I'd love to see the ability to log certain events, mainly logins (and failed login attempts, but that may be better rate limited since brute force attacks can be, well, brutal). Being able to configure an email server seems like it should be easy (just prompt the customer to provide their own SMTP login information), but better would be the ability to also send webhooks to key services like Slack, Discord, and Teams (enter the webhook URL).
Ideally I care about the following messages:
- Successful login registered via web or SSH (including username, source IP, and service (SSH vs. Web))
- XX Failed Login Attempts over the past 5 minutes (source IP may be useful)
- Firmware update available
- Firmware updated
- System rebooted
The idea is that my use case is as an emergency backup if I lose SSH access to one of my servers, so it should be idle most of the time. If I see an unexpected login I'd probably want to investigate it. I know I can probably use /etc/profile.d to handle SSH, but I don't think I can easily monitor web logins.
As always, I'm happy to help with design or implementation details!
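The alerting behaviour described in this request, as an added example that is not code from the original post or from the product being discussed: a small Python module that parses login events, raises an immediate alert for every successful login (username, source IP, SSH vs. web), aggregates failed attempts per source IP over a sliding 5-minute window so that a brute-force burst yields a single "N failed login attempts" message instead of one per attempt, and builds the minimal JSON body for a Slack, Discord or Teams incoming webhook. The log line format, the sample lines, and the `login_ok`/`login_fail` outcome names are constructed for this example; the webhook body shapes (`{"text": ...}` for Slack and Teams, `{"content": ...}` for Discord) are the simplest forms those services accept and are assumed here. Nothing is sent over the network; payloads are only built and returned.

```python
"""Login alerting with rate-limited failure notifications.

Added example, not the original post's or any product's code.
Assumed (hypothetical) input line format:
    <ISO-8601 timestamp> <ssh|web> <login_ok|login_fail> user=<name> ip=<addr>
"""
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical line format, constructed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>ssh|web) (?P<outcome>login_ok|login_fail) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample input: one success, a burst of failures from one address,
# then a later success. The 6th failure must not produce a second alert.
SAMPLE_LINES = [
    "2024-05-01T12:00:01+00:00 ssh login_ok user=admin ip=203.0.113.5",
    "2024-05-01T12:00:10+00:00 web login_fail user=root ip=198.51.100.7",
    "2024-05-01T12:00:12+00:00 web login_fail user=root ip=198.51.100.7",
    "2024-05-01T12:00:14+00:00 ssh login_fail user=admin ip=198.51.100.7",
    "2024-05-01T12:00:16+00:00 ssh login_fail user=root ip=198.51.100.7",
    "2024-05-01T12:00:18+00:00 ssh login_fail user=root ip=198.51.100.7",
    "2024-05-01T12:00:20+00:00 ssh login_fail user=root ip=198.51.100.7",
    "2024-05-01T12:06:00+00:00 web login_ok user=admin ip=203.0.113.5",
]


def parse_line(line):
    """Return an event dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


class LoginAlerter:
    """Turn login events into alert messages.

    Successful logins alert immediately. Failures are counted per source IP
    over a sliding window; one summary alert fires when the count reaches the
    threshold, and that IP is then muted until a full window has elapsed, so a
    brute-force burst produces one message rather than hundreds.
    """

    def __init__(self, threshold=5, window=timedelta(minutes=5)):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.last_alert = {}                 # ip -> time of last failure alert

    def handle(self, ev):
        if ev["outcome"] == "login_ok":
            return (f"Successful {ev['service'].upper()} login: user={ev['user']} "
                    f"from {ev['ip']} at {ev['ts'].isoformat()}")
        q = self.failures[ev["ip"]]
        q.append(ev["ts"])
        # Drop failures that fell out of the window.
        cutoff = ev["ts"] - self.window
        while q and q[0] < cutoff:
            q.popleft()
        last = self.last_alert.get(ev["ip"])
        if len(q) >= self.threshold and (last is None or ev["ts"] - last >= self.window):
            self.last_alert[ev["ip"]] = ev["ts"]
            minutes = int(self.window.total_seconds() // 60)
            return f"{len(q)} failed login attempts from {ev['ip']} in the last {minutes} minutes"
        return None


def build_webhook_payload(target, message):
    """Minimal JSON body for each webhook target named in the post (assumed shapes)."""
    if target in ("slack", "teams"):
        return json.dumps({"text": message})
    if target == "discord":
        return json.dumps({"content": message})
    raise ValueError(f"unknown webhook target: {target}")


def process_lines(lines, threshold=5, window=timedelta(minutes=5)):
    """Run every line through the alerter and return the alert messages produced."""
    alerter = LoginAlerter(threshold, window)
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line: ignore rather than crash the monitor
        msg = alerter.handle(ev)
        if msg:
            alerts.append(msg)
    return alerts


if __name__ == "__main__":
    for msg in process_lines(SAMPLE_LINES):
        print(build_webhook_payload("slack", msg))
```

Running the module prints three Slack-style payloads for the sample input: the SSH login, one summary for the five failures from 198.51.100.7 (the sixth attempt is suppressed because that address was alerted on seconds earlier), and the later web login. Because the window is evaluated per source IP rather than globally, a single noisy address cannot mask a separate low-and-slow attempt from elsewhere.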