish/reports \
--continuous \
--interval-minutes 10 \
--serve --port 8080 \
--license /opt/rockfish/etc/rockfish_license.json
Restart=on-failure
[Install]
WantedBy=multi-user.target
Background Threads
| Thread | Schedule | Description |
|---|---|---|
| Report | Every 10 min | Regenerates HTML dashboard |
| HTTP | Always on | Serves reports on configured port |
| Compact | Hourly | Merges small Parquet files |
| Prune | Daily (midnight UTC) | Deletes files older than 90 days |
Insight (AI Assessment)
When ANTHROPIC_API_KEY is set, the report generates an AI-powered security assessment once per day.
- ANTHROPIC_API_KEY — required
- ANTHROPIC_MODEL — default: claude-haiku-4-5-20251001
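An added example (not from the Rockfish project) of a systemd drop-in that supplies ANTHROPIC_API_KEY to the service unit shown above without placing it on the ExecStart line, and that restricts the service's writable paths to the two directories the background threads actually modify. The unit name rockfish-report.service and the file /etc/rockfish/report.env are assumptions.

```ini
# /etc/systemd/system/rockfish-report.service.d/override.conf  (assumed unit name)
[Service]
# The key is read from a root-owned file (mode 0640, group rockfish) rather than
# from ExecStart, so it does not show up in `ps` output or the journal.
# Assumed file /etc/rockfish/report.env contains one line: ANTHROPIC_API_KEY=...
EnvironmentFile=/etc/rockfish/report.env
# Mount the filesystem read-only except for --output-dir (regenerated HTML) and
# --data-dir, which the Compact thread rewrites and the Prune thread deletes from.
# The license file under /opt/rockfish/etc is only read, so it stays read-only.
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/lib/rockfish/reports /var/lib/rockfish/parquet
PrivateTmp=true
NoNewPrivileges=true
```

Apply with `systemctl daemon-reload` followed by a restart of the unit; if either directory is missed in ReadWritePaths the Report, Compact or Prune thread fails on its next scheduled run.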
Overview
The report command produces interactive HTML dashboards with Chart.js and D3.js visualizations — no web server required. Reports include 12+ pages covering alerts, threats, DNS, TLS, flows, hosts, network topology, asset inventory, and hunt findings.
Usage
rockfish report [OPTIONS]
Report Pages
| Page | Highlights |
|---|---|
| Overview | Traffic volume, hourly charts, event counts, top talkers, protocol breakdown |
| Alerts | Severity timeline, top signatures, alerted hosts, MITRE ATT&CK mapping |
| Findings | Hunt detection results by severity and type, evidence table |
| Threats | IP reputation, beaconing, large transfers, DGA, DNS tunneling, port scans |
| DNS | Top domains, response codes (NOERROR, NXDOMAIN, SERVFAIL), DGA indicators |
| TLS | Version distribution, SNI hostnames, JA3 fingerprints, self-signed certs |
| Applications | Protocol distribution, hourly stacked charts, top HTTP hosts |
| Flows | Volume and direction, destination ports, top countries (GeoIP) |
| Hosts | Top alerted hosts, top talkers by flow count and volume |
| Network | Force-directed graph with IP/24/16 aggregation, threat and anomaly overlays |
| Inventory | Passive device discovery, device roles, OT protocol summary |
| Query | Conversational AI interface (requires rockfish chat) |
Visualization Features
- World Map — Leaflet.js with country-level flow, alert, and reputation overlays
- Network Graph — D3.js force-directed topology with Flows/Alerts/Hunt toggle layers, including anomaly (iForest/HBOS) findings overlay
- Heat-Mapped Tables — Gradient backgrounds for volume, severity, and scores
- Collapsible Tables — Expand/collapse with JSON export
- Severity Colors — Consistent palette: critical (red) through info (blue)
Options
| Option | Default | Description |
|---|---|---|
| -d, --data-dir | ./output | Data directory with Parquet files |
| --sensor | sensor | Sensor name subdirectory |
| --hive | — | Enable hive-style partitioning |
| -o, --output-dir | ./report | Output directory for HTML |
| -t, --time-window | 24 hours | Time window filter |
| --theme | — | YAML theme configuration |
| --custom-css | — | Custom CSS file path |
| --continuous | — | Regenerate on schedule |
| --interval-minutes | 5 | Minutes between regenerations |
Theming
Customize report appearance with a YAML theme file:
# theme.yaml
background: "#0d1117"
surface: "#161b22"
text: "#e6edf3"
text_heading: "#ffffff"
accent: "#1a73e8"
rockfish report -d /data --sensor my-sensor --theme theme.yaml
See theme.yaml.example for all available options.
Custom Logo
Replace the default Rockfish logo with your own branding. Requires Standard or Enterprise license.
# theme.yaml
logo_path: "/path/to/your-logo.png"
| Property | Value |
|---|---|
| Formats | PNG, JPEG |
| Recommended size | 200 x 36 pixels |
| Display height | 36px (width scales proportionally) |
The logo appears in the header bar of every report page.
Demo Mode
Generate a report with synthetic data to showcase all features:
rockfish report --demo -o ./demo-report
Demo mode is available on all license tiers.
Continuous Mode
# Regenerate every 5 minutes (default)
rockfish report -d /data --sensor my-sensor --hive --continuous
# Regenerate every 15 minutes
rockfish report -d /data --sensor my-sensor --hive \
--continuous --interval-minutes 15
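A staleness check for a dashboard running in continuous mode, added here as an example and not part of rockfish: it compares the age of the generated entry page against the configured --interval-minutes so a monitor can tell a hung Report thread from a working one. It assumes the dashboard's entry page is written as index.html inside --output-dir.

```shell
#!/bin/sh
# Added example (not rockfish code): verify a continuous-mode report is still
# being regenerated. Assumes the entry page is <output-dir>/index.html.
# Usage: report_is_fresh OUTPUT_DIR INTERVAL_MINUTES
# Exit codes: 0 fresh, 1 stale (older than 2x interval), 2 entry page missing.
report_is_fresh() {
  dir="$1"
  interval="$2"
  page="$dir/index.html"
  [ -f "$page" ] || return 2
  now=$(date +%s)
  # GNU stat first, BSD/macOS stat as the fallback
  mtime=$(stat -c %Y "$page" 2>/dev/null || stat -f %m "$page")
  age_min=$(( (now - mtime) / 60 ))
  # Tolerate one missed cycle before declaring the dashboard stale
  [ "$age_min" -le $(( interval * 2 )) ]
}

# Standalone use: report_is_fresh /var/lib/rockfish/reports 10
if [ -n "${1:-}" ]; then
  report_is_fresh "$1" "${2:-10}"
  exit $?
fi
```

Wire the exit code into whatever monitoring already watches the host; exit 2 means the Report thread never wrote the page (or --output-dir is wrong), exit 1 means it wrote once and then stopped.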
Examples
# 24-hour report
rockfish report -d /data/rockfish --sensor prod-01 --hive \
-o /var/www/html/ndr
# 7-day report with custom theme
rockfish report -d /data --sensor prod-01 --hive \
-t "7 days" --theme /etc/rockfish/theme.yaml
# Continuous regeneration for live dashboard
rockfish report -d /data --sensor prod-01 --hive \
--continuous --interval-minutes 10 -o /var/www/html/ndr