diff --git a/libraries/libapparmor/testsuite/test_multi/testcase36.err b/libraries/libapparmor/testsuite/test_multi/testcase36.err
new file mode 100644
index 000000000..e69de29bb
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase36.in b/libraries/libapparmor/testsuite/test_multi/testcase36.in
new file mode 100644
index 000000000..626e45e11
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase36.in
@@ -0,0 +1 @@
+2025-01-27T13:01:36.226987+05:30 sec-plucky-amd64 kernel: audit: type=1400 audit(1737963096.225:3240): apparmor="AUDIT" operation="getattr" class="file" profile="/usr/sbin/mosquitto" name="/etc/mosquitto/pwfile" pid=8119 comm="mosquitto" requested_mask="r" fsuid=122 ouid=122
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase36.out b/libraries/libapparmor/testsuite/test_multi/testcase36.out
new file mode 100644
index 000000000..24e0da758
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase36.out
@@ -0,0 +1,15 @@
+START
+File: testcase36.in
+Event type: AA_RECORD_AUDIT
+Audit ID: 1737963096.225:3240
+Operation: getattr
+Mask: r
+fsuid: 122
+ouid: 122
+Profile: /usr/sbin/mosquitto
+Name: /etc/mosquitto/pwfile
+Command: mosquitto
+PID: 8119
+Class: file
+Epoch: 1737963096
+Audit subid: 3240
diff --git a/libraries/libapparmor/testsuite/test_multi/testcase36.profile b/libraries/libapparmor/testsuite/test_multi/testcase36.profile
new file mode 100644
index 000000000..0b69d04d7
--- /dev/null
+++ b/libraries/libapparmor/testsuite/test_multi/testcase36.profile
@@ -0,0 +1,4 @@
+/usr/sbin/mosquitto {
+ /etc/mosquitto/pwfile r,
+
+}
diff --git a/utils/apparmor/logparser.py b/utils/apparmor/logparser.py
index 893ccb353..082314f04 100644
--- a/utils/apparmor/logparser.py
+++ b/utils/apparmor/logparser.py
@@ -131,7 +131,7 @@ class ReadLog:
 return 'pivot_root'
 elif e['class'] and e['class'] == 'net' and e['family'] and e['family'] == 'unix':
 return 'unix'
- elif self.op_type(e) == 'file':
+ elif e['class'] == 'file' or self.op_type(e) == 'file':
 return 'file'
 elif e['operation'] == 'capable':
 return 'capability'
@@ -337,7 +337,7 @@ class ReadLog:
 UnixRule.hashlog_from_event(self.hashlog[aamode][full_profile]['unix'], e)
 return
- elif self.op_type(e) == 'file':
+ elif e['class'] == 'file' or self.op_type(e) == 'file':
 FileRule.hashlog_from_event(self.hashlog[aamode][full_profile]['file'], e)
 elif e['operation'] == 'capable':
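Review bot: The condition `e['class'] == 'file' or self.op_type(e) == 'file'` is now written out twice, once in the first hunk (new line 134, the branch that returns 'file') and again in the second hunk (the branch that calls FileRule.hashlog_from_event), so the two sites can drift apart the next time an event class is special-cased. A small helper on ReadLog used at both places would keep classification and hashlog insertion in step, for example `def is_file_event(self, e): return e['class'] == 'file' or self.op_type(e) == 'file'`. It would also help to record why class is checked first, e.g. `# class="file" events count as file events even when op_type() does not map the operation (presumably the getattr case in testcase36)`. Both enclosing functions start and end outside the hunks, so the rest of each chain is not visible here.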
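Review bot: In the second hunk, any event carrying class="file" now reaches `FileRule.hashlog_from_event` regardless of its operation, where before only operations that op_type() maps to 'file' got there. FileRule is not part of this diff, so it is worth confirming that it handles such an event when `name` or the mask fields are absent or unexpected, rather than raising partway through a log run or recording a malformed entry that later becomes a proposed rule. testcase36 only pins an AUDIT getattr record with `requested_mask="r"`; a second fixture with a DENIED record carrying `denied_mask` would cover the other common shape of this event.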