
Synology Disk Station Logs

Hello friends.

Has anybody encountered issues with Synology Disk Station logs?

I have created a data source in the SIEM for my Synology Disk Station.

SIEM settings1.png

In Disk Station Manager I configured log sending to the SIEM via port 514. I tried both TCP and UDP protocols.

DS settings.png

Unfortunately, no logs are captured in the SIEM Dashboard view.

2 Replies
McAfee Employee

Re: Synology Disk Station Logs

You could change the 'Support Generic Syslog' setting to 'Log unknown' under the data source and it should show you any unparsed messages. From your screenshot it looks like you might have a few output format options on your device so you might want to try one of the other ones. You can post a sample for confirmation. Thanks.


Re: Synology Disk Station Logs

 

Hello (for anyone else looking),

At the time of the original posting, the Synology release notes for the DSM version were 6.0.x. I am working with DSM 6.2.x and Log Center 1.1.x, which looks the same as Professor_IS's Log Sending screenshot.

However, I normally use the ESM Data Source setting 'Support Generic Syslog: Log "unknown syslog" event' and get 'unknown event' in the SIEM.

Then, using KB91898 - Writing Custom Parsing Rules in Enterprise Security Manager, I have updated some ASP rules which I hope will be helpful.

Copied/pasted and updated the ASP rule which worked with DSM 4.3.* to "Synology_DSM User logged in (v6.2)". Regular Expression (which uses the same Field Assignments, Mapping, etc.):

(\w+\s+\d+\s+\d+\x3a\d+\x3a\d+)\s+(\S+)\s+Connection:\s+User\s+\x5b([^\x5d]+)\x5d\s+from\s+\x5b([^\x5d]+)\x5d

Copied/pasted and updated the ASP rule which did not work with DSM 4.3.* to "Synology_DSM WinFileService Event (v6.2)". Regular Expression (adding File/Folder, Size, etc.):

(\w+\s+\d+\s+\d+\x3a\d+\x3a\d+)\s+(\S+)\s+WinFileService\s+\S*\s*Event\x3a\s+([^\x2c]+)\x2c\s+Path\x3a\s+(.+)(?:\s+\x2d\x3e\s+([^\x2c\s]+))?\x2c\s+File\x2fFolder\x3a\s+(\S+)\x2c\s+Size\x3a\s+(\S+)\s+(\S+)\x2c\s+User\x3a\s+([^\x2c]+)\x2c\s+IP\x3a\s*((?:\d{1,3}\x2e){3}\d{1,3})

Copied/pasted and updated the ASP rule to "Synology_DSM CIFS client accessed shared folder (v6.2)". This matches the sample log in the Policy Editor but is not being parsed as yet into my SIEM. Regular Expression:

(\w+\s+\d+\s+\d+\x3a\d+\x3a\d+)\s+(\S+)\s+Connection:\s+User\s+\x5b([^\x28\s]+)\x5d\s+from\s+\x5b([^\x28\s]+)\(([^\x29]+)\)\x5d\s+via\s+\x5bCIFS\(SMB2\)\x5d\s+accessed\s+shared\s+folder\s+\x5b(\S+)\x5d\.

 

 

Cheers

Raph M1K
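
An added example, not part of the original posts and not McAfee or Synology code: a Python harness that runs the three expressions from the reply above over sample lines and reports which rules match each line and what they capture. The sample lines are constructed to fit the expressions (not captured from a device), and Python's `re` module stands in for the ESM regex engine, which is an assumption.

```python
import re

# The three expressions exactly as posted in the reply above.
RULES = {
    "user_logged_in": r"(\w+\s+\d+\s+\d+\x3a\d+\x3a\d+)\s+(\S+)\s+Connection:\s+User\s+\x5b([^\x5d]+)\x5d\s+from\s+\x5b([^\x5d]+)\x5d",
    "winfileservice_event": r"(\w+\s+\d+\s+\d+\x3a\d+\x3a\d+)\s+(\S+)\s+WinFileService\s+\S*\s*Event\x3a\s+([^\x2c]+)\x2c\s+Path\x3a\s+(.+)(?:\s+\x2d\x3e\s+([^\x2c\s]+))?\x2c\s+File\x2fFolder\x3a\s+(\S+)\x2c\s+Size\x3a\s+(\S+)\s+(\S+)\x2c\s+User\x3a\s+([^\x2c]+)\x2c\s+IP\x3a\s*((?:\d{1,3}\x2e){3}\d{1,3})",
    "cifs_shared_folder": r"(\w+\s+\d+\s+\d+\x3a\d+\x3a\d+)\s+(\S+)\s+Connection:\s+User\s+\x5b([^\x28\s]+)\x5d\s+from\s+\x5b([^\x28\s]+)\(([^\x29]+)\)\x5d\s+via\s+\x5bCIFS\(SMB2\)\x5d\s+accessed\s+shared\s+folder\s+\x5b(\S+)\x5d\.",
}
COMPILED = {name: re.compile(rx) for name, rx in RULES.items()}

# Constructed sample lines shaped to fit the expressions; not captured from a device.
LOGIN = "Jan 15 10:15:32 nas01 Connection: User [alice] from [192.0.2.10] logged in successfully via [DSM]."
READ = "Jan 15 10:16:01 nas01 WinFileService Event: read, Path: /share/docs/report.docx, File/Folder: File, Size: 12.50 KB, User: alice, IP: 192.0.2.10"
RENAME = "Jan 15 10:16:09 nas01 WinFileService Event: rename, Path: /share/docs/a.txt -> /share/docs/b.txt, File/Folder: File, Size: 1.00 KB, User: alice, IP: 192.0.2.10"
CIFS = "Jan 15 10:17:45 nas01 Connection: User [alice] from [WS01(192.0.2.10)] via [CIFS(SMB2)] accessed shared folder [docs]."
OTHER = "Jan 15 10:18:00 nas01 System: unrelated constructed message"


def matching_rules(line):
    """Return {rule name: capture groups} for every expression that matches the line."""
    hits = {}
    for name, rx in COMPILED.items():
        m = rx.search(line)
        if m:
            hits[name] = m.groups()
    return hits


def report(lines):
    """Print which rules match each line, flagging overlaps and unparsed lines."""
    for line in lines:
        hits = matching_rules(line)
        if not hits:
            status = "UNPARSED"
        elif len(hits) > 1:
            status = "OVERLAP"
        else:
            status = "ok"
        print(f"[{status}] {line}")
        for name, groups in hits.items():
            print(f"    {name}: {groups}")


if __name__ == "__main__":
    report([LOGIN, READ, RENAME, CIFS, OTHER])
```

On these constructed lines the CIFS line is matched by both the login expression and the CIFS expression, so which rule claims the event depends on how the SIEM resolves overlapping rules. In the rename line the greedy `(.+)` Path group takes the `-> target` text as well, leaving the optional fifth group empty.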
