How to make your NAS a SYSLOG Server

From wiki
Revision as of 16:41, 31 January 2015 by imported>Johayek
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Note: As of DSM 3.0 Syslog-ng is part of the NAS firmware, and as of DSM 4.0 Syslog Server functionality is provided as an application. Hence if you have DSM3 see this wiki's discussion page for more information on how to access the built in syslog-ng. If you have DSM4 you may not need this wiki at all depending on exactly what you want to achieve.

This wiki gives step by step instructions on how to add SysLog Server functionality to your NAS by installing syslog-ng. After completing this modification your NAS can log the System messages from other devices on your network (if they support send to SysLog Server functionality). If installed and configured as per this wiki, syslog-ng will not affect your NAS's internal system logging (klogd and syslogd) which will carry on working as normal.

This wiki was written after making the modification to a DS-207+ and CS-407 running DSM2, it should work on all other Synology models and firmware versions.

What is a SysLog Server[edit]

A SysLog Server is a networked device that receives and logs System messages from other networked devices. Many (but not all) network devices such as computers, routers, firewalls, and switches can be configured to send their System messages to the IP address and port of a SysLog Server.

Should I be interested in Logging System Messages of other devices[edit]

This depends on: your desire and ability to post analyse System messages, the type of network devices you have, and the spare processing capability of your Synology NAS.

Most companies log system messages of the devices on their networks. The recorded SysLog data is often very important in diagnosing faults or identifying hackers attempts to breach network security. Large networks would normally have PC's dedicated as SysLog servers. This is because some devices such as a busy Web Server can produce 500,000+ system messages an hour, multiply this by many devices working 24/7 and the logging load on a SysLog server can be large.

At the other end of the scale, a home or SOHO router firewall may only produce 1,000-100,000 system messages a day.

As the processing power of Synology's NAS's varies significantly from old models to the latest, the amount of system messages they can receive and log as a SysLog Server also varies significantly. Having said that I believe all of Synology's old and current models should be able to log the messages from a single device such as a home/SOHO router. My CS407 and DS207+ comfortably cope with all of my SOHO routers system messages (firewall, status, etc) which amounts to about 70,000 messages per day. It does this whilst also doing everything else I ask of it, including streaming FLAC files, and running surveillance station at the same time. Obviously if you have an older model which only just copes with streaming music/video then asking it to act as a SysLog Server could significantly impact its ability to perform other tasks.

If acting as a SysLog Server adversely affects your NAS's performance it is easy to turn off this functionality or uninstall the software as detailed below.

How do I analyse System Message logs[edit]

As the number of messages received by a SysLog server can be large (as discussed above) it is very beneficial to a) only collect the data you might be interested in and then filter/sort/group that data as it is received, and then b) use some form of data filtering and grouping software to analyse the logged data.

Only collect the messages you are interested in[edit]

Most devices that send out System Messages to a SysLog server will allow you select the types of messages to be sent. For instance a router may enable you to individually select items like: firewall log, VPN Log, User Access Log, Call Log, WAN Log, Router/DSL log, etc.

However if the sending device does not provide sufficient control then syslog-ng provides many tools for processing messages on receipt. syslog-ng enables you to set criteria for messages to be droped (not logged) or if they are to be kept you can set criteria for them to be stored in various specific log files. See the syslog-ng documentation for how to do this.

Software to help analyse logged messages[edit]

There are many packages to do this, my personal favourite is Splunk!. For home type use it is free. Splunk is very powerful and can also turn your PC into a SysLog Server (if your PC is on 24/7 then consider using splunk! for all your needs rather than using your NAS as the SysLog Server). Whether your PC or your NAS is the SysLog server, Splunk! provides very comprehensive filtering and analysis tools for analysing SysLog data.

Assumptions[edit]

The following is assumed;

  • You have a Synology NAS and know how to log in to the management web page as "admin"
  • You have a networked device which you want to record its System messages. Note: Ensure this device enables you to define a SysLog server IP address AND port number. Some devices don't support sending messages to a SysLog server (especially cheaper home routers), and some only allow you to define the servers IP address. You must be able to define both the IP address AND port number of the SysLog server for this mod to work.
  • You know the IP address of your Synology NAS
  • You have 1 hour spare to complete this wiki

Note: This modification gets syslog-ng to record received system messages to flat files, one file per day, named by date. Once you have seen how this modification works it is fairly simple to configure syslog-ng to record to a mysql database on the NAS, see the syslog-ng documentation for guidance.

Overview of the Modification[edit]

NOTE: The Syslog-ng binary is included with DSM 3.0 (FW 1337). If you have DSM 3.0 you can skip the installation of ipkg and syslog-ng below, see this wiki's discussion page for more information

  1. Create a shared folder on your NAS called "logs" to store the received system log messages
  2. Install ipkg if you have not previously installed it
  3. Use ipkg to install syslog-ng
  4. Configure syslog-ng
  5. Start syslog-ng
  6. Configure your networked device to send its System messages to your NAS.


The Process[edit]

NOTE: The Syslog-ng binary is included with DSM 3.0 (FW 1337). If you have DSM 3.0 you can skip the installation of ipkg and syslog-ng below, see this wiki's discussion page for more information

  1. Using an internet browser login to the Management webpage of your NAS as "admin"
  2. Create a shared folder called "logs" on volume1. You can place it on another volume if you want but from now on I will assume it is on volume1
  3. Set access permissions for the newly created "logs" folder as you require
  4. If you have not previously installed ipkg you will need to do so by following the instructions in Overview on modifying the Synology Server, bootstrap, ipkg etc#How_to_install_ipkg
  5. If you didn't follow the step above because you had previously installed ipkg, enable and then login into the Command Line Interface as "root"
  6. Navigate to the root folder i.e. enter "cd /"
  7. Update the list of ipkg packages, i.e. enter "ipkg update"
  8. Install syslog-ng, i.e. enter "ipkg install syslog-ng"
  9. Configure syslog-ng using the Linux VI Editor to modify the file /opt/etc/syslog-ng/syslog-ng.conf, i.e. enter "vi /opt/etc/syslog-ng/syslog-ng.conf"
  10. Press the "i" key to enter the text insertion mode of vi, and then use the cursor keys to comment out all lines in this file by entering a "#" at the start of each line that does not already have a "#" at the start of it.
  11. Then copy and paste the code below (see the section "syslog-ng.conf code") at the end of the file.
  12. Press the escape key to quit the insertion mode of vi
  13. Type "ZZ" (note capital Z's) to save the changes and close vi.
  14. Close the Command Line Interface session, i.e. enter “exit”.
  15. Use the Management web page to reboot the NAS
  16. Installation and configuration of syslog-ng is now complete and after rebooting the NAS syslog-ng will start automatically and monitor the defined port (49152) for System messages to log.
  17. You now need to configure your network device (e.g. your router) to send its System messages to your NAS. In your network devices “SysLog sending configuration page” (or equivalent) enter the IP address of your NAS and the relevant port number (49152).

syslog-ng.conf code[edit]

Below is the code to be copied and pasted into the file "/opt/etc/syslog-ng/syslog-ng.conf". All other lines in the file (i.e. all except those below) should be commented out, i.e. put a "#" at the start of each line.

The code below tells syslog-ng to monitor port 49152 for UDP packets, this port should be free unless you have already configured that port for something else. If you want to use another port you can change it but do not attempt to use port 514 as it is disabled by the internal syslogd. Also if the device sending the Syslog data only supports TCP packets then you may need to change that, see this wiki's discussion page for more info.

The log files created by the code below will have the "owner" file permission set to "root", if for scripting reasons you need the log files to belong to specific owners/groups, how to control this is also stated on this wiki's discussion page.

The code below tells syslog-ng to create a new file for storing log messages every day, you can change the log file name if required, but beware of using a static name as the log file can grow too large if you do not have some method of clearing/rotating it.


options { long_hostnames(off); sync(0); use_dns(no); create_dirs(no); };
source s_net { udp(port(49152) ); };
destination d_router { file("/volume1/logs/router_$YEAR.$MONTH.$DAY.log"); };
log { source(s_net); destination(d_router); };

Stopping Syslog-ng[edit]

If you want to stop syslog-ng simply edit the file "/opt/etc/syslog-ng/syslog-ng.conf" and comment out the lines you pasted into it. Save the changes and then reboot the NAS. When syslog-ng starts, if the configuration is not valid it will abort starting. To re-enable syslog-ng, remove the comment marks (#'s) from the lines you pasted into the configuration file and reboot the NAS.

Uninstalling Syslog-ng[edit]

  1. Enable and then login into the Command Line Interface as "root"
  2. Navigate to the root folder i.e. enter "cd /"
  3. Uninstall syslog-ng by entering "ipkg uninstall syslog-ng"
  4. When ipkg has finished uninstalling syslog-ng close the Command Line Interface session.
  5. If you want too you can delete the files in the shared folder "logs" and then use the Management web page to remove the "logs" shared folder that you created.