Skip to main content

Quick Introduction

Prequel rules leverage distributed sequencing, correlations, and negative conditions to describe distributed and asynchronous reliability problems. They are expressed with simple Yaml objects.

A rule describes a network (or tree) of conditions that must be true across one or more data source. A data source can be anything as long as it has a timestamp. Data sources can be located on one machine or distributed across many machines. Rules execute on the machines containing the data. Raw data does not leave the machine.

Expressions are either a sequence or set of conditions:

  • sequence - A, followed by B, followed by C
  • set - A, B, and C (in any order)

Expressions describe:

  • one or more conditions that must be true (positive conditions)
  • zero, one or more conditions that must not be true (negative conditions)

Expressions can be nested (e.g. a set of sequences).

Conditions can be literal values, such as a string, a jq query for structured JSON or Yaml data, or an RE-2 regular expression that will match a pattern in the data source. Conditions can also be a match from another set or sequence of separate conditions on a different data source nested in the rule expression.

Unless the rule contains a single condition, expressions with two or more conditions must provide a window of time in which the conditions should or should not occur. Negative conditions may also provide a window of time in which they must not occur. Negative condition windows describe the time before, during, or after the positive conditions in the same expression.

A correlation on two or more conditions may be used to test whether the conditions share attributes in common. For example, correlations on conditions by host evaluate to true only when all conditions occur on the same machine.

Example: Detecting CRE-2024-007

The following rule describes:

  • A sequence of events that must occur in this specific order in a single abstract data source (more on this later)
  • 11 positive conditions that must occur in order within 30 seconds of each other
  • A single negative condition that must not occur between the first and last positive condition in the sequence
yaml
rule:
  sequence:
    window: 30s
    event:
      source: rabbitmq
    order:
      - regex: Discarding message(.+)in an old incarnation(.+)of this node
        count: 10
      - Mnesia is overloaded
    negate:
      - SIGTERM received - shutting down
info

Try this example the playground.