Hello friends.
Has anybody encountered issues with Synology Disk Station logs?
I have created a data source in the SIEM for my Synology Disk Station.
In Disk Station Manager I configured log sending to the SIEM via port 514. I tried both the TCP and UDP protocols.
Unfortunately, no logs are captured in the SIEM Dashboard view.
You could change the 'Support Generic Syslog' setting to 'Log unknown' under the data source and it should show you any unparsed messages. From your screenshot it looks like you might have a few output format options on your device so you might want to try one of the other ones. You can post a sample for confirmation. Thanks.
Hello (for anyone else looking),
At the time of the original posting, the Synology release notes for the DSM version were 6.0.x. I am working with DSM 6.2.x and Log Center 1.1.x, which looks the same as Professor_IS's Log Sending screenshot.
However, I normally use the ESM Data Source setting 'Support Generic Syslog: Log "unknown syslog" event' and get 'unknown event' in the SIEM.
Then, using KB91898 - Writing Custom Parsing Rules in Enterprise Security Manager, I have updated some ASP rules which I hope will be helpful.
Copy/paste and updated the ASP rule which worked with DSM 4.3.* as "Synology_DSM User logged in (v6.2)". Regular expression, which uses the same Field Assignments mapping etc.:
(\w+\s+\d+\s+\d+\x3a\d+\x3a\d+)\s+(\S+)\s+Connection:\s+User\s+\x5b([^\x5d]+)\x5d\s+from\s+\x5b([^\x5d]+)\x5d
Copy/paste and updated the ASP rule which did not work with DSM 4.3.* as "Synology_DSM WinFileService Event (v6.2)". Regular expression (adding File/Folder and Size etc.):
(\w+\s+\d+\s+\d+\x3a\d+\x3a\d+)\s+(\S+)\s+WinFileService\s+\S*\s*Event\x3a\s+([^\x2c]+)\x2c\s+Path\x3a\s+(.+?)(?:\s+\x2d\x3e\s+([^\x2c\s]+))?\x2c\s+File\x2fFolder\x3a\s+(\S+)\x2c\s+Size\x3a\s+(\S+)\s+(\S+)\x2c\s+User\x3a\s+([^\x2c]+)\x2c\s+IP\x3a\s*((?:\d{1,3}\x2e){3}\d{1,3})
Copy/paste and updated the ASP rule as "Synology_DSM CIFS client accessed shared folder (v6.2)". This matches the sample log in the Policy Editor but is not yet being parsed in my SIEM. Regular expression:
(\w+\s+\d+\s+\d+\x3a\d+\x3a\d+)\s+(\S+)\s+Connection:\s+User\s+\x5b([^\x28\s]+)\x5d\s+from\s+\x5b([^\x28\s]+)\(([^\x29]+)\)\x5d\s+via\s+\x5bCIFS\(SMB2\)\x5d\s+accessed\s+shared\s+folder\s+\x5b(\S+)\x5d\.
Cheers
Raph M1K
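As an added illustration (not code from this thread, from Synology or from the SIEM vendor), here is a small Python harness that runs the three regular expressions above against constructed DSM 6.2 style syslog lines, so a custom parsing rule can be checked offline before it goes into the Policy Editor. The sample lines, the hostname `diskstation`, the user `admin` and the 192.0.2.x addresses are constructed; the WinFileService pattern is used with a non-greedy `(.+?)` Path group. The harness also shows two things a rule author wants to know: that the 'User logged in' pattern matches the CIFS shared-folder line as well (so rule overlap needs checking), and that a greedy `(.+)` Path group swallows the `-> new path` part of a rename event so the target path is never captured.

```python
import re

# Constructed sample lines in the shape DSM 6.2 Log Center sends over syslog.
# Hostname, user and 192.0.2.0/24 addresses are made up for this example.
SAMPLE_LINES = [
    "Oct 12 14:23:01 diskstation Connection: User [admin] from [192.0.2.10] via [DSM] logged in.",
    "Oct 12 14:24:10 diskstation Connection: User [admin] from [WORKSTATION01(192.0.2.10)] "
    "via [CIFS(SMB2)] accessed shared folder [homes].",
    "Oct 12 14:25:44 diskstation WinFileService Event: delete, Path: /homes/admin/old.txt, "
    "File/Folder: File, Size: 12.50 KB, User: admin, IP: 192.0.2.10",
    "Oct 12 14:26:02 diskstation WinFileService Event: rename, Path: /homes/admin/old.txt -> "
    "/homes/admin/new.txt, File/Folder: File, Size: 12.50 KB, User: admin, IP: 192.0.2.10",
]

# Rule name -> (regular expression, field name for each capture group, in order).
# The \xNN escapes are kept exactly as the ASP rules use them; Python's re reads them too.
RULES = {
    "Synology_DSM User logged in (v6.2)": (
        r"(\w+\s+\d+\s+\d+\x3a\d+\x3a\d+)\s+(\S+)\s+Connection:\s+User\s+\x5b([^\x5d]+)\x5d"
        r"\s+from\s+\x5b([^\x5d]+)\x5d",
        ["timestamp", "host", "user", "source"],
    ),
    "Synology_DSM WinFileService Event (v6.2)": (
        r"(\w+\s+\d+\s+\d+\x3a\d+\x3a\d+)\s+(\S+)\s+WinFileService\s+\S*\s*Event\x3a\s+([^\x2c]+)"
        r"\x2c\s+Path\x3a\s+(.+?)(?:\s+\x2d\x3e\s+([^\x2c\s]+))?\x2c\s+File\x2fFolder\x3a\s+(\S+)"
        r"\x2c\s+Size\x3a\s+(\S+)\s+(\S+)\x2c\s+User\x3a\s+([^\x2c]+)\x2c\s+IP\x3a\s*"
        r"((?:\d{1,3}\x2e){3}\d{1,3})",
        ["timestamp", "host", "event", "path", "new_path", "type", "size", "unit", "user", "ip"],
    ),
    "Synology_DSM CIFS client accessed shared folder (v6.2)": (
        r"(\w+\s+\d+\s+\d+\x3a\d+\x3a\d+)\s+(\S+)\s+Connection:\s+User\s+\x5b([^\x28\s]+)\x5d"
        r"\s+from\s+\x5b([^\x28\s]+)\(([^\x29]+)\)\x5d\s+via\s+\x5bCIFS\(SMB2\)\x5d"
        r"\s+accessed\s+shared\s+folder\s+\x5b(\S+)\x5d\.",
        ["timestamp", "host", "user", "client", "ip", "folder"],
    ),
}

# Just the Path part of the WinFileService rule, greedy versus non-greedy,
# to show why the rename target is lost with a greedy group.
GREEDY_PATH = r"Path\x3a\s+(.+)(?:\s+\x2d\x3e\s+([^\x2c\s]+))?\x2c\s+File"
LAZY_PATH = r"Path\x3a\s+(.+?)(?:\s+\x2d\x3e\s+([^\x2c\s]+))?\x2c\s+File"


def matching_rules(line):
    """Names of every rule whose pattern matches the line; more than one means overlap."""
    return [name for name, (pattern, _) in RULES.items() if re.search(pattern, line)]


def parse_line(line, rule_name):
    """Field dict produced by one rule for the line, or None when the rule does not match."""
    pattern, fields = RULES[rule_name]
    match = re.search(pattern, line)
    if match is None:
        return None
    return dict(zip(fields, match.groups()))


def extract_path(line, pattern):
    """(path, new_path) as captured by the given Path sub-pattern, or None on no match."""
    match = re.search(pattern, line)
    return match.groups() if match else None


def report(lines=SAMPLE_LINES):
    """Map each sample line to the rules that match it and the fields the first one yields."""
    result = []
    for line in lines:
        names = matching_rules(line)
        fields = parse_line(line, names[0]) if names else None
        result.append((line, names, fields))
    return result


if __name__ == "__main__":
    for line, names, fields in report():
        print(line)
        print("  matched by:", names or "NO RULE (would appear as unknown syslog event)")
        print("  fields    :", fields)
    rename = SAMPLE_LINES[3]
    print("greedy Path group on rename:", extract_path(rename, GREEDY_PATH))
    print("lazy   Path group on rename:", extract_path(rename, LAZY_PATH))
```

Lines that match no rule are the ones that would show up as 'unknown syslog event' in the SIEM, which makes a harness like this a quick way to test a rule against a captured sample before editing it in the Policy Editor. Where two rules match the same line, the more specific pattern (here the CIFS one) should be the one that wins, so the rule order or the specificity of the first pattern needs attention.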