8.9 Understanding Conditionals and Comparisons

You declare conditionals and comparisons to ensure you trigger actions only when necessary. Conditionals and comparisons help you filter event source output parameters. Consider the following example from the telnet rule:

  • $message =~ /telnet/

  • $source =~ /telnet/

Because these entries appear under an Or child element of the telnet login rule, you know the rule triggers when either comparison is true. When the syslog event source generates a $message or a $source parameter that matches the regular expression /telnet/, the event detection and alerting daemon searches the output parameters and triggers the defined actions.

To trigger an action when both comparisons are met, you create And comparisons. And comparisons trigger rule actions when both comparisons evaluate as true.

The hierarchy of the tree graphically represents the order in which conditional and comparison expressions are evaluated. While the tree displays one conditional or comparison under the rule element, the And or Or may have numerous child elements. Rules that do not have conditional or comparison statements must have main code to trigger. For more information, see Section 8.11, Understanding Main Code.

A comparison that is not a child element of an And or Or conditional is not itself a conditional. Such a comparison triggers the rule actions whenever the event detection and alerting daemon evaluates the statement as true.
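The following is an added example, not part of the product documentation: a small Python model of the rule tree described above, with the two telnet comparisons placed under an Or and under an And, evaluated against constructed syslog output parameters. The Comparison and Conditional class names and the sample events are assumptions made for this illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Union

# Output parameters of one event, keyed by parameter name (e.g. "$message").
Event = Dict[str, str]


@dataclass
class Comparison:
    """A leaf of the rule tree: <parameter> =~ /<regex>/, e.g. $message =~ /telnet/."""
    param: str
    pattern: str  # the regular expression body that the rule writes between slashes

    def evaluate(self, event: Event) -> bool:
        # A missing parameter never matches; =~ is a search, not a full-string match.
        return re.search(self.pattern, event.get(self.param, "")) is not None


@dataclass
class Conditional:
    """An And or Or node; children may be comparisons or nested conditionals."""
    op: str  # "And" or "Or"
    children: List[Union[Comparison, "Conditional"]] = field(default_factory=list)

    def evaluate(self, event: Event) -> bool:
        results = [child.evaluate(event) for child in self.children]
        return all(results) if self.op == "And" else any(results)


# The telnet rule as the page describes it: an Or over the two comparisons.
TELNET_RULE_OR = Conditional("Or", [Comparison("$message", "telnet"), Comparison("$source", "telnet")])
# The same comparisons under an And: both must match before the actions run.
TELNET_RULE_AND = Conditional("And", [Comparison("$message", "telnet"), Comparison("$source", "telnet")])

# Constructed sample events (not real log data): only the first matches on both parameters.
SAMPLE_EVENTS: List[Event] = [
    {"$message": "login from 10.0.0.5 via telnet", "$source": "telnetd"},
    {"$message": "session opened for user alice", "$source": "telnetd"},
    {"$message": "accepted publickey for bob", "$source": "sshd"},
]


def events_that_trigger(rule: Union[Comparison, Conditional], events: List[Event]) -> List[int]:
    """Return the indices of the events for which the rule would run its actions."""
    return [i for i, ev in enumerate(events) if rule.evaluate(ev)]


if __name__ == "__main__":
    print("Or  triggers on events:", events_that_trigger(TELNET_RULE_OR, SAMPLE_EVENTS))   # [0, 1]
    print("And triggers on events:", events_that_trigger(TELNET_RULE_AND, SAMPLE_EVENTS))  # [0]
```

A bare comparison evaluated directly, such as `events_that_trigger(Comparison("$source", "telnet"), SAMPLE_EVENTS)`, shows the non-conditional case from the paragraph above.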

To edit comparisons or conditionals, right-click the rule you want to modify. To associate comparisons with a conditional, right-click the conditional, and then click Add Comparison. Comparisons are labeled with the output parameter name, the operator, and the value describing the comparison. For example, $message =~ /telnet/.

NOTE: When defining the Value property, enclose regular expressions with slashes (/) to indicate that the value is a regular expression. For example, /telnet/ designates telnet as a regular expression.