diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go
index 194e6dc03..2443eaace 100644
--- a/pkg/logs/logs.go
+++ b/pkg/logs/logs.go
@@ -67,7 +67,8 @@ var (
 		`/att/[^/@]+`, `@{att}/`,
 		`/usr/lib(32|64|exec)`, `@{lib}`,
 		`/usr/lib`, `@{lib}`,
-		`/usr/(bin|sbin)`, `@{bin}`,
+		`/usr/sbin`, `@{sbin}`,
+		`/usr/bin`, `@{bin}`,
 		`(x86_64|amd64|i386|i686)`, `@{arch}`,
 		`@{arch}-*linux-gnu[^/]?`, `@{multiarch}`,
 		`/usr/etc/`, `@{etc_ro}/`,
diff --git a/pkg/logs/logs_test.go b/pkg/logs/logs_test.go
index 6ddd5ac9e..376b23f42 100644
--- a/pkg/logs/logs_test.go
+++ b/pkg/logs/logs_test.go
@@ -81,7 +81,7 @@ func TestAppArmorEvents(t *testing.T) {
 			want: AppArmorLogs{
 				{
 					"apparmor":       "ALLOWED",
-					"profile":        "@{bin}/httpd2-prefork//vhost_foo",
+					"profile":        "@{sbin}/httpd2-prefork//vhost_foo",
 					"operation":      "rename_dest",
 					"name":           "@{HOME}/foo.bar.in/httpdocs/apparmor/images/test/image 1.jpg",
 					"comm":           "httpd2-prefork",