Comment 5 for bug 116773

Jonathan Hitchcock (vhata) wrote : Re: logcheck in dapper reports normal syslog restarts

In /etc/logcheck/ignore.d.server/syslogd, there is already a regular expression to match these sorts of things:

^\w{3} [ :0-9]{11} [._[:alnum:]-]+ syslogd [.0-9]{5}#[0-9]+: restart \(remote reception\)\.$

However, as the original poster points out, this regular expression does not actually work on Ubuntu (firstly, because Ubuntu packages have 'ubuntu' in the version number, which is not matched by the '[0-9]+' in the regex, and secondly because "remote reception" is not included in the restart message).

Saying that this behaviour is intentional can't be right - why is there a (broken) regex in /etc/logcheck/ignore.d.server/syslogd if it is intentional to report these lines?

I see Daniel Holback's point that you might want to be notified if somebody manages to shut syslog down. When syslog is intentionally shut down, however, the "exiting on signal 15" message occurs - this can be reported. When syslog routinely restarts, there is no 'signal 15' message, just the 'restart' message, which should be ignored. This way, we can catch the strange events and ignore the routine ones.

Chris Wagner is right that reporting routine operations leads to mindlessly deleting logcheck messages because we know they are not important - this is what logcheck is trying to avoid.
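
The mismatch described in this comment can be reproduced with grep -E, as an added example that is not part of the original comment or of the logcheck package. The sample log lines, host name and version strings are constructed, and the relaxed rule is an assumed illustration, not the fix that was shipped.

```shell
#!/bin/sh
# Rule quoted in the comment, from /etc/logcheck/ignore.d.server/syslogd.
ORIG_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ syslogd [.0-9]{5}#[0-9]+: restart \(remote reception\)\.$'

# Assumed relaxed rule (illustration only): allow a distribution suffix after
# the revision number and make the "(remote reception)" part optional.
RELAXED_RULE='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ syslogd [.0-9]{5}#[0-9]+[[:alnum:]]*: restart( \(remote reception\))?\.$'

# Constructed sample lines: a restart in the form the original rule expects,
# a restart in the Ubuntu form the comment describes, and a shutdown.
sample_lines() {
cat <<'EOF'
May 20 06:47:01 host1 syslogd 1.4.1#17: restart (remote reception).
May 20 06:47:02 host1 syslogd 1.4.1#17ubuntu7: restart.
May 20 09:13:44 host1 syslogd 1.4.1#17ubuntu7: exiting on signal 15
EOF
}

# Print the lines an ignore rule does NOT suppress, i.e. the lines that
# would still end up in the logcheck report.
reported() {
    sample_lines | LC_ALL=C grep -E -v -e "$1"
}

# Number of lines still reported under a given rule.
count_reported() {
    reported "$1" | wc -l | tr -d ' '
}

echo "Reported with the original rule:"
reported "$ORIG_RULE"
echo "Reported with the relaxed rule:"
reported "$RELAXED_RULE"
```

With the relaxed rule only the "exiting on signal 15" line is still reported, which is the split between routine and unusual events that the comment argues for.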