This article walks you through the steps needed to get the log messages off your Synology NAS and into a Splunk instance.
For the sake of simplicity I assume in this example that the IP address of the Synology NAS is 192.168.10.99 and that the IP address of the server running Splunk is 192.168.10.200.
1) Prepare Splunk
First let’s prepare Splunk to receive syslog messages
Click on Manager
Select “Data Inputs”
Click “Add New” for UDP
Enter the Port number (let’s use the standard 9998)
Select “syslog” as source type
Click “Save”
2) Prepare your Synology NAS
Log in to the NAS and click on “System Information”
There you should see the model name in the second line – write it down
Click on “Control Panel”
And then on “Terminal”
Make sure “Enable SSH service” is checked
You can now quit the DSM.
3) Get the Bootstrap
4) On to the Synology NAS
Start a Terminal application and log into the NAS
ssh root@192.168.10.99
Type your admin password and reply with “yes” if needed (only the first time you connect)
You’re in…
5) Installing IPKG
Type wget and paste the link of the xsh file that you copied before and hit enter.
DiskStation> wget http://wizjos.endofinternet.net/synology/archief/syno-mvkw-bootstrap_1.2-7_arm-ds111.xsh
After the download is done, type
DiskStation> sh
(sh with a space) and then the TAB key
This should result in something like
DiskStation> sh syno-mvkw-bootstrap_1.2-7_arm-ds111.xsh
Hit enter and IPKG gets installed
Finally, you’ll have to update the package list. Type
DiskStation> ipkg update
DiskStation> ipkg upgrade
6) Install the Packages
Install the Nano text editor (if you master vi, you can skip this step, but you probably wouldn’t be here). Type
DiskStation> ipkg install nano
Then install syslog-ng by typing
DiskStation> ipkg install syslog-ng
7) Adapt the configuration
Open the configuration file by typing (you can speed this up by using the TAB key to autocomplete)
DiskStation> nano /opt/etc/syslog-ng/syslog-ng.conf
Scroll down to the Destination section and enter a new destination (put the IP address and port of your Splunk server here)
destination splunk { udp("192.168.10.200" port(9998)); };
Scroll down to the Log section and enter a new log command (you can also use filters, but I prefer to do this in Splunk)
log { source(src); destination(splunk); };
Press
CTRL-O (to save, then hit Enter)
CTRL-X (to quit)
Start logging
Start Syslog by typing
syslog-ng
Check that there is a connection to your Splunk server by typing
netstat
You should see an entry for the connection to Splunk
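To confirm that datagrams from the NAS really arrive and decode as syslog, a small stand-in receiver can be run on the Splunk host in place of the UDP input. This is an added example, not part of the original article; it assumes Python 3 on the receiving host and the port 9998 chosen above, and the function names and the sample message are constructed for illustration.

```python
import re
import socket

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)
# Constructed sample line: PRI 38 = facility auth (4) * 8 + severity info (6)
SAMPLE = b"<38>Jan  1 00:00:00 DiskStation sshd[1234]: constructed test line"


def parse_syslog(datagram: bytes) -> dict:
    """Decode the <PRI> header of a BSD-syslog (RFC 3164) datagram."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:
        # No valid PRI: keep the raw text so malformed senders stay visible.
        return {"facility": None, "severity": None,
                "message": datagram.decode("utf-8", "replace").strip()}
    pri = int(m.group(1))
    return {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
            "message": m.group(2).decode("utf-8", "replace").strip()}


def receive_one(sock: socket.socket, timeout: float = 5.0):
    """Wait for one datagram; return (sender_ip, parsed) or None on timeout."""
    sock.settimeout(timeout)
    try:
        data, (ip, _port) = sock.recvfrom(8192)
    except socket.timeout:
        return None
    return ip, parse_syslog(data)


def loopback_selftest():
    """Send the constructed sample to ourselves to prove the receive path works."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
            socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", 0))      # ephemeral port, used only for the self-test
        tx.sendto(SAMPLE, rx.getsockname())
        return receive_one(rx)


if __name__ == "__main__":
    print("self-test:", loopback_selftest())
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", 9998))      # port from the article; disable Splunk's input first
        print("first datagram:", receive_one(s, timeout=60))
```

A `None` result after the timeout means nothing reached the port, which points at the destination line in syslog-ng.conf or a firewall between the two hosts.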
Finally Using Splunk
Select Search
You should see the IP Address of the Synology NAS with a growing number of Events
If you click on the IP Address you apply a filter to see only messages from this host
That’s it, enjoy.
See the Splunk website for more information.