Collect Synology logs
Overview
This parser extracts fields from Synology SYSLOG messages using grok patterns, mapping them to the UDM. It handles various log formats, identifies user logins and resource access, and categorizes events based on keywords, enriching the data with vendor and product information.
Before you begin
Ensure that you have the following prerequisites:
- Google SecOps instance.
- Privileged access to Synology DSM.
Set up feeds
To configure a feed, follow these steps:
- Go to SIEM Settings > Feeds.
- Click Add New Feed.
- On the next page, click Configure a single feed.
- In the Feed namefield, enter a name for the feed; for example, Synology Logs.
- Select Webhookas the Source type.
- Select Synologyas the Log type.
- Click Next.
- Optional: Specify values for the following input parameters:
- Split delimiter: the delimiter that is used to separate log lines, such as
\n. - Asset namespace: the asset namespace .
- Ingestion labels: the label applied to the events from this feed.
- Split delimiter: the delimiter that is used to separate log lines, such as
- Click Next.
- Review the feed configuration in the Finalizescreen, and then click Submit.
- Click Generate Secret Keyto generate a secret key to authenticate this feed.
- Copy and store the secret key. You cannot view this secret key again. If needed, you can regenerate a new secret key, but this action makes the previous secret key obsolete.
- From the Detailstab, copy the feed endpoint URL from the Endpoint Informationfield. You need to specify this endpoint URL in your client application.
- Click Done.
Create an API key for the webhook feed
-
Go to Google Cloud console > Credentials.
-
Click Create credentials, and then select API key.
-
Restrict the API key access to the Google Security Operations API.
Specify the endpoint URL
- In your client application, specify the HTTPS endpoint URL provided in the webhook feed.
-
Enable authentication by specifying the API key and secret key as part of the custom header in the following format:
X-goog-api-key = API_KEY X-Webhook-Access-Key = SECRETRecommendation: Specify the API key as a header instead of specifying it in the URL.
-
If your webhook client doesn't support custom headers, you can specify the API key and secret key using query parameters in the following format:
ENDPOINT_URL ?key= API_KEY &secret= SECRETReplace the following:
-
ENDPOINT_URL: the feed endpoint URL. -
API_KEY: the API key to authenticate to Google Security Operations. -
SECRET: the secret key that you generated to authenticate the feed.
-
Creating a Webhook in Synology for Google SecOps
- Sign in to DiskStation Manager (DSM) on your Synology NAS.
- Go to Control Panel > Notification > Webhook.
- Click Add.
-
Specify values for the following parameters:
- Provider: Select Custom.
-
Rule: Select what kind of messages you want to send in your webhook.
-
Click Next.
-
Provider name: Give the webhook a distinctive name (for example, Google SecOps).
-
Subject: Will be added as a prefix of the notification message.
-
Webhook URL: Enter ENDPOINT_URL.
-
Select Send notification messages in English.
-
Click Next.
-
HTTP Method: Select POST.
-
Add Header X-Webhook-Access-Key, with SECRETvalue.
-
Add Header X-goog-api-key, with API_KEYvalue.
-
Click Apply.
-
Click Applyto save the webhook.
UDM Mapping Table
| Log field | UDM mapping | Logic |
|---|---|---|
app
|
target.application
|
The value of the app
field extracted by the grok filter is assigned to target.application
. |
desc
|
metadata.description
|
The value of the desc
field extracted by the grok filter is assigned to metadata.description
. |
desc
|
target.file.names
|
If the desc
field contains "Closed)", the file path within the parentheses is extracted and assigned to target.file.names
. If the desc
field contains "accessed shared folder", the folder path within the brackets is extracted and assigned to target.file.names
. |
host
|
principal.hostname
|
The value of the host
field extracted by the grok filter from the host_and_ip
field is assigned to principal.hostname
. |
host_and_ip
|
principal.ip
|
The host_and_ip
field is parsed. If an IP address ( ip1
) is found, it's assigned to principal.ip
. If a second IP address ( ip2
) is found, it's also added to principal.ip
. |
intermediary_host
|
intermediary.hostname
|
The value of the intermediary_host
field extracted by the grok filter is assigned to intermediary.hostname
. An empty auth
object is created within extensions
if the message contains "signed in" or "sign in". The timestamp from the raw log's collection_time
field is used. If the message contains "signed in" or "sign in", the value is set to USER_LOGIN
. If the message contains "accessed shared folder", the value is set to USER_RESOURCE_ACCESS
. Otherwise, it defaults to GENERIC_EVENT
. The value of the type
field extracted by the grok filter is assigned to metadata.product_event_type
. The value is statically set to "SYNOLOGY". The value is statically set to "SYNOLOGY". If the message contains "failed to sign", the value is set to BLOCK
. If the message contains "success", the value is set to ALLOW
. If the severity
field (extracted by grok) is "INFO", the value is set to INFORMATIONAL
. |
severity
|
security_result.severity
|
The value of the severity
field extracted by the grok filter is used to determine the security_result.severity
. If the value is "INFO", it's mapped to "INFORMATIONAL". |
time
|
metadata.event_timestamp
|
The time
field, extracted by the grok filter, is parsed and converted to a timestamp. This timestamp is then assigned to metadata.event_timestamp
. |
type
|
metadata.product_event_type
|
The value of the type
field extracted by the grok filter is assigned to metadata.product_event_type
. |
user
|
target.administrative_domain
|
If a domain is extracted from the user
field, it's assigned to target.administrative_domain
. |
user
|
target.user.userid
|
The username part of the user
field (before the "\" if present) is extracted and assigned to target.user.userid
. The timestamp from the raw log's collection_time
field is used. |
Need more help? Get answers from Community members and Google SecOps professionals.
