Server health
without surprises.

Open-source Python tool that quietly watches your Linux server every day, and pings you only when something needs attention. APT security updates, SSL expiry, blacklists, services, and more.

pip install git+https://github.com/Belikebee1/watchlog.git
v0.1.0 (released) · MIT licensed · Python 3.10+ · systemd-native

01. What makes watchlog different

Security-first

APT security updates flagged as critical. IP blacklists checked daily. SSH brute-force tracked.

No spam

Email only when something is actually wrong. Configurable severity threshold per channel.

Pluggable

One file per check, one file per reporter. Add your own without touching the core.

Zero-dep checks

Each check uses standard tools (apt, systemctl, openssl, dig). Nothing exotic to install.

Multi-channel

Email today, Telegram bot with action buttons next, mobile app via REST API later.

Audit trail

Every run archived as JSON in /var/log/watchlog/ for retro debugging.

02. What it checks (out of the box)

Check | What it does | Alert level
apt_updates | Counts upgradable packages, escalates security ones to critical. | CRITICAL on security
ssl_certs | Let's Encrypt cert expiry across all live certs. | WARN <30d
disk_space | Filesystem usage per mount, ignoring tmpfs/snap. | WARN >80%
memory | MemAvailable from /proc/meminfo. | WARN <500MB
services | systemctl is-active for configured critical services. | CRITICAL if down
docker_images | Local digest vs registry :latest digest. | INFO if outdated
ip_blacklist | Spamhaus, Barracuda, SpamCop, SORBS lookup. | CRITICAL if listed
dns_records | SPF/DKIM/DMARC/MX/A presence regression check. | CRITICAL if missing
ssh_brute | Failed SSH logins in last 24h, ranked by source IP. | WARN >threshold

03. How it works in practice

watchlog only detects and notifies. To actually apply security patches automatically, pair it with unattended-upgrades (Ubuntu's built-in tool, often disabled by default). Together they give you end-to-end automated security with no SSH session needed.

Typical security update: start to finish

14:00 UTC

Ubuntu releases security update

The new package appears in the -security suite. Hetzner / your mirror syncs it within ~30 min.

16:00 UTC (max +4h)

watchlog runs (every 4 hours)

  • Detects the security update via apt list --upgradable
  • Escalates to CRITICAL severity (security suite)
  • Emails you: "1 security update available"
  • Updates /status.json heartbeat

06:00 UTC next day

unattended-upgrades runs (daily)

  • Installs only packages from -security suite
  • Reboots automatically if a kernel update needs it (default 03:30, won't reboot if users are logged in)
  • Emails you: "Successfully installed: php8.3-fpm"

08:00 UTC

watchlog runs again

Confirms the security update is gone. Worst severity drops back to OK or INFO. No more emails.

Total time-to-patch: ~16 hours from Ubuntu release to fully patched, fully automatic. No SSH session needed.
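
The detection step in the timeline above, as an added example (not watchlog's own code): parsing apt list --upgradable output and escalating anything published in a -security suite to CRITICAL. The sample output is constructed, and the function names plus the INFO and OK levels for the non-security cases are assumptions.

```python
import re

# Constructed sample of `apt list --upgradable` output (not from a real host).
SAMPLE = """\
Listing... Done
php8.3-fpm/noble-updates,noble-security 8.3.6-0ubuntu0.24.04.2 amd64 [upgradable from: 8.3.6-0ubuntu0.24.04.1]
curl/noble-updates 8.5.0-2ubuntu10.5 amd64 [upgradable from: 8.5.0-2ubuntu10.4]
"""

# name/suite[,suite...] new-version arch [upgradable from: old-version]
LINE = re.compile(
    r"^(?P<name>[^/\s]+)/(?P<suites>\S+)\s+(?P<new>\S+)\s+(?P<arch>\S+)"
    r"\s+\[upgradable from: (?P<old>[^\]]+)\]$"
)

def parse_upgradable(text):
    """Return one dict per upgradable package; skip headers and blank lines."""
    pkgs = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # e.g. "Listing... Done"
        pkgs.append({
            "name": m["name"],
            "old": m["old"],
            "new": m["new"],
            # A package can be published in several suites at once; a single
            # "-security" entry is enough to treat it as a security fix.
            "security": any(s.endswith("-security") for s in m["suites"].split(",")),
        })
    return pkgs

def classify(pkgs):
    """Map the package list to (severity, message). INFO/OK are assumed levels."""
    sec = sorted(p["name"] for p in pkgs if p["security"])
    if sec:
        plural = "s" if len(sec) != 1 else ""
        return "CRITICAL", f"{len(sec)} security update{plural} available: {', '.join(sec)}"
    if pkgs:
        return "INFO", f"{len(pkgs)} non-security update(s) available"
    return "OK", "no upgradable packages"

if __name__ == "__main__":
    print(classify(parse_upgradable(SAMPLE)))
```

Matching on the suite name rather than the package name is what lets the same logic report CRITICAL before unattended-upgrades runs and fall back to INFO or OK afterwards.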

Two cooperating timers

watchlog.timer

every 4 hours · 00, 04, 08, 12, 16, 20 UTC
Detects + notifies
  • email when WARN/CRITICAL
  • /status.json heartbeat
  • /var/log/watchlog/*.json

apt-daily-upgrade.timer

daily ~06:00 UTC
Installs security updates
  • email on change
  • reboot if kernel update
  • /var/log/unattended-upgrades/

04. Get started in 5 minutes

Install

pip install git+https://github.com/Belikebee1/watchlog.git

Configure

sudo mkdir -p /etc/watchlog
sudo curl -fsSL -o /etc/watchlog/config.yaml \
  https://raw.githubusercontent.com/Belikebee1/watchlog/main/config.example.yaml
sudo $EDITOR /etc/watchlog/config.yaml

Run once to verify

sudo watchlog run

Enable systemd timer

# Default: every 4 hours (00, 04, 08, 12, 16, 20 UTC)
sudo watchlog install
systemctl list-timers watchlog

Pair with unattended-upgrades (recommended)

# Already preinstalled on Ubuntu; just enable security auto-install:
echo 'APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";' | sudo tee /etc/apt/apt.conf.d/20auto-upgrades

# Set notification email
sudo sed -i 's|//Unattended-Upgrade::Mail "";|Unattended-Upgrade::Mail "you@example.com";|' \
    /etc/apt/apt.conf.d/50unattended-upgrades

# Verify
systemctl list-timers apt-daily-upgrade watchlog

05. Roadmap

v0.1: Released

9 checks, stdout/email/JSON reporters, systemd installer.

v0.2: Telegram

Interactive notifications with Apply / Postpone / Ignore buttons. Long-polling, no webhook needed.

v0.3: REST API + dashboard

FastAPI daemon, web UI for checking history, action endpoints for mobile clients.

v0.4: More checks

fail2ban stats, open ports baseline diff, file integrity (AIDE), CVE matching.