Logcheck Debian 9

Debian Stretch logcheck additions to the default rules:

bind:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: received control channel command 'stats'$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ named\[[[:digit:]]+\]: dumpstats complete$

kernel:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel:( \[ *[[:digit:]]+\.[[:digit:]]+\])? conntrack: generic helper won't handle protocol 47\. Please consider loading the specific helper module\.$

ntp:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ntpd\[[0-9]+\]: receive: KoD packet from ([.0-9]{7,15}|[0-9a-fA-F:.]{4,39}) has inconsistent xmt/org/rec timestamps\.  Ignoring\.$

su:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]: pam_systemd\(su:session\): Cannot create session: Already running in a session$

systemd:
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: (Reloading|Reloaded) The Apache HTTP Server\.$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: (Listening on|Closed) GnuPG cryptographic agent \(access for web browsers\)\.$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: (Listening on|Closed) GnuPG network certificate management daemon\.$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: (Listening on|Closed) GnuPG cryptographic agent \((ssh-agent emulation|access for web browsers)\)\.$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: (Listening on|Closed) GnuPG cryptographic agent and passphrase cache( \(restricted\))?\.$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: Startup finished in [0-9]+ms\.$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: [-_[:alnum:]]+.timer: Adding ([0-9]+h )?([0-9]{1,2}min )?[0-9]{1,3}\.[0-9]{3}ms random time\.$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: (Created|Removed) slice User Slice of [-_.[:alnum:]]+\.$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd: pam_unix\(systemd-user:session\): session (opened|closed) for user [-_.[:alnum:]]+( by \(uid=0\))?$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: Received SIGRTMIN\+24 from PID [0-9]+ \(kill\)\.$
^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]\-]+ systemd\[[0-9]+\]: user@[0-9]+\.service: Killing process [0-9]+ \(kill\) with signal SIGKILL\.

systemd-login:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: New session [[:digit:]]+ of user [-_.[:alnum:]]+\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd-logind\[[[:digit:]]+\]: Removed session [[:digit:]]+\.$

rsyslog:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ liblogging-stdlog:  \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="http://www.rsyslog.com"\] rsyslogd was HUPed$