Tested on Ubuntu 18.04
Uses Logwatch and Logcheck: Logcheck filters for important out-of-the-ordinary events on a daily basis; Logwatch gives a weekly overview.
Install
apt-get install msmtp msmtp-mta
Config /etc/msmtprc (the account password below is stored in plaintext, so check who can read this file)
defaults
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
#logfile /home/USERNAME/.msmtp.log
account example
host mail.example.net
port 587
# Note that this is simply envelope-from, not the mail's "From" header
from user@example.net
auth on
user user@example.net
password SOMEPASSWORD
account default : example
aliases /etc/aliases
Forward "root" mail: /etc/aliases
replace everything with:
default: user@example.net
Test
echo "Test from msmtp" | msmtp someone@example.net
echo -e "Subject: I hope I receive this\nTest from sendmail" | sendmail root
Requires an MTA/SMTP: MSMTP
Install
apt-get install logcheck
Config /etc/logcheck/logcheck.conf
SENDMAILTO="logcheck@example.net"
Add some own filter rules
General (/etc/logcheck/ignore.d.server/my-ignores-general)
# Hides successful root public-key logins from the daily report; keep only if root SSH logins are expected and reviewed elsewhere.
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Accepted publickey for root
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection closed by( authenticating user [[:alnum:]\-]+)? [[:xdigit:].:]+ port [[:digit:]:]+ \[preauth\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Disconnected from( (invalid|authenticating) user [._[:alnum:]-]+)? [[:xdigit:].:]+ port [[:digit:]]+( \[preauth\])?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Invalid user [._[:alnum:]-]+ from [[:xdigit:].:]+ port [[:digit:]:]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Received disconnect from [[:xdigit:].:]+ port [[:digit:]:]+ (disconnected by user|Bye Bye \[preauth\])$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Did not receive identification string from [[:xdigit:].:]+ port [[:digit:]:]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: User [._[:alnum:]-]+ not allowed because account is locked$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Starting|Started)? Cleanup of Temporary Directories(..)?.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: (Starting|Started)? Daily apt( download)? activities(..)?.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: apt-daily.timer: Adding [[:digit:]\. hmins]+ random time.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Reload(ed|ing) The Apache HTTP Server.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: message repeated [[:digit:]]+ times: \[ Reloading.\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[[:digit:].]+\] systemd\[[[:digit:].]+\]: Detected (virtualization|architecture) .+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ kernel: \[[[:digit:].]+\] sh \([[:digit:]]+\): drop_caches: [[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dbus-daemon\[[[:digit:]]+\]: \[system\] Reloaded configuration$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dbus-daemon\[[[:digit:]]+\]: message repeated [[:digit:]]+ times: \[ \[system\] Reloaded configuration\]$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ 50-motd-news\[[[:digit:]]+\]:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ fstrim\[[[:digit:]]+\]: /[[:alnum:]/]*: [[:digit:]\.]+ (Ki|Mi|Gi)?B \([[:digit:]]+ bytes\) trimmed$
# SNAPD?
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Start(ed|ing) Automatically refresh installed snaps\.(\.\.)?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: Started Automatically refresh installed snaps.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ systemd\[[[:digit:]]+\]: snapd.refresh.timer: Adding ([[:digit:]]+h )?[[:digit:]]+min [[:digit:]\.]+s random time\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ snap\[[[:digit:]]+\]: No snaps are installed yet. Try 'snap install hello-world'\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ snap\[[[:digit:]]+\]: All snaps up-to-date\.$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ /usr/lib/snapd/snapd\[[[:digit:]]+\]: daemon.go:[[:digit:]]+: DEBUG:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ os-prober: debug: .+ (DOS extended partition; skipping|is active swap)$
Mail Server (/etc/logcheck/ignore.d.server/my-ignores-mail)
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Login: user=
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Aborted login
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap-login: Disconnected
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([^\)]+\): Disconnected for inactivity in=[[:digit:]]+ out=[[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([^\)]+\): Connection closed \(([[:upper:] ]+ (finished|running) [^\)]+|No commands sent)\)
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([^\)]+\): Logged out in=[[:digit:]]+ out=[[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([^\)]+\): Server shutting down. in=[[:digit:]]+ out=[[:digit:]]+
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([^\)]+\): sieve:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot:( message repeated [[:digit:]]+ times: \[)? indexer-worker\([^\)]+\): Indexed [[:digit:]]+ messages in [^[:space:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([[:digit:]]+\): Connect from local$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([^\)]+\): .+ stored mail into mailbox
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([[:digit:]]+\): Disconnect from local: Successful quit$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: managesieve-login: Disconnected \(no auth attempts in [[:digit:]]+ secs\)
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/anvil\[[[:digit:]]+\]: statistics: max connection rate [1-5]/60s for \(smtpd:[[:xdigit:].:]+\) at \w{3} [ :[:digit:]]{11}$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/anvil\[[[:digit:]]+\]: statistics: max connection count [1-5] for \(smtpd:[[:xdigit:].:]+\) at \w{3} [ :[:digit:]]{11}$
#^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/cleanup\[[[:digit:]]+\]: [[:xdigit:]]: milter-reject: .+ (Spam message rejected|Try again later)
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/dnsblog\[[[:digit:]]+\]: addr [[:digit:]\.]+ listed by domain [^\ ]+ as [[:digit:]\.]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/lmtp\[[[:digit:]]+\]: .+ status=sent
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/postscreen\[[[:digit:]]+\]: CONNECT from \[[[:xdigit:]\.\:]+\]:[[:digit:]]+ to \[[[:xdigit:]\.\:]+\]:[[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/postscreen\[[[:digit:]]+\]: DISCONNECT \[[[:xdigit:]\.\:]+\]:[[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/postscreen\[[[:digit:]]+\]: PASS (NEW|OLD) \[[[:xdigit:]\.\:]+\]:[[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/postscreen\[[[:digit:]]+\]: HANGUP after
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/postscreen\[[[:digit:]]+\]: cache btree:/var/lib/postfix/postscreen_cache full cleanup: retained=[[:digit:]]+ dropped=[[:digit:]]+ entries$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(/submission)?/smtpd\[[[:digit:]]+\]: disconnect from
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(/submission)?/smtpd\[[[:digit:]]+\]: warning: hostname [[:alnum:].-]+ does not resolve to address [[:xdigit:]:.]+(: Name or service not known)?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix(/submission)?/smtpd\[[[:digit:]]+\]: SSL_accept error from
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/submission/smtpd\[[[:digit:]]+\]: connect from
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/submission/smtpd\[[[:digit:]]+\]: [[:xdigit:]]+: client=[[:alnum:]\-\.]+\[[[:xdigit:].:]+\], sasl_method=(PLAIN|LOGIN), sasl_username=[^[:space:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/submission/smtpd\[[[:digit:]]+\]: lost connection after [[:upper:]]+ from [[:alnum:].\-]+
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/submission/smtpd\[[[:digit:]]+\]: warning: [[:alnum:]\-\.]+\[[[:xdigit:]:.]+\]: SASL (PLAIN|LOGIN) authentication failed:( [[:alnum:]]+)?$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/submission/smtpd\[[[:digit:]]+\]: warning: non-SMTP command from
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [A-Z[:digit:]]+: DKIM-Signature field added \(s=key2016, d=[[:alnum:].-]+\)$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [A-Z[:digit:]]+: [^ ]+ \[[[:xdigit:].:]+\] not internal$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ opendkim\[[[:digit:]]+\]: [A-Z[:digit:]]+: not authenticated$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([[:digit:]\-]+\) Passed CLEAN \{AcceptedOutbound\}, AM.PDP-SOCK/ORIGINATING LOCAL
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([[:digit:]\-]+\) Passed CLEAN \{AcceptedInbound\}, AM.PDP-SOCK
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([[:digit:]\-]+\) Passed CLEAN \{AcceptedInternal\}, AM.PDP-SOCK/ORIGINATING LOCAL
# POSTFIX: Blacklisted (DNSBL) connection attempts
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/postscreen\[[[:digit:]]+\]: DNSBL rank [[:digit:]]+ for \[[[:digit:]\.]+\]:[[:digit:]]+$
# POSTFIX: PreGreet
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/postscreen\[[[:digit:]]+\]: PREGREET [[:digit:]]+ after [[:digit:]\.]+ from \[[[:digit:]\.]+\]:[[:digit:]]+:
# POSTFIX: Hostname/IP mismatch/unknown
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/postscreen\[[[:digit:]]+\]: NOQUEUE: reject: RCPT from unknown\[[[:xdigit:].:]+\]: 450 4.7.25 Client host rejected: cannot find your hostname, \[[[:xdigit:].:]+\]; from=<[^> ]+> to=<[^> ]+> proto=ESMTP helo=<[^> ]+>$
# AMAVIS: SPAM
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([[:digit:]\-]+\) Blocked SPAM \{RejectedInbound\},
# Rspamd
TeamSpeak (/etc/logcheck/ignore.d.server/my-ignores-ts)
# The pipe in the ts3server log format must be escaped; an unescaped | would make this rule ignore every log line containing "INFO" from any service.
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ts3server\[[[:digit:]]+\]: ([[:digit:] .:-]+)\|INFO
TODO
apt-get install logwatch