Editing How to make your NAS a SYSLOG Server

This wiki gives step by step instructions on how to add SysLog Server functionality to your NAS by installing [http://www.balabit.com/network-security/syslog-ng/opensource-logging-system/ syslog-ng]. After completing this modification your NAS can log the System messages from other devices on your network (if they support send to SysLog Server functionality). If installed and configured as per this wiki, syslog-ng will not affect your NAS's internal system logging (klogd and syslogd) which will carry on working as normal. 

This wiki was written after making the modification to a DS-207+ and CS-407, it will almost certainly work on all other Synology models and firmware versions.

==What is a SysLog Server==
A SysLog Server is a networked device that receives and logs System messages from other networked devices. Many (but not all) network devices such as computers, routers, firewalls, and switches can be configured to send their System messages to the IP address and port of a SysLog Server.

==Should I be interested in Logging System Messages of other devices==   
This depends on: your desire and ability to post analyse System messages, the type of network devices you have, and the spare processing capability of your Synology NAS.

Most companies log system messages of the devices on their networks. The recorded SysLog data is often very important in diagnosing faults or identifying hackers attempts to breach network security. Large networks would normally have PC's dedicated as SysLog servers. This is because some devices such as a busy Web Server can produce 500,000+ system messages an hour, multiply this by many devices working 24/7 and the logging load on a SysLog server can be large.

At the other end of the scale, a home or SOHO router firewall may only produce 1,000-100,000 system messages a day.

As the processing power of Synology's NAS's varies significantly from old models to the latest, the amount of system messages they can receive and log as a SysLog Server also varies significantly. Having said that I believe all of Synology's old and current models should be able to log the messages from a single device such as a home/SOHO router. My CS407 and DS207+ comfortably cope with all of my SOHO routers system messages (firewall, status, etc) which amounts to about 70,000 messages per day. It does this whilst also doing everything else I ask of it, including streaming FLAC files, and running surveillance station at the same time. Obviously if you have an older model which only just copes with streaming music/video then asking it to act as a SysLog Server could significantly impact its ability to perform other tasks.

If acting as a SysLog Server adversely affects your NAS's performance it is easy to turn off this functionality or uninstall the software as detailed below.

==Assumptions==
The following is assumed;
*You have a Synology NAS and know how to log in to the management web page as "admin"
*You have a networked device which you want to record its System messages. Note: Ensure this device enables you to define a SysLog server IP address AND port number. Some devices don't support sending messages to a SysLog server (especially cheaper home routers), and some only allow you to define the servers IP address. You must be able to define both the IP address AND port number of the SysLog server for this mod to work.
*You know the IP address of your Synology NAS
*You have 1 hour spare to complete this wiki

Note: This modification gets syslog-ng to record received system messages to flat files, one file per day, named by date. Once you have seen how this modification works it is fairly simple to configure syslog-ng to record to a mysql database on the NAS, see the syslog-ng documentation for guidance.

==Overview of the Modification==
# Create a shared folder on your NAS called "logs" to store the received system log messages
# Install ipkg if you have not previously installed it
# Use ipkg to install syslog-ng
# Configure syslog-ng
# Start syslog-ng
# Configure your networked device to send its System messages to your NAS.


==The Process==
#Using an internet browser login to the Management webpage of your NAS as "admin"
#Create a shared folder called "logs" on volume1. You can place it on another volume if you want but from now on I will assume it is on volume1
#Set access permissions for the newly created "logs" folder as you require
#If you have not previously installed ipkg you will need to do so by following the instructions in [[Overview on modifying the Synology Server, bootstrap, ipkg etc#How_to_install_ipkg]]
#If you didn't follow the step above because you had previously installed ipkg, enable and then login into the [[Modifications|Command Line Interface]] as "root"
#Navigate to the root folder i.e. enter "cd /"
#Update the list of ipkg packages, i.e. enter "ipkg update"
#Install syslog-ng, i.e. enter "ipkg install syslog-ng"
#Configure syslog-ng using the [[Linux VI Editor]] to modify the file /opt/etc/syslog-ng/syslog-ng.conf, i.e. enter "vi /opt/etc/syslog-ng/syslog-ng.conf"
#Press the "i" key to enter the text insertion mode of vi, and then use the cursor keys to comment out all lines in this file by entering a "#" at the start of each line that does not already have a "#" at the start of it.
#Then copy and paste the code below (see the section "syslog-ng.conf code") at the end of the file.
#Press the escape key to quit the insertion mode of vi
#Type "ZZ" (note capital Z's) to save the changes and close vi.
#Close the [[Modifications|Command Line Interface]] session, i.e. enter “exit”.
#Use the Management web page to reboot the NAS
#Installation and configuration of syslog-ng is now complete and after rebooting the NAS syslog-ng will start automatically and monitor the defined port (49152) for System messages to log.
#You now need to configure your network device (e.g. your router) to send its System messages to your NAS. In your network devices “SysLog sending configuration page” (or equivalent) enter the IP address of your NAS and the relevant port number (49152).
===syslog-ng.conf code===
Below is the code to be copied and pasted into the file "/opt/etc/syslog-ng/syslog-ng.conf". All other lines in the file (i.e. all except those below) should be commented out, i.e. put a "#" at the start of each line.

The code below tells syslog-ng to monitor port 49152, this should be free unless you have already configured that port for something else. If you want to use another port you can change it but do not attempt to use port 514 as it is disabled by the internal syslogd.

The code below tells syslog-ng to create a new file for storing log messages every day, you can change the log file name if required, but beware of using a static name as the log file can grow too large if you do not have some method of clearing/rotating it.

<pre>

options { long_hostnames(off); sync(0); use_dns(no); create_dirs(no); };
source s_net { udp(port(49152) ); };
destination d_router { file("/volume1/logs/router_$YEAR.$MONTH.$DAY.log"); };
log { source(s_net); destination(d_router); };

</pre>

==Stopping Syslog-ng==
If you want to stop syslog-ng simply edit the file "/opt/etc/syslog-ng/syslog-ng.conf" and comment out the lines you pasted into it. Save the changes and then reboot the NAS. When syslog-ng starts, if the configuration is not valid it will abort starting. To re-enable syslog-ng, remove the comment marks (#'s) from the lines you pasted into the configuration file and reboot the NAS.

==Uninstalling Syslog-ng==
#Enable and then login into the [[Modifications|Command Line Interface]] as "root"
#Navigate to the root folder i.e. enter "cd /"
#Uninstall syslog-ng by entering "ipkg uninstall syslog-ng"
#When ipkg has finished uninstalling syslog-ng close the [[Modifications|Command Line Interface]] session.
#If you want too you can delete the files in the shared folder "logs" and then use the Management web page to remove the "logs" shared folder that you created.