Hello,

the attached patch adds some functionality to ausearch. It consists of two main parts:

ausearch_add_interpreted_item() behaves like ausearch_add_item(), but the conditions are evaluated by comparing the interpreted field value, not the raw value (e.g. ("uid", "=", "mitr") instead of ("uid", "=", "500")). In principle, the application using ausearch could contain its own code to "un-interpret" field values, but I think it is cleaner when the only place that maps raw and interpreted value is libauparse. The current implementation simply interprets the value of each field before performing the comparison; in the future, the implementation could be changed to "un-interpret" the supplied value when creating the rule if the current implementation turns out to be too slow.

ausearch_add_timestamp_item() allows placing conditions on event timestamp.

In addition, the patch fixes checking whether the operator is unknown in ausearch_add_item().

Mirek
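The two evaluation strategies discussed in the message above, as an added, self-contained model (not code from the patch or from libauparse, and it does not call libauparse). The uid table, the sample field values, the helper names and the "unknown(...)" placeholder are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed uid table standing in for the interpretation step. */
static const struct { const char *raw, *name; } accts[] = { {"0", "root"}, {"500", "mitr"} };
#define N_ACCTS (sizeof accts / sizeof accts[0])
static const char *sample_uids[] = { "500", "0", "500", "1234" }; /* constructed raw field values */
static unsigned lookups; /* table lookups performed, to compare cost */
/* raw -> interpreted; the placeholder for unmapped ids is this sketch's choice */
static void interpret_uid(const char *raw, char *out, size_t len)
{
    lookups++;
    snprintf(out, len, "unknown(%s)", raw);
    for (size_t i = 0; i < N_ACCTS; i++)
        if (strcmp(accts[i].raw, raw) == 0)
            snprintf(out, len, "%s", accts[i].name);
}
/* interpreted -> raw; NULL when the name maps to no uid */
static const char *uninterpret_uid(const char *name)
{
    lookups++;
    for (size_t i = 0; i < N_ACCTS; i++)
        if (strcmp(accts[i].name, name) == 0)
            return accts[i].raw;
    return NULL;
}
/* Approach described as current: interpret every field value, then compare. */
static int count_interpret_each(const char **raw, size_t n, const char *want)
{
    char buf[64];
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        interpret_uid(raw[i], buf, sizeof buf);
        hits += strcmp(buf, want) == 0;
    }
    return hits;
}
/* Possible later approach: un-interpret once at rule creation, compare raw. */
static int count_uninterpret_once(const char **raw, size_t n, const char *want)
{
    const char *key = uninterpret_uid(want);
    int hits = 0;
    for (size_t i = 0; key && i < n; i++)
        hits += strcmp(raw[i], key) == 0;
    return hits;
}
int main(void)
{
    printf("%d %d\n", count_interpret_each(sample_uids, 4, "unknown(1234)"),
           count_uninterpret_once(sample_uids, 4, "unknown(1234)"));
    return 0;
}
```

In this model the second strategy does one lookup per rule instead of one per record, but the two stop agreeing when the supplied value has no raw counterpart, which matters if a search rule is expected to find events from accounts that no longer resolve.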