Changing the value of the RawCapture property in the rules file

Most probes read properties once at startup, so changing probe properties after startup does not usually affect probe behavior. However, you can set the RawCapture property in the rules file, so that the raw event data is sent to a file only when certain conditions are met.

A raw capture mode setting made in the rules file takes effect for the current event.

For example:

# Start rules processing
%RawCapture=0

if (condition) {
	# Send the current event to the raw capture file
	%RawCapture=1
}

You can enable raw capture mode globally by setting the -raw command-line option or the RawCapture property in the probe properties file.