RQL

Repository Website

Tech Stack

TypeScript
Published: at 01:00 PM

RQL (Ruhis Query Language) is a query language designed for querying security logs. It was initially designed to be used in Vanguard, but I decided to make it a separate project because I thought it could be useful for other projects as well. RQL is heavily inspired by KQL and XQL. It is written in TypeScript, is available as the npm package @ruhisfi/rql, and its source code is available on GitHub.

RQL can be used to query and filter large amounts of data from almost any data source. It is designed to be easy to use and to have a very simple syntax. Here is an example of a query that could be used to fetch the 100 most recent logs from a specific IP range:

dataset = fw_traffic_raw
| filter src_ip incidr 192.168.1.0/24
| fields _time, src_ip, dst_ip, dst_port
| sort _time desc
| limit 100
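
What each stage of that query does, written out as plain TypeScript over constructed records. This is an added illustration, not RQL's implementation or API; the names ipv4ToInt, inCidr, runExample, LogRow and SAMPLE are hypothetical, and the `action` field is an assumed extra column used to show what `fields` drops.

```typescript
// Added illustration: not RQL's implementation or API. All names are hypothetical.
type LogRow = { _time: number; src_ip: string; dst_ip: string; dst_port: number; action: string };

// Convert a dotted-quad IPv4 address to an unsigned 32-bit integer; reject malformed input.
function ipv4ToInt(ip: string): number {
  const parts = ip.split(".");
  if (parts.length !== 4) throw new Error(`not an IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`bad octet in ${ip}`);
    return acc * 256 + Number(p);
  }, 0);
}

// `incidr`: true when ip falls inside the network described by cidr (e.g. 192.168.1.0/24).
function inCidr(ip: string, cidr: string): boolean {
  const slash = cidr.indexOf("/");
  const prefix = cidr.slice(slash + 1);
  if (slash < 0 || !/^\d{1,2}$/.test(prefix) || Number(prefix) > 32) {
    throw new Error(`bad CIDR: ${cidr}`);
  }
  const bits = Number(prefix);
  // /0 is special-cased: a 32-bit shift count wraps to 0 in JavaScript.
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  const net = ipv4ToInt(cidr.slice(0, slash));
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((net & mask) >>> 0);
}

// Constructed sample rows standing in for the fw_traffic_raw dataset.
const SAMPLE: LogRow[] = [
  { _time: 1700000300, src_ip: "192.168.1.17", dst_ip: "10.0.0.5", dst_port: 443, action: "allow" },
  { _time: 1700000100, src_ip: "192.168.2.9", dst_ip: "10.0.0.5", dst_port: 22, action: "deny" },
  { _time: 1700000500, src_ip: "192.168.1.254", dst_ip: "10.0.0.8", dst_port: 3389, action: "deny" },
  { _time: 1700000200, src_ip: "192.168.10.1", dst_ip: "10.0.0.8", dst_port: 53, action: "allow" },
];

// The page's query, stage by stage: filter -> fields -> sort -> limit.
// 192.168.10.1 is excluded: the match is on network bits, not on the string prefix "192.168.1".
function runExample(rows: LogRow[], cidr: string, limit: number) {
  return rows
    .filter((r) => inCidr(r.src_ip, cidr))                                              // | filter src_ip incidr <cidr>
    .map(({ _time, src_ip, dst_ip, dst_port }) => ({ _time, src_ip, dst_ip, dst_port })) // | fields ...
    .sort((a, b) => b._time - a._time)                                                  // | sort _time desc
    .slice(0, limit);                                                                   // | limit <n>
}
```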

Screenshot of the npm package

Quality assurance, testing and documentation

RQL has a comprehensive test suite that covers all of the query validation and execution logic. Because RQL is used in critical systems, it is important to ensure that it works as expected.

RQL syntax is very simple and easy to understand, but it also has comprehensive documentation that covers all of the features. The documentation is available on the GitHub page.