What Exactly Do These "Kernel Audit" Entries in Logwatch Report Mean?
This is part of the Linux audit framework (see https://github.com/torvalds/linux/blob/master/include/uapi/linux/audit.h). For example, 1702 and 1302 mean:
1702 /* Suspicious use of file links */
1302 /* Filename path information */
For the Unmatched Entries, you need to look at your specific settings in logwatch.conf and audit.conf.
For example, let's look at what this one means.
audit: type=1702 audit(1501125815.715:26): op=linkat ppid=24321 pid=24322 auid=1004 uid=1004 gid=1005 euid=1004 suid=1004 fsuid=1004 egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4404 comm="sshd" exe="/usr/sbin/sshd" res=0
This is "Suspicious use of file links" for user id 1004. So you need to check which user that is. It is referring to the "linkat" operation, which is a Linux system function, and this was invoked by sshd. The audit flagged this as suspicious (note that it didn't deny or block). So something in your system is running the sys call linkat (which basically creates a new file name, but I am not that familiar with this call).
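To read such entries without decoding them by hand, the following added example (not part of the original answer) parses a kernel audit line into its record type, UTC timestamp, event serial and key=value fields. The function name `parse_audit_record` and the two-entry type table are assumptions of this example; the table covers only the two record types named above.

```python
import re
from datetime import datetime, timezone

# Only the two types discussed above; names and meanings as in audit.h.
AUDIT_TYPES = {
    1302: ("AUDIT_PATH", "Filename path information"),
    1702: ("AUDIT_ANOM_LINK", "Suspicious use of file links"),
}

# Header layout: type=<id> audit(<epoch seconds>.<millis>:<serial>): <fields>
HEADER = re.compile(r"type=(\d+) audit\((\d+)\.(\d{3}):(\d+)\):\s*(.*)")
# Fields are key=value; values may be double-quoted (comm="sshd").
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_audit_record(line):
    """Return a dict describing one audit line, or None if it is not one."""
    m = HEADER.search(line)
    if m is None:
        return None
    type_id, secs, millis, serial, body = m.groups()
    name, meaning = AUDIT_TYPES.get(int(type_id), ("UNKNOWN", "not in this table"))
    # Seconds and milliseconds are handled as integers to avoid float rounding.
    when = datetime.fromtimestamp(int(secs), tz=timezone.utc)
    when = when.replace(microsecond=int(millis) * 1000)
    fields = {k: quoted or bare for k, quoted, bare in FIELD.findall(body)}
    return {"type": int(type_id), "type_name": name, "meaning": meaning,
            "time_utc": when, "serial": int(serial), "fields": fields}

def summarize(rec):
    """One-line summary showing the fields you would follow up on."""
    f = rec["fields"]
    return (f'{rec["time_utc"].isoformat()} {rec["type_name"]} ({rec["meaning"]}): '
            f'op={f.get("op")} auid={f.get("auid")} uid={f.get("uid")} '
            f'exe={f.get("exe")} res={f.get("res")}')

# The entry quoted in the answer above.
SAMPLE = ('audit: type=1702 audit(1501125815.715:26): op=linkat ppid=24321 '
          'pid=24322 auid=1004 uid=1004 gid=1005 euid=1004 suid=1004 fsuid=1004 '
          'egid=1005 sgid=1005 fsgid=1005 tty=(none) ses=4404 comm="sshd" '
          'exe="/usr/sbin/sshd" res=0')

if __name__ == "__main__":
    print(summarize(parse_audit_record(SAMPLE)))
```

The numeric `auid`/`uid` can then be mapped to an account name with `getent passwd 1004` on the host that produced the log.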