Have you tested whether this rule works? I can't get it to function correctly.
I have and it does work if you reduce the log size (e.g. delete some stuff). But if you replace content like 'Bob' with 'Rob' it won't fire.
-- Michael Starks [I] Immutable Security http://www.immutablesecurity.com
