rule { rule_name = "start" syscall_name = fork when = before filter_expression { 2 } action { type = LOG } } rule { rule_name = "stop" syscall_name = exit action { type = LOG } }