The Configuration File

The configuration file contains a list of rules. A rule might look like this:

    rule {
        syscall_name=unlink
        rule_name=second_unlink_rule
        when:before
        filter_expression {PARAMS[1] in ("passwd", "/etc/passwd")}
        action:LOG
    }

In addition, the logging format may be specified, like this:

    log_format {
        before {syscall: %pid[%comm]: %sid_%sname(%params) (r %ruleid)}
        after {syscall: %pid[%comm]: %sid_%sname(%params) = %retval (r %ruleid)}
    }
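To make the rule and log_format semantics concrete, the following is an added reference evaluator written for this page; it is not the tool's own parser and nothing about its internals is known here. It parses a constructed configuration in the format shown above, evaluates the filter expression against a constructed syscall event, and renders the matching log line from the before/after templates. Assumptions made in the code: PARAMS[n] is 1-based (PARAMS[1] is the first syscall argument), %ruleid is rendered as the rule_name, %params is rendered as a comma-separated list with strings quoted, and only the `in (...)` and `== "..."` filter forms are supported.

```python
import re

# Constructed sample configuration in the format described on the page.
SAMPLE_CONFIG = """
rule {
    syscall_name=unlink
    rule_name=second_unlink_rule
    when:before
    filter_expression {PARAMS[1] in ("passwd", "/etc/passwd")}
    action:LOG
}

log_format {
    before {syscall: %pid[%comm]: %sid_%sname(%params) (r %ruleid)}
    after {syscall: %pid[%comm]: %sid_%sname(%params) = %retval (r %ruleid)}
}
"""

# A block opens with "rule {" / "log_format {" and closes with "}" on its own line.
RULE_RE = re.compile(r"^[ \t]*rule[ \t]*\{(.*?)^\}", re.M | re.S)
LOGFMT_RE = re.compile(r"^[ \t]*log_format[ \t]*\{(.*?)^\}", re.M | re.S)
# Supported filter forms (assumed): PARAMS[n] in ("a", "b")  and  PARAMS[n] == "a"
FILTER_IN_RE = re.compile(r'^PARAMS\[(\d+)\]\s+in\s+\((.*)\)$')
FILTER_EQ_RE = re.compile(r'^PARAMS\[(\d+)\]\s*==\s*"([^"]*)"$')
# Only the placeholders named on the page; a fixed list so "%sid_" is not read as one name.
PLACEHOLDER_RE = re.compile(r"%(pid|comm|sid|sname|params|retval|ruleid)")


def parse_rule(body):
    """Turn the lines inside one rule { ... } block into a dict of its fields."""
    rule = {}
    for line in body.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"^filter_expression\s*\{(.*)\}$", line)
        if m:
            rule["filter_expression"] = m.group(1).strip()
            continue
        m = re.match(r"^(\w+)\s*[=:]\s*(.+)$", line)  # key=value or key:value
        if not m:
            raise ValueError(f"unrecognised rule line: {line!r}")
        rule[m.group(1)] = m.group(2).strip()
    return rule


def parse_log_format(body):
    """Map 'before'/'after' to their template strings."""
    fmts = {}
    for line in body.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"^(before|after)\s*\{(.*)\}$", line)
        if not m:
            raise ValueError(f"unrecognised log_format line: {line!r}")
        fmts[m.group(1)] = m.group(2)
    return fmts


def parse_config(text):
    rules = [parse_rule(m.group(1)) for m in RULE_RE.finditer(text)]
    m = LOGFMT_RE.search(text)
    return {"rules": rules, "log_format": parse_log_format(m.group(1)) if m else {}}


def param_at(params, index):
    """PARAMS[n] with 1-based n (assumption); None when the syscall has fewer args."""
    return params[index - 1] if 1 <= index <= len(params) else None


def evaluate_filter(expr, params):
    """Evaluate a filter_expression without eval(); an empty expression matches everything."""
    if not expr:
        return True
    m = FILTER_IN_RE.match(expr)
    if m:
        allowed = re.findall(r'"([^"]*)"', m.group(2))
        return param_at(params, int(m.group(1))) in allowed
    m = FILTER_EQ_RE.match(expr)
    if m:
        return param_at(params, int(m.group(1))) == m.group(2)
    raise ValueError(f"unsupported filter expression: {expr!r}")


def render_log(template, event, rule_name):
    """Substitute the page's %placeholders from a syscall event dict."""
    fields = {
        "pid": str(event["pid"]),
        "comm": event["comm"],
        "sid": str(event["sid"]),
        "sname": event["sname"],
        "params": ", ".join(f'"{p}"' if isinstance(p, str) else str(p) for p in event["params"]),
        "retval": str(event.get("retval", "")),
        "ruleid": rule_name,  # assumption: %ruleid renders the rule_name
    }
    return PLACEHOLDER_RE.sub(lambda m: fields[m.group(1)], template)


def apply_rules(config, event, stage):
    """Return the log lines produced for one event at stage 'before' or 'after'."""
    template = config["log_format"].get(stage)
    lines = []
    for rule in config["rules"]:
        if rule.get("syscall_name") != event["sname"] or rule.get("when", "before") != stage:
            continue
        if not evaluate_filter(rule.get("filter_expression", ""), event["params"]):
            continue
        if rule.get("action") == "LOG" and template is not None:
            lines.append(render_log(template, event, rule.get("rule_name", "unnamed")))
    return lines


if __name__ == "__main__":
    # Constructed event: process 4242 ("rm") calling unlink (syscall 87 on x86_64) on /etc/passwd.
    event = {"pid": 4242, "comm": "rm", "sid": 87, "sname": "unlink", "params": ["/etc/passwd"]}
    for line in apply_rules(parse_config(SAMPLE_CONFIG), event, "before"):
        print(line)
```

The filter is evaluated by pattern matching rather than handed to a general expression evaluator, so a malformed or unsupported filter_expression fails loudly at load time instead of silently matching nothing; a rule whose `when:` stage does not match the current stage produces no line even when its filter would match.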