##
## sec.rule -- sec(1) configuration rules
##
#
# Sample rule set for classical FTP server output
#
# All three rules below are commented out; remove the leading "#" to
# activate them.  They track one FTP session per ftpd process id:
#   rule 1 creates a context ftp_<pid> when a session whose user field
#          matches "foo" is opened,
#   rule 2 appends every further ftpd line for that pid to the context
#          and (re)arms a 1800-second lifetime with a report on expiry,
#   rule 3 mails the collected lines and deletes the context when the
#          session is closed.
#
# NOTE(review): "\(foo.*FTP session opened" matches any user field that
# starts with "foo" (e.g. "foobar"), not only the user "foo"; tighten the
# regexp if the rule is meant for a single account -- confirm the exact
# ftpd log format first.
# NOTE(review): none of the patterns is anchored, so "ftpd[<pid>]:" is
# accepted anywhere in the line; fine for syslog-style input, verify for
# other sources.
# NOTE(review): rule 2 resets the 1800 s lifetime on every matching event,
# so a session that is idle for 30 minutes is reported while still open;
# presumably the context is gone afterwards and rule 3 then has nothing
# to report or delete for that pid -- confirm this is the intended
# behaviour.
# NOTE(review): the report actions pipe the stored raw log lines ($0) into
# a fixed command (/bin/mail root@localhost) on stdin; log content is not
# interpreted by a shell here, but it does land verbatim in the mail body.
#
#type=single
#continue=takenext
#ptype=regexp
#pattern=ftpd\[(\d+)\]: \S+ \(foo.*FTP session opened
#desc=ftp session opened for foo pid $1
#action=create ftp_$1

#type=single
#continue=takenext
#ptype=regexp
#pattern=ftpd\[(\d+)\]:
#context=ftp_$1
#desc=ftp session event for foo pid $1
#action=add ftp_$1 $0; set ftp_$1 1800 \
#        (report ftp_$1 /bin/mail root@localhost)

#type=single
#ptype=regexp
#pattern=ftpd\[(\d+)\]: \S+ \(foo.*FTP session closed
#desc=ftp session closed for foo pid $1
#action=report ftp_$1 /bin/mail root@localhost; \
#        delete ftp_$1