ausearch_add_interpreted_item - Linux


Overview

ausearch_add_interpreted_item is a command-line tool used to add an interpreted item to the audit subsystem. An interpreted item is an audit event created by an auditd plugin that analyzes raw audit data and generates meaningful audit events from it. Interpreted items provide a flexible way to customize and extend the audit system.

Syntax

ausearch_add_interpreted_item [options] <item_key> [args...]

Options/Flags

  • -h, --help: Display help information.
  • -i, --ignore_fprint: Ignore file fingerprint.
  • -I, --item_dir: Path to the directory containing interpreted item definitions (default: /etc/audit/rules.d).
  • -t, --test: Test the interpreted item without actually adding it to the system.

Examples

Example 1: Add an interpreted item that generates an event when a user logs in:

ausearch_add_interpreted_item login_event \
    -a always,exit \
    -F auid>=1000 \
    -F key=session \
    -F exe=/bin/login

Example 2: Test an interpreted item before adding it:

ausearch_add_interpreted_item -t login_event \
    -F key=session \
    -F exe=/bin/login

Common Issues

  • Make sure that the interpreted item definition is valid and follows the correct syntax.
  • Ensure that the auditd service is running and audit plugins are loaded.

Integration

ausearch_add_interpreted_item can be used together with other Linux commands to automate security monitoring tasks. For example, events generated by an interpreted item carry the key given in its definition (key=session in the examples above), so ausearch can retrieve them by that key.
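The following script is an added example, not part of this page or of the audit-userspace project. It shows the ausearch side of the integration: raw audit records are pulled out by key with ausearch --raw -k (both real ausearch options), and a small awk filter keeps only the records an interpreted item such as login_event would match (key="session" and a real login uid, auid >= 1000, excluding the "unset" value 4294967295). The sample records embedded in the script are constructed so it runs without a live auditd; the function names, the login_event item and its session key are assumptions taken from the examples above.

```shell
#!/bin/sh
# Added example: filter raw audit records the way the login_event item
# above would, and count how many match. Not part of the original page.

# Constructed sample of raw audit records (field values are made up;
# 4294967295 is the kernel's "unset" auid, seen on daemons such as cron).
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=0 ses=3 exe="/bin/login" key="session"
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=59 success=yes exit=0 auid=4294967295 uid=0 ses=4294967295 exe="/usr/sbin/cron" key="session"
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=59 success=yes exit=0 auid=1001 uid=0 ses=4 exe="/bin/login" key="session"
type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=0 ses=3 exe="/usr/bin/sudo" key="privileged"'

# filter_by_key KEY MIN_AUID
# Reads raw audit records on stdin and prints those whose key matches KEY
# and whose auid is a real login uid (>= MIN_AUID and not "unset").
filter_by_key() {
    awk -v want_key="$1" -v min_auid="$2" '
    {
        key = ""; auid = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "key")  { key = kv[2]; gsub(/"/, "", key) }
            if (kv[1] == "auid") { auid = kv[2] }
        }
        if (key == want_key && auid != "" && auid != "4294967295" && auid + 0 >= min_auid)
            print
    }'
}

# count_by_key KEY MIN_AUID  (same filter, prints only the match count)
count_by_key() {
    filter_by_key "$1" "$2" | awk 'END { print NR }'
}

# search_session_logins KEY: the real-system form, pulling records from
# ausearch by key (ausearch --raw and -k are genuine ausearch options).
# Guarded so the script still runs on a host without audit tools.
search_session_logins() {
    if command -v ausearch >/dev/null 2>&1; then
        ausearch --raw -k "$1" | filter_by_key "$1" 1000
    else
        echo "ausearch not installed; skipping live search" >&2
    fi
}

# Demo on the constructed records: expect the two /bin/login events
# (auid 1000 and 1001) and neither the cron nor the sudo record.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | filter_by_key session 1000
```

In practice the same filter sits behind `search_session_logins session`; the unset auid check matters because daemon-originated records share the key but carry no login identity, and counting them as logins would skew any alerting built on top.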

Related Commands

  • auditctl – Controls the kernel audit subsystem.
  • ausearch – Searches for audit events.
  • augenrules – Generates audit rules from a policy file.