Rules


Rules consist of criteria (a match) with one or more conditions, and one or more actions which are performed if the criteria are matched.

Rules are defined within tables with the <rule> XML tag.

A rule can have an optional name specified in the name attribute of the <rule> XML tag.

A rule can have an optional comment specified with the <comment> XML tag.

A rule can be enabled (it will be applied in the current configuration) or disabled (it will be ignored when the current configuration is applied). The active status of the rule is defined by the mandatory enabled attribute of the <rule> XML tag. The enabled attribute can have the following values:

1 or true:
The rule is enabled and participates in message filtering.

0 or false:
The rule is disabled and does not participate in message filtering (it is ignored).

Rule criteria are defined by the <match> XML tag inside the rule. Rule actions are defined by the sequence of <action> XML tags inside the rule.

For example:

<?xml version="1.0" encoding="utf-8"?>
<filter name="main filter" version="1.0">
 <comment>This is a comment.</comment>
 
 <table name="main">
   <comment>This is a comment for the table "main".</comment>
   <rule enabled="1">
     <match ...> ... </match>
     <action ...> ... </action>
   </rule>
 
   <rule name="spam" enabled="1">
     <comment>The rule for the messages of the SPAM category.</comment>
     <match ...> ... </match>
     <action ...> ... </action>
     <action ...> ... </action>
     <action ...> ... </action>
   </rule>
 
   <rule enabled="1">
     <action name="drop" />
   </rule>
 
 </table>
</filter>

In this example, the "main" table contains three rules, all of them enabled. The second rule (unlike the first one) has a name, a comment and several actions. The third rule is the mandatory terminating rule which rejects all the messages not accepted by the rules above it.

If the rule contains no <match> criteria or the match is empty (<match />), the "all messages" match is implied: <c name="all"/>.
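The following Python linter is an added example, not part of the product or its documentation. It checks a filter file against the rule requirements described above: the mandatory enabled attribute, its four permitted values, and an enabled terminating "drop" rule with an implied "all messages" match at the end of each table. The sample input is constructed, the placeholder condition name is hypothetical, and treating a `<match>` with no attributes, children or text as empty is an assumption.

```python
import xml.etree.ElementTree as ET

ENABLED, DISABLED = {"1", "true"}, {"0", "false"}  # values from the page (exact match assumed)

# Constructed sample. <c name="placeholder"/> stands in for a real condition.
SAMPLE = """<filter name="main filter" version="1.0">
  <table name="main">
    <rule name="spam" enabled="1">
      <match><c name="placeholder"/></match>
      <action name="drop" />
    </rule>
    <rule name="typo" enabled="yes"><action name="drop" /></rule>
    <rule name="no-flag"><action name="drop" /></rule>
    <rule name="terminator" enabled="0"><action name="drop" /></rule>
  </table>
</filter>"""

def is_catch_all(rule):
    """No <match>, or an empty <match />: the implied "all messages" match."""
    match = rule.find("match")
    if match is None:
        return True
    return not match.attrib and len(match) == 0 and not (match.text or "").strip()

def lint_filter(xml_text):
    """Return a list of findings for every <table> in the filter."""
    findings = []
    for table in ET.fromstring(xml_text).iter("table"):
        tname = table.get("name", "?")
        active = []  # rules that actually participate in filtering
        for idx, rule in enumerate(table.findall("rule"), start=1):
            label = f"table {tname!r} rule #{idx} ({rule.get('name', 'unnamed')})"
            enabled = rule.get("enabled")
            if enabled is None:
                findings.append(f"{label}: missing mandatory 'enabled' attribute")
            elif enabled in ENABLED:
                active.append(rule)
            elif enabled not in DISABLED:
                findings.append(f"{label}: invalid enabled value {enabled!r}")
        # The last enabled rule must match every message and drop it.
        last = active[-1] if active else None
        if last is None or not is_catch_all(last) or not any(
                a.get("name") == "drop" for a in last.findall("action")):
            findings.append(f"table {tname!r}: no enabled terminating 'drop' rule")
    return findings

if __name__ == "__main__":
    for finding in lint_filter(SAMPLE):
        print(finding)
```

On the constructed sample the linter reports three findings: the invalid value "yes", the rule without an enabled attribute, and the table whose terminating rule is disabled.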