All invalid rules will be ignored.
Log Checking Rules for Sensor: [HOST_NAME] (SID: [SID])


Once rules have been updated, [INODE=###][PREV_MATCHES=###] appears in the rule.
Leave it in place unless you are an advanced user.
These values stop DEMARC from notifying you more than once about the same violation.

Rules should be in the form: alert_level;path_to_logfile;target_regex;threshhold_number;comment_or_description
 
alert_level
Options: red or yellow
The level of alert that will be generated if the number of matching log entries falls outside of the specified parameters.

path_to_logfile
The path to the logfile that should be monitored.
(e.g. /var/log/messages)

target_regex
The string or simple regex that will match the log entries you wish to monitor.
e.g.: INVALID LOGIN or
kernel.*promiscuous
(would match kernel: fxp0: promiscuous mode enabled)

threshhold_number
If the number of matches in the logfile reaches or passes this number, the specified alert_level will be generated.
Default is 1.

comment_or_description
Optional comment or description that will appear if this alert is triggered.
(e.g.: "Too many invalid logins")
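
The rule format above, worked through as an added example (not DEMARC's own code): a validator that parses one rule line, rejects invalid rules, and evaluates the threshold against log lines. Assumptions: Python's re syntax stands in for DEMARC's regex engine, the [INODE=###][PREV_MATCHES=###] markers may appear anywhere in the stored rule, missing or empty trailing fields take their defaults, and the names parse_rule and evaluate are hypothetical.

```python
import re
from typing import NamedTuple, Optional

# Assumption: the state markers may appear anywhere in the stored rule text.
STATE = re.compile(r"\[(INODE|PREV_MATCHES)=(\d+)\]")

class Rule(NamedTuple):
    alert_level: str
    path: str
    regex: re.Pattern
    threshold: int
    comment: str
    state: dict  # e.g. {"INODE": 1234, "PREV_MATCHES": 2}; empty if never updated

def parse_rule(line: str) -> Optional[Rule]:
    """Return a Rule, or None for an invalid rule (invalid rules are ignored)."""
    state = {k: int(v) for k, v in STATE.findall(line)}
    # maxsplit=4: the comment may contain ';', the regex may not.
    fields = [f.strip() for f in STATE.sub("", line).split(";", 4)]
    if len(fields) < 3:
        return None
    level, path, target, thresh, comment = fields + [""] * (5 - len(fields))
    if level not in ("red", "yellow") or not path or not target:
        return None
    try:
        pattern = re.compile(target)
        threshold = int(thresh) if thresh else 1  # page: default is 1
    except (re.error, ValueError):
        return None
    if threshold < 1:
        return None
    return Rule(level, path, pattern, threshold, comment.strip('"'), state)

def evaluate(rule: Rule, log_lines) -> Optional[str]:
    """Return the alert level once matches reach or pass the threshold."""
    matches = sum(1 for entry in log_lines if rule.regex.search(entry))
    return rule.alert_level if matches >= rule.threshold else None

if __name__ == "__main__":
    # Constructed sample rule and log lines.
    rule = parse_rule('red;/var/log/messages;kernel.*promiscuous;1;"NIC in promiscuous mode"')
    log = ["kernel: fxp0: promiscuous mode enabled", "sshd: session opened"]
    print(evaluate(rule, log))
```

Because fields are separated by semicolons, a target_regex that itself contains a semicolon is split at that point and the rule is misread or rejected.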