A Python monitor that runs on your server, checks 12 things every 4 hours, and only contacts you when something needs attention. Tap a notification on your phone and the security update installs itself. No SSH session. We set it all up for you.
Get it deployed: admin@belikebee.com
Twelve checks, all built on standard Linux tools you already trust: apt, systemctl, openssl, dig, fail2ban-client, AIDE. One systemd timer runs them every four hours. No agents, no SaaS dependency, no telemetry: nothing leaves the box unless you explicitly point a reporter at it.
-security suite.
CRITICAL on security
MemAvailable from /proc/meminfo.
WARN <500 MB
systemctl is-active for every unit you mark critical.
CRITICAL if down
:latest - flags stale containers.
INFO if outdated
/etc, /usr, /bin - flags tampering with system binaries and configs.
CRITICAL on changes
One Python file per check: a clean, auditable codebase. Need a check that is specific to your setup? We add it for you as part of the service.
Every channel runs side by side and shares one state: snooze a check on the mobile app and Telegram stops pinging you about it too. Pick the channel that fits the moment.
/runnow, /status, /clearignores
SECURITY: openssl
SECURITY: libssl3
Telegram bot - the same action buttons reach the mobile app as push notifications.
Self-hosted web dashboard at api.watchlog.pl - one tab for every server you run.
Native Flutter app - pair with one QR scan, fix things straight from the lock screen.
watchlog detects; unattended-upgrades applies. Both are battle-tested, both ship with Ubuntu, both run as systemd timers. Wire them together once and the loop closes itself: from Ubuntu releasing a security patch to your box being fully updated, with a single one-time setup and no SSH afterwards.
New package appears in the -security suite. Mirrors usually sync within 30 minutes.
apt list --upgradable
-security suite/status.json heartbeat updated for external monitors
The daemon runs unattended-upgrade -v, command output comes straight back to chat or to the mobile app, and the action is written to the audit log. From your couch, in seconds, with biometric confirmation on the app side.
-security suite
Worst severity drops back to OK or INFO. The alert thread closes itself. No follow-up emails, no daily-digest spam.
Every action the Telegram bot and the mobile app perform sits behind a documented FastAPI endpoint. Bind the daemon to localhost, terminate TLS with your existing nginx or Caddy, and integrate watchlog with anything that can speak HTTP. Full OpenAPI / Swagger docs live next to the API itself.
read and act
sudo watchlog api qr on the server
GET /api/v1/health
GET /api/v1/status - age_seconds. Structured metrics per check (status.json v2).
GET /api/v1/host
GET /api/v1/checks/info
GET /api/v1/reports[/{date}]
POST /api/v1/runs - watchlog run; returns combined output.
POST /api/v1/state/{snooze,ignore}
POST /api/v1/actions/apply-security - unattended-upgrade -v. Whitelisted command; never arbitrary shell.
POST /api/v1/actions/restart-service - {"service": "nginx"}. Audit-logged.
POST /api/v1/actions/reboot - shutdown -r +1 when enabled; 60-second abort window.
POST /api/v1/actions/logs - journalctl lines for a whitelisted unit. Read-only.
GET /api/v1/actions
GET · PATCH /api/v1/push/preferences
POST /api/v1/pair - watchlog api qr for a per-device token. No auth, rate-limited.
GET /api/v1/audit
Roughly 25 endpoints in total. Full schema is browsable at api.watchlog.pl/docs (Bearer token required).
watchlog runs on a server, executes commands as root, and talks to your phone, so the security model matters more than the features. Every default is the safe one; every dangerous endpoint is off until you switch it on.
The API daemon listens on localhost only and is never exposed directly to the internet. Outside connections come through encrypted TLS on the reverse proxy in front of it.
Every paired phone gets its own token. Lose a device, run watchlog api tokens revoke tok_xxx, and the other devices keep working.
Plaintext token is shown once at issuance and never again. The daemon stores only the hash.
The QR contains a 6-character single-use code (not the token). 5-minute expiry, lock-out after 3 failed attempts. The real token travels once during redemption.
Every auth, pair, token-issue, token-revoke, and action lands in /var/log/watchlog/audit.log as JSON. The mobile app surfaces it; nothing is hidden.
Restart-service, apply-security, tail-logs, reboot: each is a fixed command list the operator opts into. No arbitrary shell.
The bot accepts callbacks only from the chat_id you configured. Anything else is silently rejected and logged.
Optional Face ID / fingerprint / device PIN gate on mobile. Android FLAG_SECURE hides content from screenshots and task switcher. Tokens live in Keystore / Keychain.
Mobile app exports server list + tokens + preferences to a passphrase-encrypted blob (AES-256-GCM, PBKDF2 600k). Restore on a new phone without re-pairing.
No crash reports, no usage stats leave the device until you turn them on in Settings. No tokens, hostnames, or personal data are ever collected.
watchlog has no cloud component. Every check runs locally; only reporters you enable (Telegram, email, FCM) emit anything outward.
Roughly 4k lines of Python, readable end to end. No license keys, no calls home, no hidden cloud component.
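A sketch of the pairing flow described above (6-character single-use code, 5-minute expiry, lock-out after 3 failed attempts, hash-only token storage), written as an added example and not taken from watchlog's code. The `PairingStore` class, the code alphabet, the use of SHA-256 and the choice to invalidate the code on lock-out are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

CODE_TTL = 300      # 5-minute expiry (from the page)
MAX_FAILURES = 3    # lock-out after 3 failed attempts (from the page)
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # assumption: no look-alike chars

def _h(value: str) -> str:
    # Assumption: SHA-256; the page only says "the hash".
    return hashlib.sha256(value.encode()).hexdigest()

class PairingStore:
    """Hypothetical in-memory store, for illustration only."""
    def __init__(self, clock):
        self.clock = clock          # injected so expiry can be tested
        self.pending = None         # (code_hash, expires_at) or None
        self.failures = 0
        self.token_hashes = {}      # token_id -> hash; plaintext never stored

    def issue_code(self) -> str:
        code = "".join(secrets.choice(ALPHABET) for _ in range(6))
        self.pending = (_h(code), self.clock() + CODE_TTL)
        self.failures = 0
        return code                 # this goes in the QR, not the token

    def redeem(self, code: str):
        if self.pending is None:
            return None
        code_hash, expires_at = self.pending
        if self.clock() > expires_at:
            self.pending = None
            return None
        if not hmac.compare_digest(_h(code), code_hash):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.pending = None  # locked out: the code is dead
            return None
        self.pending = None          # single use
        token_id = "tok_" + secrets.token_hex(4)
        token = secrets.token_urlsafe(32)
        self.token_hashes[token_id] = _h(token)
        return token_id, token       # plaintext leaves the server once, here

    def verify(self, token: str) -> bool:
        return _h(token) in self.token_hashes.values()

    def revoke(self, token_id: str) -> bool:
        return self.token_hashes.pop(token_id, None) is not None
```

Revoking one `token_id` removes only that device's hash, which is why the other paired devices keep working.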
Yes. The phone app never sends a command for the server to run. It only tells the server which button you pressed, and the server already knows exactly what it is allowed to do. There is no way to append or slip in a command of your own.
The phone only picks from a fixed list of actions you approved in advance: install security updates, restart a named service, show logs. Anything outside that list is simply refused and written to the audit log.
Every action needs your device's own private key (lose the phone and you revoke its access with one command), the connection is encrypted, and the service is never exposed to the open internet. In the worst case, someone holding your phone could at most tap the same safe buttons you can. They cannot get into the server or run anything off the list.
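The fixed-action model described above, as an added example that is not watchlog's own code: the client sends only an action name and, for some actions, a service name, and the server maps that to a hard-coded argument list. The function names, the sample unit allowlist and the `systemctl`/`journalctl` arguments are assumptions; `unattended-upgrade -v` and `shutdown -r +1` are the commands the page names.

```python
import json

DEFAULT_ENABLED = {"apply-security", "restart-service", "logs"}  # reboot is opt-in
ALLOWED_UNITS = {"nginx", "postgresql"}   # constructed sample allowlist


class Refused(Exception):
    pass


def build_argv(action, params, enabled=DEFAULT_ENABLED):
    """Map a button name to a fixed argv; nothing from the client is executed."""
    if action not in enabled:
        raise Refused("action not enabled")
    if action == "apply-security":
        return ["unattended-upgrade", "-v"]
    if action == "reboot":
        return ["shutdown", "-r", "+1"]
    # Remaining actions take one parameter, checked by exact match.
    service = params.get("service")
    if not isinstance(service, str) or service not in ALLOWED_UNITS:
        raise Refused("unit not in allowlist")
    if action == "restart-service":
        return ["systemctl", "restart", service]
    if action == "logs":
        # Assumed arguments: last 100 lines, no pager.
        return ["journalctl", "-u", service, "-n", "100", "--no-pager"]
    raise Refused("unknown action")


def handle(action, params, token_id, audit, enabled=DEFAULT_ENABLED):
    """Return argv for subprocess.run(argv) (no shell), or None if refused."""
    entry = {"token_id": token_id, "action": action, "params": params}
    try:
        argv = build_argv(action, params, enabled)
        entry["result"] = "accepted"
    except Refused as exc:
        argv = None
        entry["result"] = "refused: " + str(exc)
    audit.append(json.dumps(entry))   # one JSON line per request
    return argv
```

Because the result is an argument list passed without a shell and the service name must match the allowlist exactly, a value such as `nginx; id` is refused rather than interpreted.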
watchlog is not a download. We deploy and run it for you as a managed service. Installation, check configuration, Telegram, push notifications and the mobile app are all handled on our side, so you never touch a config file or a systemd unit.
Write to admin@belikebee.com and tell us what you want monitored. We scope it to your infrastructure and reply with the next steps.
We install watchlog on your server, wire up the checks, notification channels and the API, and run the first check together with you.
Once it is live you pair the mobile app and start receiving alerts. For any change or an extra server, just reach out to admin@belikebee.com.