Add CRE-2026 log-based rules for popular Kubernetes OSS projects (#167)

Co-authored-by: Tony Meehan <tonymeehan@users.noreply.github.com>

Author: tonymeehan

rules/cre-2026-0001/0001-elasticsearch-master-not-discovered-cluster-formation-failur.yaml

@@ -0,0 +1,35 @@
+rules:
+  - cre:
+      id: CRE-2026-0001
+      severity: 1
+      title: "Elasticsearch master not discovered / cluster formation failure"
+      category: kubernetes-problem
+      author: Prequel (draft)
+      description: |
+        Draft rule for Elasticsearch/Kibana reliability issues (logs-first).
+      cause: |
+        See references.
+      impact: |
+        Reliability degradation or outage symptoms.
+      impactScore: 6
+      tags:
+        - public
+        - kubernetes
+      mitigation: |
+        Follow upstream guidance; validate in your environment.
+      mitigationScore: 6
+      references:
+        - https://www.elastic.co/guide/en/elasticsearch/reference/current/discovery-troubleshooting.html
+      applications:
+        - name: elastic
+          version: "*"
+    metadata:
+      kind: prequel
+      id: FXwiLMB7hjrZHJjGSpDdW8
+      gen: 1
+    rule:
+      set:
+        event:
+          source: cre.log.elasticsearch
+        match:
+          - value: "master not discovered yet"

rules/cre-2026-0001/test.log

@@ -0,0 +1 @@
+2026-01-01 00:00:00.000000+00:00 master not discovered yet

rules/cre-2026-0002/0002-elasticsearch-disk-watermark-triggered-flood-stage-read-only.yaml

@@ -0,0 +1,35 @@
+rules:
+  - cre:
+      id: CRE-2026-0002
+      severity: 1
+      title: "Elasticsearch disk watermark triggered (flood-stage / read-only indices)"
+      category: kubernetes-problem
+      author: Prequel (draft)
+      description: |
+        Draft rule for Elasticsearch/Kibana reliability issues (logs-first).
+      cause: |
+        See references.
+      impact: |
+        Reliability degradation or outage symptoms.
+      impactScore: 6
+      tags:
+        - public
+        - kubernetes
+      mitigation: |
+        Follow upstream guidance; validate in your environment.
+      mitigationScore: 6
+      references:
+        - https://www.elastic.co/guide/en/elasticsearch/reference/current/fix-watermark-errors.html
+      applications:
+        - name: elastic
+          version: "*"
+    metadata:
+      kind: prequel
+      id: f2aKPd2GJJayyy1PuCwhuo
+      gen: 1
+    rule:
+      set:
+        event:
+          source: cre.log.elasticsearch
+        match:
+          - value: "flood stage disk watermark [95%] exceeded"

rules/cre-2026-0002/test.log

@@ -0,0 +1 @@
+2026-01-01 00:00:00.000000+00:00 flood stage disk watermark [95%] exceeded

rules/cre-2026-0003/0003-elasticsearch-circuit-breaker-exceptions-memory-pressure.yaml

@@ -0,0 +1,35 @@
+rules:
+  - cre:
+      id: CRE-2026-0003
+      severity: 1
+      title: "Elasticsearch circuit breaker exceptions (memory pressure)"
+      category: kubernetes-problem
+      author: Prequel (draft)
+      description: |
+        Draft rule for Elasticsearch/Kibana reliability issues (logs-first).
+      cause: |
+        See references.
+      impact: |
+        Reliability degradation or outage symptoms.
+      impactScore: 6
+      tags:
+        - public
+        - kubernetes
+      mitigation: |
+        Follow upstream guidance; validate in your environment.
+      mitigationScore: 6
+      references:
+        - https://www.elastic.co/guide/en/elasticsearch/reference/current/circuit-breaker.html
+      applications:
+        - name: elastic
+          version: "*"
+    metadata:
+      kind: prequel
+      id: EhpzTiganXBWNGAYV8WH2n
+      gen: 1
+    rule:
+      set:
+        event:
+          source: cre.log.elasticsearch
+        match:
+          - value: "CircuitBreakingException: Data too large"

rules/cre-2026-0003/test.log

@@ -0,0 +1 @@
+2026-01-01 00:00:00.000000+00:00 CircuitBreakingException: Data too large

rules/cre-2026-0004/0004-elasticsearch-jvm-gc-overhead-stop-the-world-pressure.yaml

@@ -0,0 +1,35 @@
+rules:
+  - cre:
+      id: CRE-2026-0004
+      severity: 1
+      title: "Elasticsearch JVM GC overhead / stop-the-world pressure"
+      category: kubernetes-problem
+      author: Prequel (draft)
+      description: |
+        Draft rule for Elasticsearch/Kibana reliability issues (logs-first).
+      cause: |
+        See references.
+      impact: |
+        Reliability degradation or outage symptoms.
+      impactScore: 6
+      tags:
+        - public
+        - kubernetes
+      mitigation: |
+        Follow upstream guidance; validate in your environment.
+      mitigationScore: 6
+      references:
+        - https://www.elastic.co/guide/en/elasticsearch/reference/current/high-jvm-memory-pressure.html
+      applications:
+        - name: elastic
+          version: "*"
+    metadata:
+      kind: prequel
+      id: 5LxjgSuYertf6AqPrB7rEo
+      gen: 1
+    rule:
+      set:
+        event:
+          source: cre.log.elasticsearch
+        match:
+          - value: "JvmGcMonitorService] [gc] overhead"

rules/cre-2026-0004/test.log

@@ -0,0 +1 @@
+2026-01-01 00:00:00.000000+00:00 JvmGcMonitorService] [gc] overhead

rules/cre-2026-0005/0005-elasticsearch-shard-allocation-failures-unassigned-shards.yaml

@@ -0,0 +1,35 @@
+rules:
+  - cre:
+      id: CRE-2026-0005
+      severity: 1
+      title: "Elasticsearch shard allocation failures / unassigned shards"
+      category: kubernetes-problem
+      author: Prequel (draft)
+      description: |
+        Draft rule for Elasticsearch/Kibana reliability issues (logs-first).
+      cause: |
+        See references.
+      impact: |
+        Reliability degradation or outage symptoms.
+      impactScore: 6
+      tags:
+        - public
+        - kubernetes
+      mitigation: |
+        Follow upstream guidance; validate in your environment.
+      mitigationScore: 6
+      references:
+        - https://www.elastic.co/guide/en/elasticsearch/reference/current/cluster-allocation-explain.html
+      applications:
+        - name: elastic
+          version: "*"
+    metadata:
+      kind: prequel
+      id: 35AcquPYNCwxfSGkR9Wq5E
+      gen: 1
+    rule:
+      set:
+        event:
+          source: cre.log.elasticsearch
+        match:
+          - value: "unassigned shards"

rules/cre-2026-0005/test.log

@@ -0,0 +1 @@
+2026-01-01 00:00:00.000000+00:00 unassigned shards