Push Synology syslogs to Splunk

This article walks you through the steps needed to get the log messages out of your Synology NAS and into a Splunk instance.

For the sake of simplicity I assume in this example that the IP address of the Synology NAS is and that the IP of the Server running is


[learn_more caption=”1) Prepare Splunk“]

First let’s prepare Splunk to receive syslog messages

Click on Manager

Select “Data Inputs”

Click “Add New” for UDP

Enter the Port number (let’s use the standard 9998)

Select “syslog” as source type

Click “Save”


[/learn_more] [learn_more caption=”2) Prepare your Synology NAS“]

Login to the NAS and click on “System Information”

There you should see the model name in the second line – write it down

Click on “Control Panel”

And then on “Terminal”

Make sure “Enable SSH service” is checked

You can now quit the DSM.


[/learn_more] [learn_more caption=”3) Get the Bootstrap“]

Open this page and search for your Synology model










Then go to this page and look for your processor model






Copy the link location of the xsh file










[/learn_more] [learn_more caption=”4) On to the Synology NAS“]

Start a Terminal application and log into the NAS

ssh root@

Type your admin password and reply with “yes” if needed (only the first time you connect)

You’re in…







[/learn_more] [learn_more caption=”5) Installing IPKG“]

Type wget and paste the link of the xsh file that you copied before and hit enter.

DiskStation> wget http://wizjos.endofinternet.net/synology/archief/syno-mvkw-bootstrap_1.2-7_arm-ds111.xsh

After the download is done, type

DiskStation> sh

(sh followed by a space) and then press the TAB key.

This should result in something like

DiskStation> sh syno-mvkw-bootstrap_1.2-7_arm-ds111.xsh

Hit enter and IPKG gets installed

Finally you’ll have to update the packages list, type

DiskStation> ipkg update

DiskStation> ipkg upgrade


[/learn_more] [learn_more caption=”6) Install the Packages “]

Install the Nano text editor (if you have mastered vi, you can skip this step, but you probably wouldn’t be here ;-). Type

DiskStation> ipkg install nano

Then install syslog-ng by typing

DiskStation> ipkg install syslog-ng



[/learn_more] [learn_more caption=”7) Adapt the configuration“]

Open the configuration file by typing (you can speed this up by using the TAB key to autocomplete)

DiskStation> nano /opt/etc/syslog-ng/syslog-ng.conf











Scroll down to the Destination Section and enter a new destination (put here the IP Address and Port of your Splunk server)

destination splunk { udp("" port(9998)); };


Scroll down to the Log Section and enter a new log command (you can also use filters, but I prefer to do this in Splunk)

log { source(src); destination(splunk); };


CTRL-O (to save, then hit Enter)

CTRL-X (to quit)


Start logging

Start Syslog by typing



Check that there is a connection to your Splunk server by typing


You should see an entry for the connection to Splunk
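
UDP is connectionless, so a socket entry on the NAS does not prove that Splunk received anything. The following added example (not part of the original article) builds an RFC 3164 message of the kind syslog-ng forwards and sends it over UDP, so the Splunk input on port 9998 can be tested from any workstation with Python 3. The function names, the sample host name and tag, and the loopback receiver standing in for Splunk are assumptions.

```python
import socket
from datetime import datetime

SPLUNK_UDP_PORT = 9998  # port chosen for the Splunk UDP input in this article
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")


def build_syslog(facility, severity, host, tag, text, when=None):
    """Format a BSD-syslog (RFC 3164) line: <PRI>TIMESTAMP HOST TAG: MSG."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    when = when or datetime.now()
    pri = facility * 8 + severity
    # RFC 3164 pads single-digit days with a space, not a zero.
    stamp = f"{MONTHS[when.month - 1]} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{stamp} {host} {tag}: {text}".encode("ascii", "replace")


def send_syslog(payload, server, port=SPLUNK_UDP_PORT):
    """Send one datagram. UDP has no acknowledgement: the return value only
    means the local stack accepted the bytes, not that Splunk indexed them."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        return tx.sendto(payload, (server, port))


def loopback_check(payload, timeout=2.0):
    """Stand-in receiver on 127.0.0.1 (ephemeral port) that returns what arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(timeout)
        send_syslog(payload, "127.0.0.1", rx.getsockname()[1])
        data, _ = rx.recvfrom(4096)
        return data


if __name__ == "__main__":
    # Constructed sample message: facility 1 (user), severity 5 (notice).
    msg = build_syslog(1, 5, "DiskStation", "splunk-test", "syslog path check")
    print(loopback_check(msg).decode())
    # Against the real input: send_syslog(msg, "<splunk-server-ip>"), then
    # search Splunk for "syslog path check" to confirm the event was indexed.
```

If the test message shows up in Splunk but NAS events do not, the problem is on the syslog-ng side rather than in the Splunk input or the network path.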







[/learn_more] [learn_more caption=”Finally Using Splunk“]

Select Search

You should see the IP Address of the Synology NAS with a growing number of Events

If you click on the IP Address you apply a filter to see only messages from this host

That’s it, enjoy.

See the Splunk website for more information.





