# Rule "start": attaches to the fork syscall and emits a LOG action.
# Paired with a rule on exit, this presumably records process creation
# for lifecycle auditing. Confirm against the consumer of the log.
rule {
     rule_name = "start"
     syscall_name = fork
     # Hook point is "before". Presumably the rule fires prior to the
     # syscall body running, so the record identifies the parent only.
     when = before 
     # NOTE(review): the filter is the bare constant 2, not a test on a
     # syscall parameter. Presumably it evaluates as always-true and
     # every fork is logged. Confirm this is intended, not a placeholder.
     filter_expression { 2 } 
     # No log format is given here, so the output layout depends on the
     # tool's default.
     action { type = LOG }
}

# Rule "stop": attaches to the exit syscall and emits a LOG action.
# NOTE(review): no "when" and no filter_expression are set here, so both
# fall back to whatever the tool defaults to. exit does not return to its
# caller, so an after-hook would presumably never fire. Confirm the
# default is "before", or set it explicitly.
rule { 
     rule_name = "stop"
     syscall_name = exit
     # No log format is given here, so the output layout depends on the
     # tool's default.
     action { type = LOG }
}