Encrypted system logs to gmail using logcheck/procmail/gpg

It's always a good idea to keep external system logs in case something happens to your server, for example, if it gets rooted. Privacy issues are a good reason to keep the logs encrypted. This is a quick look at how to send system logs hourly to Gmail (or some other external mail) from a Debian server. It also assumes quite a bit of knowledge from the reader, sorry for that ;-)

First of all, you need a working mail server, procmail, and a GPG key that is set up (and trusted) in the keyring of the user that procmail runs as.

  • After logcheck has been installed, make sure /etc/aliases forwards "logcheck" to your normal user, e.g. "logcheck: root" and "root: user" (and run newaliases afterwards).
  • In your ~/.procmailrc, add the following rule:

    # Grab the subject of the incoming mail (procmail feeds the mail to the
    # command on stdin), so the encrypted copy keeps a readable subject line.
    SUBJECT=`formail -xSubject:`
    # "c" sends a copy down the pipe and lets the original mail continue to
    # be delivered. A recipe must not contain a blank line: procmail treats
    # one as the end of the recipe, so keep these three lines together.
    # "yourkey" must be fully trusted in this keyring (your own key is),
    # because gpg cannot ask any questions from inside procmail.
    :0 c
    * ^To: logcheck@yourhostname
    | gpg --armor -r yourkey -e | mail -s "$SUBJECT" you@gmail.com

This clones the whole mail (including headers), pipes it through gpg, and sends the encrypted result to your Gmail or other e-mail address. A local copy is kept as well (remove the "c" if you don't want one). If you use Gmail, you may want to create a filter for these messages that skips the inbox and labels them "logs" or something similar. At least Icedove/Thunderbird with the Enigmail extension will now prompt you for your key's passphrase to read these mails.
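One thing the inline pipe does not handle: procmail runs the action without a terminal, so if gpg fails (untrusted or missing key, expired key) it prints nothing, the pipe's exit status is that of mail, and an empty message goes out while the failure passes unnoticed. The wrapper below is an added example, not part of the original post; the script name encrypt-and-mail and the placeholder key id are assumptions. It only calls mail when gpg produced a complete armored message and otherwise logs the failure and leaves the local copy that ":0 c" keeps.

```shell
#!/bin/sh
# encrypt-and-mail (assumed name): fail-closed replacement for the inline
# "gpg ... | mail ..." procmail action. Reads one mail on stdin.
# Procmail action:  | /usr/local/bin/encrypt-and-mail KEYID you@gmail.com
set -u

# Extract the Subject: header value, like "formail -xSubject:" does.
subject_of() {
    # Stop at the first blank line so header-like lines in the body never match.
    sed -n '/^$/q; s/^[Ss]ubject:[[:space:]]*//p' | head -n 1
}

# True only if stdin is a complete ASCII-armored PGP message.
is_armored_message() {
    awk 'NR==1 && $0=="-----BEGIN PGP MESSAGE-----" {b=1}
         b && $0=="-----END PGP MESSAGE-----"      {e=1}
         END {exit !(b && e)}'
}

# Encrypt stdin without a tty: --batch never prompts, --trust-model always
# accepts a key you have not signed (assumed: you checked its fingerprint).
encrypt_mail() {
    gpg --batch --yes --armor --trust-model always -r "$1" -e
}

encrypt_and_mail() {
    key=$1; addr=$2
    tmp=$(mktemp) || exit 75
    cat > "$tmp"
    subject=$(subject_of < "$tmp")
    if enc=$(encrypt_mail "$key" < "$tmp") &&
       printf '%s\n' "$enc" | is_armored_message; then
        printf '%s\n' "$enc" | mail -s "$subject" "$addr"
        rc=$?
    else
        # Send nothing: the local copy kept by ":0 c" is still on the box.
        logger -t encrypt-and-mail "gpg failed for key $key; mail not sent"
        rc=75   # EX_TEMPFAIL, shows up in procmail's log
    fi
    rm -f "$tmp"
    return "$rc"
}

# Run the pipeline only when invoked with arguments (procmail passes two).
if [ $# -ge 2 ]; then
    encrypt_and_mail "$@"
fi
```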