Rulesets

Rulesets are collections of rules and alerts used to detect specific patterns or events in your data. They are configured via TOML files stored in the extra directory (/var/lib/crystalline/extra by default).

Directory Structure

Rulesets follow a specific directory structure within the extra directory:

extra/
└── rulesets/
    └── <ruleset_name>/
        ├── rules/
        │   └── *.toml          # Rule definitions
        └── alerts.toml         # Alert definitions

For example:

extra/
└── rulesets/
    └── web_monitor/
        ├── rules/
        │   ├── nginx_errors.toml
        │   └── auth_failures.toml
        └── alerts.toml

The <ruleset_name> becomes the name identifier for all rules and alerts within that group. All rules share access to the same set of alerts defined in the corresponding alerts.toml file.

Loading and Management

Crystalline automatically scans the rulesets directory on startup and monitors it for changes. When files change, the system updates its internal state accordingly.

Each ruleset is identified by its directory name (e.g., web_monitor), and all .toml rule files within the rules/ subdirectory belong to that ruleset. The alerts.toml file defines the alert targets available to those rules.
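The layout and loading behaviour described above can be exercised with a small discovery script. The following is an added example, not Crystalline's own loader: it walks an extra directory, groups every rules/*.toml file under its ruleset's directory name, records which alerts.toml each ruleset resolves to, and flags a ruleset that has no alerts.toml (its rules would have no alert targets). It goes slightly beyond the text by also taking a file snapshot and diffing two snapshots, which is the minimum a change monitor needs to decide what to reload. All names (discover_rulesets, snapshot, diff_snapshots, the broken_set ruleset and the placeholder file bodies) are assumptions constructed for the demo; the TOML contents are placeholders, since this page does not define the rule or alert schema.

```python
"""Discover rulesets laid out as extra/rulesets/<name>/{rules/*.toml, alerts.toml}.

Added example; it is not Crystalline's loader and only mirrors the directory
conventions documented on this page.
"""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


@dataclass
class Ruleset:
    name: str                                   # directory name, e.g. "web_monitor"
    rule_files: list[Path] = field(default_factory=list)
    alerts_file: Path | None = None             # the ruleset's alerts.toml, if present
    problems: list[str] = field(default_factory=list)


def discover_rulesets(extra_dir: Path) -> dict[str, Ruleset]:
    """Map each <ruleset_name> directory to its rule files and alert definitions."""
    root = extra_dir / "rulesets"
    found: dict[str, Ruleset] = {}
    if not root.is_dir():
        return found
    for entry in sorted(root.iterdir()):
        if not entry.is_dir():
            continue  # loose files directly under rulesets/ are not rulesets
        rs = Ruleset(name=entry.name)
        rules_dir = entry / "rules"
        if rules_dir.is_dir():
            files = sorted(p for p in rules_dir.iterdir() if p.is_file())
            rs.rule_files = [p for p in files if p.suffix == ".toml"]
            stray = [p.name for p in files if p.suffix != ".toml"]
            if stray:
                rs.problems.append(f"non-.toml files ignored in rules/: {stray}")
        else:
            rs.problems.append("missing rules/ directory")
        alerts = entry / "alerts.toml"
        if alerts.is_file():
            rs.alerts_file = alerts
        else:
            rs.problems.append("missing alerts.toml: rules have no alert targets")
        found[entry.name] = rs
    return found


def snapshot(extra_dir: Path) -> dict[str, int]:
    """Relative path -> mtime (ns) for every file under rulesets/; the state a watcher compares."""
    root = extra_dir / "rulesets"
    state: dict[str, int] = {}
    if root.is_dir():
        for p in root.rglob("*"):
            if p.is_file():
                state[str(p.relative_to(root))] = p.stat().st_mtime_ns
    return state


def diff_snapshots(old: dict[str, int], new: dict[str, int]) -> dict[str, list[str]]:
    """Classify changes between two snapshots so only affected rulesets need reloading."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


def build_demo_tree() -> Path:
    """Constructed sample tree (assumption, not from the page): web_monitor mirrors the
    docs' example; broken_set deliberately lacks alerts.toml; README.txt is a loose file."""
    base = Path(tempfile.mkdtemp(prefix="crystalline_extra_"))
    files = {
        "rulesets/web_monitor/rules/nginx_errors.toml": "# placeholder rule body\n",
        "rulesets/web_monitor/rules/auth_failures.toml": "# placeholder rule body\n",
        "rulesets/web_monitor/alerts.toml": "# placeholder alert definitions\n",
        "rulesets/broken_set/rules/only_rule.toml": "# placeholder rule body\n",
        "rulesets/README.txt": "not a ruleset\n",
    }
    for rel, body in files.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return base


def demo() -> tuple[dict[str, Ruleset], dict[str, list[str]]]:
    """Discover the constructed tree, then simulate an operator adding a rule and editing alerts."""
    base = build_demo_tree()
    rulesets = discover_rulesets(base)
    before = snapshot(base)
    (base / "rulesets/web_monitor/rules/new_rule.toml").write_text("# added later\n")
    alerts = base / "rulesets/web_monitor/alerts.toml"
    st = alerts.stat()
    os.utime(alerts, ns=(st.st_atime_ns, st.st_mtime_ns + 10**9))  # bump mtime by 1 s
    changes = diff_snapshots(before, snapshot(base))
    return rulesets, changes


if __name__ == "__main__":
    found, changed = demo()
    for rs in found.values():
        print(rs.name, [p.name for p in rs.rule_files], rs.alerts_file is not None, rs.problems)
    print(changed)
```

Running the script lists web_monitor with its two rule files and a resolved alerts.toml, broken_set with a "missing alerts.toml" problem, and a change set containing one added rule file and one modified alerts file; a real loader would use the "modified"/"added" paths to decide which ruleset's rules or alerts to re-read.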