Logwatch without an MTA like Postfix
Logwatch is a log analysis tool for Linux-based servers. The general gist is that you get emailed reports when suspicious activity occurs. It does this by parsing your log files and looking for patterns that you can configure.
By default, installing Logwatch pulls in the Postfix MTA, which is a little more heavy duty than I want on a web server. I would rather use a service like Mailgun as a smarthost. This essentially means all outgoing email from your app is routed through Mailgun, giving you the ability to easily view logs and data on opens, bounces, etc. We will configure it so that it only sends email for localhost, does not deliver anything locally, and certainly can't be used as a relay by a third party. To do this we will install and configure Exim as a simple relay.
These steps have only been tested with Ubuntu 12.04.
aptitude install exim4-daemon-light mailutils
You’ll be presented with a welcome screen, followed by a screen asking what type of mail delivery you’d like to support. Choose the option for “mail sent by smarthost; no local mail” and select “Ok” to continue.
Enter your system’s FQDN (fully qualified domain name) in the “mail name” configuration screen.
Enter “127.0.0.1” when asked which IP address to listen on for SMTP connections. The ::1 is for IPv6, so you may not need it.
List your FQDN, hostname, and localhost entries when you’re asked which destinations mail should be accepted for.
Since we are hiding the local mail name we must specify the domain name for local users.
Specify the smart host we are sending through.
As the server is not on a dial-up account we select No to keeping DNS queries minimal.
Don’t split configuration files.
We will authenticate to Mailgun SMTP servers so we need to add those details to “passwd.client”. Instead of the asterisk we could add the hostname of the SMTP server.
sudo nano /etc/exim4/passwd.client
Add a line like this.
Generate the certificate for Exim to use by running this and answering the prompts. This is so we can configure the server for TLS.
Add the following file so we can enable TLS.
sudo touch /etc/exim4/exim4.conf.localmacros
sudo nano /etc/exim4/exim4.conf.localmacros
Add this line to the “localmacros” file. Restart Exim.
MAIN_TLS_ENABLE = 1
sudo /etc/init.d/exim4 restart
Test your configuration
echo "This is a test." | mail -s Testing firstname.lastname@example.org
sudo cat /var/log/exim4/mainlog
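To confirm that the answers given in the configuration screens produce the setup described above (loopback only, no relaying for anyone else), the following added example, which is not part of the original post, audits the settings the Debian/Ubuntu Exim packaging stores in /etc/exim4/update-exim4.conf.conf. The sample files and the smarthost name smtp.example.invalid are constructed for the demo; on a real server, run audit_exim_relay against that file.

```shell
#!/bin/sh
# Added example: audit update-exim4.conf.conf for a loopback-only smarthost relay.

# get_dc FILE KEY: print the value of a KEY='value' line (last one wins)
get_dc() {
    sed -n "s/^$2='\(.*\)'[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# audit_exim_relay FILE: print findings, return the number of failed checks
audit_exim_relay() {
    conf=$1 fails=0
    fail() { echo "FAIL: $*"; fails=$((fails + 1)); }
    # "mail sent by smarthost; no local mail" is stored as 'satellite'
    [ "$(get_dc "$conf" dc_eximconfig_configtype)" = satellite ] ||
        fail "configtype is not 'satellite'"
    # An empty list makes Exim listen on every interface
    ifaces=$(get_dc "$conf" dc_local_interfaces)
    [ -n "$ifaces" ] || fail "dc_local_interfaces is empty (all interfaces)"
    for addr in $(echo "$ifaces" | tr ';' ' '); do
        case $addr in
            127.0.0.1 | ::1) ;;
            *) fail "listening on non-loopback address $addr" ;;
        esac
    done

    # Nothing beyond localhost may relay through this host
    [ -z "$(get_dc "$conf" dc_relay_nets)" ] || fail "dc_relay_nets is set"
    [ -z "$(get_dc "$conf" dc_relay_domains)" ] || fail "dc_relay_domains is set"
    [ -n "$(get_dc "$conf" dc_smarthost)" ] || fail "no smarthost configured"
    return "$fails"
}

# write_sample FILE INTERFACES RELAY_NETS: constructed config for the demo
write_sample() {
    cat > "$1" <<EOF
dc_eximconfig_configtype='satellite'
dc_local_interfaces='$2'
dc_relay_domains=''
dc_relay_nets='$3'
dc_smarthost='smtp.example.invalid::587'
EOF
}

demo=$(mktemp -d)
write_sample "$demo/good" '127.0.0.1 ; ::1' ''
write_sample "$demo/bad" '127.0.0.1 ; 203.0.113.10' '10.0.0.0/8'
audit_exim_relay "$demo/good" && echo "good sample: all checks pass"
audit_exim_relay "$demo/bad" || echo "bad sample: $? failed check(s)"
rm -rf "$demo"
```

The function's exit status is the number of failed checks, so it can be dropped into a provisioning script or a cron job that alerts on a non-zero result.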
To see what packages Logwatch depends on we can run the following.
aptitude show logwatch
Notice how in the “Depends” line it says “Depends: perl, postfix | mail-transport-agent”.
Because Exim ‘implements’ mail-transport-agent, it won’t install Postfix as a dependency.
Install Logwatch and edit its config.
sudo aptitude install logwatch
sudo nano /usr/share/logwatch/default.conf/logwatch.conf
Update the config with these values.
Output = mail
Format = html
Mailto = email@example.com
MailFrom = firstname.lastname@example.org
Range = Yesterday
# Detail can be 4 or Med (get long kernel messages)
Detail = 4
By default the Logwatch process runs as part of cron.daily, which in Ubuntu 12.04 is at 06:26 AM.