diff --git a/libraries/libapparmor/include/aalogparse.h b/libraries/libapparmor/include/aalogparse.h
index 1eee33a68..aab0093ff 100644
--- a/libraries/libapparmor/include/aalogparse.h
+++ b/libraries/libapparmor/include/aalogparse.h
@@ -159,6 +159,8 @@ typedef struct
 char *fs_type;
 char *flags;
 char *src_name;
+
+ char *class;
 } aa_log_record;
 /**
diff --git a/libraries/libapparmor/src/grammar.y b/libraries/libapparmor/src/grammar.y
index 0517bfdd8..8afd0c39f 100644
--- a/libraries/libapparmor/src/grammar.y
+++ b/libraries/libapparmor/src/grammar.y
@@ -187,6 +187,7 @@ aa_record_event_type lookup_aa_event(unsigned int type)
 %token TOK_KEY_FSTYPE
 %token TOK_KEY_FLAGS
 %token TOK_KEY_SRCNAME
+%token TOK_KEY_CLASS
 %token TOK_SOCKLOGD_KERNEL
 %token TOK_SYSLOG_KERNEL
@@ -431,6 +432,8 @@ key: TOK_KEY_OPERATION TOK_EQUALS TOK_QUOTED_STRING
 ret_record->event = AA_RECORD_INVALID;
 ret_record->info = $1;
 }
+ | TOK_KEY_CLASS TOK_EQUALS TOK_QUOTED_STRING
+ { ret_record->class = $3; }
 ;
 apparmor_event:
diff --git a/libraries/libapparmor/src/libaalogparse.c b/libraries/libapparmor/src/libaalogparse.c
index 6e7c4b797..d4f0c1737 100644
--- a/libraries/libapparmor/src/libaalogparse.c
+++ b/libraries/libapparmor/src/libaalogparse.c
@@ -103,6 +103,8 @@ void free_record(aa_log_record *record)
 free(record->flags);
 if (record->src_name != NULL)
 free(record->src_name);
+ if (record->class != NULL)
+ free(record->class);
 free(record);
 }
diff --git a/libraries/libapparmor/src/scanner.l b/libraries/libapparmor/src/scanner.l
index 65973a0df..e663f787a 100644
--- a/libraries/libapparmor/src/scanner.l
+++ b/libraries/libapparmor/src/scanner.l
@@ -171,6 +171,7 @@ key_peer "peer"
 key_fstype "fstype"
 key_flags "flags"
 key_srcname "srcname"
+key_class "class"
 audit "audit"
 /* network addrs */
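Review bot: `char *class;` introduces a field whose name is a C++ keyword into a public header, so if aalogparse.h is meant to be includable from C++ (the typedef is `extern`-facing and wrapped by SWIG) that translation unit will no longer compile, and the Python binding already has to address it as `_class`. If C++ consumers are not a concern, the new field should at least carry the same kind of documentation the struct's other members get, stating what it holds and its absent value: `char *class;	/* value of the class= key of the record, NULL when the key is not present */`. The NULL-when-absent part is inferred from the check added in free_record and from the record allocation not being visible in this diff; confirm it against the allocation site.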
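Review bot: The guard `if (record->class != NULL)` before `free(record->class)` only helps if the field is known to be NULL for log lines that carry no `class=` key, and nothing in this diff shows where aa_log_record is allocated or initialised; if records are built with malloc plus per-field initialisation rather than calloc, `class` must be set to NULL there as well or free_record will pass an indeterminate pointer to free(). free_record's body begins outside the hunk, so the allocation path should be checked alongside this change. As a point of style the guard is redundant because free(NULL) is a no-op, but it matches the neighbouring fields so keeping it is reasonable.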
@@ -361,6 +362,7 @@ yy_flex_debug = 0;
 {key_fstype} { return(TOK_KEY_FSTYPE); }
 {key_flags} { BEGIN(safe_string); return(TOK_KEY_FLAGS); }
 {key_srcname} { BEGIN(safe_string); return(TOK_KEY_SRCNAME); }
+{key_class} { BEGIN(safe_string); return(TOK_KEY_CLASS); }
 {socklogd_kernel} { BEGIN(dmesg_timestamp); return(TOK_SOCKLOGD_KERNEL); }
 {syslog_kernel} { BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
diff --git a/libraries/libapparmor/swig/python/test/test_python.py.in b/libraries/libapparmor/swig/python/test/test_python.py.in
index 29fd05116..02b4c39ee 100644
--- a/libraries/libapparmor/swig/python/test/test_python.py.in
+++ b/libraries/libapparmor/swig/python/test/test_python.py.in
@@ -35,6 +35,7 @@ OUTPUT_MAP = {
 'Local port': 'net_local_port',
 'Foreign port': 'net_foreign_port',
 'Audit subid': 'audit_sub_id',
+ 'Class': '_class',
 }
 # FIXME: pull this automatically out of LibAppArmor, but swig
@@ -109,7 +110,7 @@ class AAPythonBindingsTests(unittest.TestCase):
 """parse the swig created record and construct a dict from it"""
 new_record = dict()
- for key in [x for x in dir(record) if not (x.startswith('_') or x == 'this')]:
+ for key in [x for x in dir(record) if not (x.startswith('__') or x == 'this')]:
 value = getattr(record, key)
 if key == "event" and value in EVENT_MAP:
 new_record[key] = EVENT_MAP[value]
diff --git a/libraries/libapparmor/testsuite/test_multi.c b/libraries/libapparmor/testsuite/test_multi.c
index 016077192..f4092a870 100644
--- a/libraries/libapparmor/testsuite/test_multi.c
+++ b/libraries/libapparmor/testsuite/test_multi.c
@@ -134,6 +134,8 @@ int print_results(aa_log_record *record)
 print_string("Flags", record->flags);
 print_string("Src name", record->src_name);
+ print_string("Class", record->class);
+
 print_long("Epoch", record->epoch, 0);
 print_long("Audit subid", (long) record->audit_sub_id, 0);
 return(0);
diff --git a/utils/apparmor/logparser.py b/utils/apparmor/logparser.py
index 5fc3acc68..69b5fdd1a 100644
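Review bot: Loosening the attribute filter from `x.startswith('_')` to `x.startswith('__')` is needed to reach `_class`, but it now also admits any other single-underscore attribute the SWIG proxy class exposes, so an unrelated helper attribute would show up as a stray key in the record dict; a targeted allowance (keep the `'_'` filter and add `or x == '_class'` to the inclusion) would be narrower. Whichever form is kept, the `'Class': '_class'` entry in OUTPUT_MAP deserves a comment so the name is not mistaken for a private member: `# SWIG exposes the C field 'class' as '_class' because 'class' is a Python keyword`. The parse method containing the loop starts outside the hunk.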
--- a/utils/apparmor/logparser.py
+++ b/utils/apparmor/logparser.py
@@ -102,6 +102,7 @@ class ReadLog:
 ev['family'] = event.net_family
 ev['protocol'] = event.net_protocol
 ev['sock_type'] = event.net_sock_type
+ ev['class'] = event._class
 if event.ouid != ctypes.c_ulong(-1).value: # ULONG_MAX
 ev['fsuid'] = event.fsuid
diff --git a/utils/test/test-capability.py b/utils/test/test-capability.py
index d39e5fa25..3bb64b817 100644
--- a/utils/test/test-capability.py
+++ b/utils/test/test-capability.py
@@ -124,6 +124,7 @@ class CapabilityTest(AATest):
 'family': None,
 'protocol': None,
 'sock_type': None,
+ 'class': None,
 })
 obj = CapabilityRule(parsed_event['name'], log_event=parsed_event)
diff --git a/utils/test/test-change_profile.py b/utils/test/test-change_profile.py
index 38375fc3d..426884868 100644
--- a/utils/test/test-change_profile.py
+++ b/utils/test/test-change_profile.py
@@ -129,6 +129,7 @@ class ChangeProfileTestParseFromLog(ChangeProfileTest):
 'family': None,
 'protocol': None,
 'sock_type': None,
+ 'class': None,
 })
 obj = ChangeProfileRule(None, ChangeProfileRule.ALL, parsed_event['name2'], log_event=parsed_event)
diff --git a/utils/test/test-dbus.py b/utils/test/test-dbus.py
index e3f69ae0c..5ff8f90cc 100644
--- a/utils/test/test-dbus.py
+++ b/utils/test/test-dbus.py
@@ -162,6 +162,7 @@ class DbusTestParseFromLog(DbusTest):
 'family': None,
 'protocol': None,
 'sock_type': None,
+ 'class': None,
 })
 # # XXX send rules must not contain name conditional, but the log event includes it - how should we handle this in logparser.py?
diff --git a/utils/test/test-file.py b/utils/test/test-file.py
index ade409f3e..227e4380e 100644
--- a/utils/test/test-file.py
+++ b/utils/test/test-file.py
@@ -177,6 +177,7 @@ class FileTestParseFromLog(FileTest):
 'family': None,
 'protocol': None,
 'sock_type': None,
+ 'class': None,
 })
 # FileRule path, perms, exec_perms, target, owner, file_keyword, leading_perms
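Review bot: `event._class` reads like access to a private attribute of the binding object, but it is the name SWIG gives the C field `class` because `class` is a Python keyword; without a comment the next maintainer may "fix" it or flag it in lint. Suggested: `ev['class'] = event._class  # SWIG renames the C field 'class' to '_class' (Python keyword)`. The value is presumably None for log lines that carry no class= key, which is consistent with the `'class': None` expectations added to the utils tests, but the ReadLog method containing this line starts and ends outside the hunk so that default is not visible here.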
diff --git a/utils/test/test-logparser.py b/utils/test/test-logparser.py
index c38759d7c..39acae0e5 100644
--- a/utils/test/test-logparser.py
+++ b/utils/test/test-logparser.py
@@ -95,6 +95,7 @@ class TestParseEvent(AATest):
 'family': None,
 'protocol': None,
 'sock_type': None,
+ 'class': None,
 })
 self.assertIsNotNone(ReadLog.RE_LOG_ALL.search(event))
diff --git a/utils/test/test-network.py b/utils/test/test-network.py
index 465003b6f..d9858cd05 100644
--- a/utils/test/test-network.py
+++ b/utils/test/test-network.py
@@ -132,6 +132,7 @@ class NetworkTestParseFromLog(NetworkTest):
 'attr': None,
 'name2': None,
 'name': None,
+ 'class': None,
 })
 obj = NetworkRule(parsed_event['family'], parsed_event['sock_type'], log_event=parsed_event)
diff --git a/utils/test/test-ptrace.py b/utils/test/test-ptrace.py
index 1d6a60289..6eac4bb02 100644
--- a/utils/test/test-ptrace.py
+++ b/utils/test/test-ptrace.py
@@ -118,6 +118,7 @@ class PtraceTestParseFromLog(PtraceTest):
 'family': None,
 'protocol': None,
 'sock_type': None,
+ 'class': None,
 })
 obj = PtraceRule(parsed_event['denied_mask'], parsed_event['peer'], log_event=parsed_event)
diff --git a/utils/test/test-signal.py b/utils/test/test-signal.py
index ac68b12e5..e272adedf 100644
--- a/utils/test/test-signal.py
+++ b/utils/test/test-signal.py
@@ -123,6 +123,7 @@ class SignalTestParseFromLog(SignalTest):
 'family': None,
 'protocol': None,
 'sock_type': None,
+ 'class': None,
 })
 obj = SignalRule(parsed_event['denied_mask'], parsed_event['signal'], parsed_event['peer'], log_event=parsed_event)