The issue here is that logwatch does match apparmor STATUS messages
generally, but not when they have profile="unconfined" between operation
and name.

I didn't find authoritative documentation on what this log entry means,
but the answer to the following askubuntu post suggests this may be
recording the disabling of an apparmor profile - something that may be
of concern to sysadmins and thus should be flagged as noteworthy in the
logwatch report.

https://askubuntu.com/questions/825274/apparmor-audit-logs-what-does-this-mean

** Also affects: logwatch (Ubuntu Groovy)
   Importance: High
       Status: Triaged

** Also affects: logwatch (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: logwatch (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: logwatch (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Changed in: logwatch (Ubuntu Xenial)
       Status: New => Triaged

** Changed in: logwatch (Ubuntu Bionic)
       Status: New => Triaged

** Changed in: logwatch (Ubuntu Focal)
       Status: New => Triaged

** Changed in: logwatch (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: logwatch (Ubuntu Bionic)
   Importance: Undecided => High

** Changed in: logwatch (Ubuntu Focal)
   Importance: Undecided => High

-- 
https://bugs.launchpad.net/bugs/1577948

Title:
  unmatched entries for apparmor STATUS messages
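
A field-based matcher for the case described in the comment above, as an added example that is not part of the bug report and not logwatch's own code (logwatch's service scripts are Perl). It parses the key="value" pairs of each line, so a profile="unconfined" field between operation and name cannot leave a STATUS line unmatched; the sample log lines and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the kernel audit format AppArmor uses; not from the bug report.
SAMPLE_LOG = """\
May  4 10:00:01 host kernel: [   12.345678] audit: type=1400 audit(1462356001.123:10): apparmor="STATUS" operation="profile_load" name="/usr/sbin/cupsd" pid=701 comm="apparmor_parser"
May  4 10:00:02 host kernel: [   13.000001] audit: type=1400 audit(1462356002.456:11): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/tcpdump" pid=812 comm="apparmor_parser"
May  4 10:00:03 host kernel: [   14.000002] audit: type=1400 audit(1462356003.789:12): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="/usr/sbin/tcpdump" pid=901 comm="apparmor_parser"
May  4 10:00:04 host kernel: [   15.000003] audit: type=1400 audit(1462356004.000:13): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=950 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May  4 10:00:05 host kernel: [   16.000004] usb 1-1: new high-speed USB device number 2 using xhci_hcd
"""

# key="quoted value" or key=bare_value, wherever it appears on the line
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fields(line):
    """Return the key=value pairs of one audit line as a dict, independent of order."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}

def summarize_status(log_text):
    """Count apparmor STATUS events by (operation, profile, name).

    Lines are matched on fields, not on position, so an optional profile=
    field between operation= and name= is reported instead of falling
    through as an unmatched entry.
    """
    counts = Counter()
    unmatched = []
    for line in log_text.splitlines():
        if "apparmor=" not in line:
            continue
        f = parse_fields(line)
        if f.get("apparmor") != "STATUS":
            continue  # DENIED/ALLOWED/AUDIT records are out of scope here
        if "operation" not in f or "name" not in f:
            unmatched.append(line)  # STATUS line of a shape not handled yet
            continue
        counts[(f["operation"], f.get("profile", "-"), f["name"])] += 1
    return counts, unmatched

if __name__ == "__main__":
    counts, unmatched = summarize_status(SAMPLE_LOG)
    for (op, profile, name), n in sorted(counts.items()):
        print(f"{n} x {op} profile={profile} name={name}")
    print(f"{len(unmatched)} unmatched STATUS line(s)")
```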