You could change the 'Support Generic Syslog' setting to 'Log unknown' under the data source and it should show you any unparsed messages. From your screenshot it looks like you might have a few output format options on your device so you might want to try one of the other ones. You can post a sample for confirmation. Thanks.

Hello (for anyone else looking),

At the time of the orginal posting, Synology relase notes for the DSM version was 6.0.x. I am working with DSM 6.2.x and Log Center 1.1.x which looks the same as Professor_IS - Log Sending screenshot.

However, I normally use for ESM Data Source setting 'Support Generic Syslog: Log "unknown syslog" event' and get 'unknow event' in the SIEM.

Then using KB91898 - Writing Custom Parsing Rules in Enterprise Security Manager I have updated some ASP rules which I hope will be helpful.

Copy/paste and updated ASP rule which worked with DSM 4.3.* to "Synology_DSM User logged in (v6.2)". Regular Expression which uses the same Field Assignments Mapping etc:

(\w+\s+\d+\s+\d+\x3a\d+\x3a\d+)\s+(\S+)\s+Connection:\s+User\s+\x5b([^\x5d]+)\x5d\s+from\s+\x5b([^\x5d]+)\x5d

Copy/paste and updated ASP rule which did not work with DSM 4.3.* to "Synology_DSM WinFileService Event (v6.2)". Regular Expression (adding File Folder and Size etc):

(\w+\s+\d+\s+\d+\x3a\d+\x3a\d+)\s+(\S+)\s+WinFileService\s+\S*\s*Event\x3a\s+([^\x2c]+)\x2c\s+Path\x3a\s+(.+)(?:\s+\x2d\x3e\s+([^\x2c\s]+))?\x2c\s+File\x2fFolder\x3a\s+(\S+)\x2c\s+Size\x3a\s+(\S+)\s+(\S+)\x2c\s+User\x3a\s+([^\x2c]+)\x2c\s+IP\x3a\s*((?:\d{1,3}\x2e){3}\d{1,3})

Copy/paste and updated ASP rule to "Synology_DSM CIFS client accessed shared folder (v6.2)". This matches sample log in the Policy Editor but is not being parsed as yet into my SIEM. Regular Expression:

(\w+\s+\d+\s+\d+\x3a\d+\x3a\d+)\s+(\S+)\s+Connection:\s+User\s+\x5b([^\x28\s]+)\x5d\s+from\s+\x5b([^\x28\s]+)\(([^\x29]+)\)\x5d\s+via\s+\x5bCIFS\(SMB2\)\x5d\s+accessed\s+shared\s+folder\s+\x5b(\S+)\x5d\.

Cheers

Raph M1K