logcheck in dapper+hardy reports normal syslog restarts

Thanks for your bug report. I'm not sure that this might not be of interest. If somebody managed to stop the syslog and start if some time later again it might well be a problem, but as I'm no member of the server team, there might a more relevant opinion on the matter.

Even if it gets accepted, I'm not sure we can get the patch easily into Dapper. Read http://wiki.ubuntu.com/StableReleaseUpdates

Thank you for the quick reply. I see the point in your argument but can add that this event is not reported in Debian or other distributions I had so far. If it's a wanted feature I can live with that, than you'd prolly add an example on how to prevent this event from being reported to the documentation.

This is not a bug, but a feature. And it is reported in other distributions.

Debian:

Jun 20 06:33:12 master syslogd 1.4.1#17: restart.

RedHat:

Jun 17 04:03:14 localhost syslogd 1.4.1: restart.

I would suggest rejecting this bug since restart of syslog of very valuable information, not a bug.

Why, though, would you want logcheck to report a routine operation? Anything that is routine will become continually more mindless; it will train me to ignore it. And, then I will naturally give a little less thought to all logcheck emails.

I'm not proposing this log message not be displayed in the log files, but only that it be filtered out from logcheck notifications. (And that seems to be what the original reporter was suggesting.)

In /etc/logcheck/ignore.d.server/syslogd, there is already a regular expression to match these sorts of things:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ syslogd [.0-9]{5}#[0-9]+: restart \(remote reception\)\.$

However, as the original poster points out, this regular expression does not actually work on Ubuntu (firstly, because Ubuntu packages have 'ubuntu' in the version number, which is not matched by the '[0-9]+' in the regex, and secondly because "remote reception" is not included in the restart message).

Saying that this behaviour is intentional can't be right - why is there a (broken) regex in /etc/logcheck/ignore.d.server/syslogd if it is intentional to report these lines?

I see Daniel Holback's point that you might want to be notified if somebody manages to shut syslog down. When syslog is intentionally shutdown, however, the "exiting on signal 15" message occurs - this can be reported. When syslog routinely restarts, there is no 'signal 15' message, just the 'restart' message, which should be ignored. This way, we can catch the strange events and ignore the routine ones.

Chris Wagner is right that reporting routine operations leads to mindlessly deleting logcheck messages because we know they are not important - this is what logcheck is trying to avoid.

I see this on hardy LTS as well.

This bug was fixed in the package logcheck - 1.3.5ubuntu1

---------------
logcheck (1.3.5ubuntu1) lucid; urgency=low

  * rulefiles/linux/ignore.d.paranoid/cron: make /usr/sbin/ optional in
    pathnames to cron; apparently a difference between syslog and rsyslog;
    LP: #463471.
  * rulefiles/linux/ignore.d.paranoid/sysklogd: more specific matching of
    upstream version and optional Debian/Ubuntu revision (DEBRELEASE), also
    allow all allowed chars in revision fixes matching of Ubuntu versions;
    LP: #116773.
 -- Loic Minier <email address hidden> Thu, 21 Jan 2010 23:09:45 +0100

I don't get the "exiting on signal 15" one.