Push Synology syslogs to Splunk

This article walks you through the steps needed to get the log messages from your Synology NAS out and into a Splunk instance.


For the sake of simplicity, I assume in this example that the IP address of the Synology NAS is 192.168.10.99 and that the IP address of the server running Splunk is 192.168.10.200.

1) Prepare Splunk

First let’s prepare Splunk to receive syslog messages

Click on Manager

Select “Data Inputs”

Click “Add New” for UDP

Enter the Port number (let’s use the standard 9998)

Select “syslog” as source type

Click “Save”

2) Prepare your Synology NAS

Log in to the NAS and click on “System Information”

There you should see the model name in the second line – write it down

Click on “Control Panel”

And then on “Terminal”

Make sure “Enable SSH service” is checked

You can now quit the DSM.

3) Get the Bootstrap

Open this page and search for your Synology model

Then go to this page and look for your processor model

Copy the link location of the xsh file

4) On to the Synology NAS

Start a Terminal application and log into the NAS

ssh root@192.168.10.99

Type your admin password and reply with “yes” if needed (only the first time you connect)

You’re in…

5) Installing IPKG

Type wget and paste the link of the xsh file that you copied before and hit enter.

DiskStation> wget http://wizjos.endofinternet.net/synology/archief/syno-mvkw-bootstrap_1.2-7_arm-ds111.xsh

After the download is done, type

DiskStation> sh

(sh followed by a space) and then the TAB key to autocomplete the file name.

This should result in something like

DiskStation> sh syno-mvkw-bootstrap_1.2-7_arm-ds111

Hit Enter and IPKG gets installed

Finally, you’ll have to update the package list. Type

DiskStation> ipkg update

DiskStation> ipkg upgrade

6) Install the Packages

Install the nano text editor (if you have mastered vi you can skip this step, but then you probably wouldn’t be here ;-)). Type

DiskStation> ipkg install nano

Then install syslog-ng by typing

DiskStation> ipkg install syslog-ng

7) Adapt the configuration

Open the configuration file by typing (you can speed this up by using the TAB key to autocomplete)

DiskStation> nano /opt/etc/syslog-ng/syslog-ng.conf

Scroll down to the destination section and add a new destination (put the IP address and port of your Splunk server here; note the straight double quotes, which syslog-ng requires):

destination splunk { udp("192.168.10.200" port(9998)); };

Scroll down to the log section and add a new log statement (you can also use filters here, but I prefer to do the filtering in Splunk)

log { source(src); destination(splunk); };

Then press

CTRL-O (to save, then hit Enter to confirm the file name)

CTRL-X (to quit)

Start logging

Start Syslog by typing

syslog-ng

Check that there is a connection to your Splunk server by typing

netstat

You should see an entry for the connection to Splunk
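The netstat entry only proves that syslog-ng on the NAS has opened its socket towards Splunk; because UDP is connectionless it cannot tell you whether the datagrams actually arrive at the Splunk host (a firewall in between drops them silently and nothing on the NAS notices). The script below is an added example, not part of the original article: it binds a throwaway UDP listener, sends one constructed RFC 3164 line of the kind the udp() destination emits, and parses what arrives into facility, severity, timestamp, host and message. The host 192.168.10.200 and port 9998 are the article's example values; the sample log line is constructed.

```python
import re
import socket

# Values from the article: the Splunk server and the UDP port configured in step 1.
SPLUNK_HOST = "192.168.10.200"
SPLUNK_PORT = 9998

# Constructed sample line in RFC 3164 format, as syslog-ng's udp() destination emits it:
# "<PRI>Mmm dd hh:mm:ss HOST TAG: MESSAGE".  PRI 30 = facility 3 (daemon) * 8 + severity 6 (info).
SAMPLE_LINE = "<30>Jan  5 12:34:56 DiskStation syslog-ng[1234]: syslog-ng starting up (constructed test event)"

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                              # priority value
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "    # BSD timestamp, day is space padded
    r"(?P<host>\S+) (?P<msg>.*)$"                       # sending host, then tag and text
)

def parse_syslog(line: str) -> dict:
    """Split an RFC 3164 line into the fields you will later search on in Splunk."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    pri = int(m.group("pri"))
    if pri > 191:                      # facility 0-23 and severity 0-7 give at most 23*8+7
        raise ValueError(f"PRI out of range: {pri}")
    return {"facility": pri >> 3, "severity": pri & 7, "timestamp": m.group("ts"),
            "host": m.group("host"), "message": m.group("msg")}

def send_syslog(host: str, port: int, line: str) -> None:
    """Send one datagram the same way the NAS's udp() destination does (plaintext, no ack)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode(), (host, port))

def open_listener(bind_addr: str, port: int) -> socket.socket:
    """Bind a UDP socket; on the Splunk host use ("0.0.0.0", SPLUNK_PORT) before Splunk's input is enabled."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((bind_addr, port))
    return s

def receive_once(listener: socket.socket, timeout: float = 2.0):
    """Wait for one datagram; return (parsed fields, sender IP) or None if nothing arrives in time."""
    listener.settimeout(timeout)
    try:
        data, (sender_ip, _) = listener.recvfrom(65535)
    except socket.timeout:
        return None
    return parse_syslog(data.decode(errors="replace")), sender_ip

def loopback_self_test(line: str = SAMPLE_LINE):
    """Round-trip `line` through a listener on 127.0.0.1 (port picked by the OS) and parse it."""
    with open_listener("127.0.0.1", 0) as listener:
        send_syslog("127.0.0.1", listener.getsockname()[1], line)
        return receive_once(listener)

if __name__ == "__main__":
    print(loopback_self_test())   # run on the NAS side: send_syslog(SPLUNK_HOST, SPLUNK_PORT, SAMPLE_LINE)
```

Because the transport is plain UDP, the received sender IP is the only thing tying an event to the NAS, so keep the Splunk input reachable from the NAS's address only.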

Finally, using Splunk

Select Search

You should see the IP address of the Synology NAS with a growing number of events

If you click on the IP address, a filter is applied so that you see only the messages from this host.

That’s it, enjoy.

See the Splunk website for more information.