diff --git a/test/falco_tests.yaml b/test/falco_tests.yaml
index df0c19fa..efd57652 100644
--- a/test/falco_tests.yaml
+++ b/test/falco_tests.yaml
@@ -32,20 +32,10 @@ trace_files: !mux
       - leading_not
       - not_equals_at_end
       - not_at_end
-      - not_before_trailing_evttype
-      - not_equals_before_trailing_evttype
       - not_equals_and_not
-      - not_equals_before_in
-      - not_before_in
-      - not_in_before_in
-      - leading_in_not_equals_before_evttype
       - leading_in_not_equals_at_evttype
       - not_with_evttypes
       - not_with_evttypes_addl
-      - not_equals_before_evttype
-      - not_equals_before_in_evttype
-      - not_before_evttype
-      - not_before_evttype_using_in
     rules_events:
       - no_warnings: [execve]
       - no_evttype: [all]
@@ -1142,6 +1132,8 @@ trace_files: !mux
     detect_level: INFO
     rules_file:
       - rules/syscalls.yaml
+    rules_warning:
+      - detect_madvise
     detect_counts:
       - detect_madvise: 2
       - detect_open: 2
@@ -1160,7 +1152,8 @@ trace_files: !mux
   skip_unknown_noevt:
     detect: False
-    stdout_contains: Skipping rule "Contains Unknown Event And Skipping". contains unknown filter proc.nobody
+    rules_warning:
+      - Contains Unknown Event And Skipping
     rules_file:
       - rules/skip_unknown_evt.yaml
     trace_file: trace_files/cat_write.scap
@@ -1175,7 +1168,7 @@ trace_files: !mux
     exit_status: 1
     stderr_contains: |+
       Could not load rules file.*skip_unknown_error.yaml: 1 errors:
-      rule "Contains Unknown Event And Not Skipping". contains unknown filter proc.nobody
+      Rule Contains Unknown Event And Not Skipping: error filter_check called with nonexistent field proc.nobody
       ---
       - rule: Contains Unknown Event And Not Skipping
         desc: Contains an unknown event
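Review bot: In the `skip_unknown_noevt` hunk the dropped `stdout_contains` line was the only check that the warning names the unknown field (`proc.nobody`); the replacement `rules_warning: - Contains Unknown Event And Skipping` only asserts that some warning was attributed to that rule, so a regression that warns for the wrong reason would still pass. Keep a `stdout_contains:` alongside the new key, with the text the new loader actually prints for the skipped rule (e.g. `stdout_contains: <NEW_WARNING_TEXT_PLACEHOLDER> proc.nobody`, to be filled from a real run). The same loss of specificity applies to the `detect_madvise` entry added in the preceding hunk, where the reason the rule now warns is not visible and a one-line `#` comment above `rules_warning:` would help the next reader.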
@@ -1192,7 +1185,7 @@ trace_files: !mux
     exit_status: 1
     stderr_contains: |+
       Could not load rules file .*skip_unknown_unspec.yaml: 1 errors:
-      rule "Contains Unknown Event And Unspecified". contains unknown filter proc.nobody
+      Rule Contains Unknown Event And Unspecified: error filter_check called with nonexistent field proc.nobody
       ---
       - rule: Contains Unknown Event And Unspecified
         desc: Contains an unknown event
diff --git a/test/rules/rule_append.yaml b/test/rules/rule_append.yaml
index 5441947f..0a289f6e 100644
--- a/test/rules/rule_append.yaml
+++ b/test/rules/rule_append.yaml
@@ -16,10 +16,10 @@
 #
 - rule: my_rule
   desc: A process named cat does an open
-  condition: evt.type=open and fd.name=not-a-real-file
+  condition: (evt.type=open and fd.name=not-a-real-file)
   output: "An open of /dev/null was seen (command=%proc.cmdline)"
   priority: WARNING
 - rule: my_rule
   append: true
-  condition: or fd.name=/dev/null
+  condition: or (evt.type=open and fd.name=/dev/null)
diff --git a/tests/engine/test_rulesets.cpp b/tests/engine/test_rulesets.cpp
index 45e93431..5fbdff99 100644
--- a/tests/engine/test_rulesets.cpp
+++ b/tests/engine/test_rulesets.cpp
@@ -26,10 +26,21 @@ static uint16_t non_default_ruleset = 3;
 static uint16_t other_non_default_ruleset = 2;
 static std::set tags = {"some_tag", "some_other_tag"};
+static std::shared_ptr create_filter()
+{
+	// The actual contents of the filters don't matter here.
+	sinsp_filter_compiler compiler(NULL, "evt.type=open");
+	sinsp_filter *f = compiler.compile();
+
+	std::shared_ptr ret(f);
+
+	return ret;
+}
+
 TEST_CASE("Should enable/disable for exact match w/ default ruleset", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr filter(new gen_event_filter());
+	std::shared_ptr filter = create_filter();
 	string rule_name = "one_rule";
 	r.add(rule_name, tags, filter);
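Review bot: The parentheses added to both `condition:` lines of `rule_append.yaml` change what the fixture exercises without saying why: the appended clause now repeats `evt.type=open`, so the file no longer tests a bare `or fd.name=/dev/null` append, which looks like the case this fixture existed for. If the intent is to pin down how an appended `or …` fragment groups with the base `and`, state it in the comment block that ends at the `#` line above, e.g. `# both halves are parenthesised so the appended 'or' clause cannot rebind the base 'and'`; if precedence is what the test should cover, keeping one unparenthesised variant alongside would preserve that coverage.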
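Review bot: `create_filter()` wraps the raw result of `compiler.compile()` without looking at it, so if compilation of `"evt.type=open"` can fail by returning a null pointer the tests would silently hand `r.add` an empty `shared_ptr` and fail far from the cause; if `compile()` throws instead (confirm against the compiler's contract) this is moot, but either way a test helper should fail loudly here, e.g. `REQUIRE(f != nullptr);` right after the `compile()` call. Two style points in the same lines: `sinsp_filter_compiler compiler(nullptr, "evt.type=open");` instead of `NULL`, and the `ret` temporary can be dropped by returning the `shared_ptr` directly. The helper's comment could also note that, unlike the old `new gen_event_filter()`, the string is now really compiled with no inspector, so it must stay a syntactically valid filter that needs no inspector state.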
@@ -44,7 +55,7 @@ TEST_CASE("Should enable/disable for exact match w/ default ruleset", "[rulesets
 TEST_CASE("Should enable/disable for exact match w/ specific ruleset", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr filter(new gen_event_filter());
+	std::shared_ptr filter = create_filter();
 	string rule_name = "one_rule";
 	r.add(rule_name, tags, filter);
@@ -63,7 +74,7 @@ TEST_CASE("Should enable/disable for exact match w/ specific ruleset", "[ruleset
 TEST_CASE("Should not enable for exact match different rule name", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr filter(new gen_event_filter());
+	std::shared_ptr filter = create_filter();
 	string rule_name = "one_rule";
 	r.add(rule_name, tags, filter);
@@ -75,7 +86,7 @@ TEST_CASE("Should not enable for exact match different rule name", "[rulesets]")
 TEST_CASE("Should enable/disable for exact match w/ substring and default ruleset", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr filter(new gen_event_filter());
+	std::shared_ptr filter = create_filter();
 	string rule_name = "one_rule";
 	r.add(rule_name, tags, filter);
@@ -90,7 +101,7 @@ TEST_CASE("Should enable/disable for exact match w/ substring and default rulese
 TEST_CASE("Should not enable for substring w/ exact_match", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr filter(new gen_event_filter());
+	std::shared_ptr filter = create_filter();
 	string rule_name = "one_rule";
 	r.add(rule_name, tags, filter);
@@ -102,7 +113,7 @@ TEST_CASE("Should not enable for substring w/ exact_match", "[rulesets]")
 TEST_CASE("Should enable/disable for prefix match w/ default ruleset", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr filter(new gen_event_filter());
+	std::shared_ptr filter = create_filter();
 	string rule_name = "one_rule";
 	r.add(rule_name, tags, filter);
@@ -117,7 +128,7 @@ TEST_CASE("Should enable/disable for prefix match w/ default ruleset", "[ruleset
 TEST_CASE("Should enable/disable for suffix match w/ default ruleset", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr filter(new gen_event_filter());
+	std::shared_ptr filter = create_filter();
 	string rule_name = "one_rule";
 	r.add(rule_name, tags, filter);
@@ -132,7 +143,7 @@ TEST_CASE("Should enable/disable for suffix match w/ default ruleset", "[ruleset
 TEST_CASE("Should enable/disable for substring match w/ default ruleset", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr filter(new gen_event_filter());
+	std::shared_ptr filter = create_filter();
 	string rule_name = "one_rule";
 	r.add(rule_name, tags, filter);
@@ -147,7 +158,7 @@ TEST_CASE("Should enable/disable for substring match w/ default ruleset", "[rule
 TEST_CASE("Should enable/disable for substring match w/ specific ruleset", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr filter(new gen_event_filter());
+	std::shared_ptr filter = create_filter();
 	string rule_name = "one_rule";
 	r.add(rule_name, tags, filter);
@@ -166,7 +177,7 @@ TEST_CASE("Should enable/disable for substring match w/ specific ruleset", "[rul
 TEST_CASE("Should enable/disable for tags w/ default ruleset", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr filter(new gen_event_filter());
+	std::shared_ptr filter = create_filter();
 	string rule_name = "one_rule";
 	std::set want_tags = {"some_tag"};
@@ -182,7 +193,7 @@ TEST_CASE("Should enable/disable for tags w/ default ruleset", "[rulesets]")
 TEST_CASE("Should enable/disable for tags w/ specific ruleset", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr filter(new gen_event_filter());
+	std::shared_ptr filter = create_filter();
 	string rule_name = "one_rule";
 	std::set want_tags = {"some_tag"};
@@ -202,7 +213,7 @@ TEST_CASE("Should enable/disable for tags w/ specific ruleset", "[rulesets]")
 TEST_CASE("Should not enable for different tags", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr filter(new gen_event_filter());
+	std::shared_ptr filter = create_filter();
 	string rule_name = "one_rule";
 	std::set want_tags = {"some_different_tag"};
@@ -215,7 +226,7 @@ TEST_CASE("Should not enable for different tags", "[rulesets]")
 TEST_CASE("Should enable/disable for overlapping tags", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr filter(new gen_event_filter());
+	std::shared_ptr filter = create_filter();
 	string rule_name = "one_rule";
 	std::set want_tags = {"some_tag", "some_different_tag"};
@@ -231,12 +242,12 @@ TEST_CASE("Should enable/disable for overlapping tags", "[rulesets]")
 TEST_CASE("Should enable/disable for incremental adding tags", "[rulesets]")
 {
 	falco_ruleset r;
-	std::shared_ptr rule1_filter(new gen_event_filter());
+	std::shared_ptr rule1_filter = create_filter();
 	string rule1_name = "one_rule";
 	std::set rule1_tags = {"rule1_tag"};
 	r.add(rule1_name, rule1_tags, rule1_filter);
-	std::shared_ptr rule2_filter(new gen_event_filter());
+	std::shared_ptr rule2_filter = create_filter();
 	string rule2_name = "two_rule";
 	std::set rule2_tags = {"rule2_tag"};
 	r.add(rule2_name, rule2_tags, rule2_filter);