How do I track events in which a specific rule is tripped?
Would I use a counter or write to a log file?
If I do the latter, what event data can I put into the log?
My recommendation is to always use what has been given to you. In that vein, you can just mimic the access log rule, but modify the criteria and what log it is written to.
See screenshot below as well as attached ruleset (which is just a variation on the default access log).