Request for Detailed Synology NAS Rules/Decoders and Dashboard Guidance for Wazuh
Tuấn Minh
Hi Wazuh Community,
I am currently working on setting up a comprehensive monitoring system for my Synology NAS devices using Wazuh 4.7. I have been following the guidance provided in this repository: https://github.com/Tomo-9925/wazuh-synology-dsm-decoder-and-rules, which is very helpful for login/logout events and basic backup monitoring.
However, for my system, I need a more complete setup, and I am missing critical information to achieve full coverage. Specifically, I am looking to monitor and log the following on Synology NAS:
-
System Resource Usage:
-
CPU usage
-
RAM usage
-
Disk usage
-
Status of network ports (LAN1-4)
-
Inbound and outbound network traffic per interface
-
-
User Activity:
-
Login and logout events
-
Failed login attempts and brute-force detection
-
-
Job and Task Monitoring:
-
Backup and restore tasks
-
All modifications or actions performed on the NAS (file creation, modification, deletion, permissions changes, etc.)
-
Examples of the type of logs I want to capture:
-
“User admin failed login via SSH from IP 192.168.1.50”
-
“Backup task ‘DailyBackup’ completed successfully”
-
“File /volume1/shared/test.txt deleted by user John”
-
“CPU usage exceeded 90% on NAS-01”
-
“Inbound traffic on LAN2 exceeded 500 Mbps”
Currently, the decoders and rules provided in the GitHub repository are limited to login/logout events. There is no decoder or rule available for the system resource metrics (CPU, RAM, Disk, network interfaces) or for detailed file/task activity.
I would greatly appreciate it if the community could provide:
-
Comprehensive Synology NAS rules and decoders for Wazuh that cover all the above events
-
Example configurations for capturing CPU, RAM, disk usage, network interface stats, inbound/outbound traffic, backup/restore jobs, and file changes
-
Guidance on dashboard setup, including recommendations for visualizing critical metrics and alerts in Wazuh Dashboard
Any examples of rules, decoders, or dashboard panels would be extremely helpful, so I can build a complete monitoring system for my Synology NAS devices.
Thank you very much for your support and guidance !
Francis Timilehin Jeremiah
Tuấn Minh
Additionally, I noticed that the file has a size of 0 KB. However, I explored the Wazuh Dashboard > Discover section and searched for the keyword "synology" while applying the filter "rule.group=syslog." The results still returned decoded log entries, as shown in the attached image. Most of the results correspond to rule IDs 100002 (successful login) and 100001 (failed login).
Could you assist me in locating these log samples? I look forward to your prompt response.
--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/GhpO-He0fjg/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/4a72c848-5b6d-4e03-90d3-10e4034dd4e8n%40googlegroups.com.
Francis Timilehin Jeremiah
Tuấn Minh
agent.id=000 as you mentioned. So I think the logs sent from Synology to Wazuh have been received successfully.
However, I checked the /var/ossec/logs/archives/ directory and here is what I found: I noticed that the file archives.log is 0 KB. I also tried tail -f on it, but it returned nothing.
Additionally, there is a folder named Sep; I went into it and found many files like ossec-archive-25.json.sum and ossec-archive-25.log.sum. However, when I checked them, they seem to be just checksum files of the log content.
So, regarding the log samples you mentioned, where should I get them from ?
I look forward to your reply.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/1015cafc-4d6b-4955-99fd-6214be527406n%40googlegroups.com.
Tuấn Minh
I have managed to capture logs from my Synology NAS devices. Initially, the archives.log file on the Wazuh Manager was empty because the “log all events” feature had not been enabled. After enabling it with <logall_json>yes</logall_json>, I am now able to retrieve the raw JSON logs.
The attached log samples are provided below. My goal is to display clearly each individual action being performed on the Synology NAS on the Wazuh Dashboard, with appropriate severity levels corresponding to the events.
Could you please help me write the appropriate decoders and rules based on these log samples ?
These are some of the log samples at the current moment. Please help me write the appropriate decoders and rules based on these logs first. In the future, if additional log samples become available, I will send them as well.
One additional point: after reviewing the attached JSON file, I do not see any logs related to Synology resource metrics such as CPU, disk, or RAM usage. Is there a way to capture these real-time resource logs as well ?
Many thanks !
Othniel Ebolum
After reviewing your request, the GitHub repo, and the sample logs provided.
- The connection decoders handle user logins as you have mentioned, but miss "Host"-based failed connections (e.g., SMB1 failures in your logs).
- The backup decoders are tailored for "Hyper_Backup" format, but your sample uses "Backup SYSTEM".
- No decoders for FileStation or System events.
Note for monitoring System Resource Usage, which you mentioned, is not present in your logs.
From researching, https://kb.synology.com/en-uk/DSM/help/DSM/AdminCenter/system_taskscheduler?version=7, https://community.synology.com/enu/forum/17/post/118512, https://www.reddit.com/r/synology/comments/175z84a/dsm72_how_to_check_containers_resources_cpu_ram/
https://blog.fotto.de/run-iotop-tcpdump-etc-on-synology-diskstation-or-rackstation-with-synogear/ - You can use Synology's Task Scheduler (Control Panel > Task Scheduler) to run bash scripts periodically (e.g., every 1-5 minutes). Scripts use built-in commands (top, free, df, ip, ethtool) to get metrics and send to syslog via logger (which forwards to your Wazuh server if Log Center > Log Sending is enabled).
- For network traffic per interface, i saw a recommendation to install vnstat, but i don't know if it works, and also you can research more about SynoCli Monitor tools from synocommunity as recommended here https://www.reddit.com/r/synology/comments/1036i2c/synology_network_monitoring_analyze_inout_traffic/.
- Enable Log Center to forward these logs (already set up per your samples). I shared sample scripts at the end.
PLEASE NOTE THIS IS SUBJECT TO YOU TESTING THIS OUT FOR YOURSELF IN YOUR ENVIRONMENT. Rules id=100040–100048 are sampled based on these research.
DECODERS
<!-- Host-based connection failures -->
<decoder name="synology-connection-host">
<parent>synology-connection</parent>
<regex type="pcre2">Host \[[^\(]*?\(?(\d+\.\d+\.\d+\.\d+)\)?\] (failed) to connect via \[([^\]]+)\] due to \[([^\]]+)\].</regex>
<order>srcip, status, protocol, reason</order>
</decoder>
<!-- FileStation Events -->
<decoder name="synology-filestation">
<prematch>FileStation Event:</prematch>
</decoder>
<decoder name="synology-filestation-details">
<parent>synology-filestation</parent>
<regex type="pcre2">FileStation Event: (\S+), Path: (.+?), File\/Folder: (\S+), Size: (\S+), User: (\S+), IP: (\S+)</regex>
<order>action, path, type, size, srcuser, srcip</order>
</decoder>
<!-- Non-Hyper Backup Events -->
<decoder name="synology-backup">
<prematch>Backup SYSTEM:</prematch>
</decoder>
<decoder name="synology-backup-details">
<parent>synology-backup</parent>
<regex type="pcre2">\[(\S+)\]\[([^\]]+)\] Backup task (\S+).</regex>
<order>type, nas, status</order>
</decoder>
<!-- System Events (e.g., DDNS) -->
<decoder name="synology-system">
<prematch>System SYSTEM:</prematch>
</decoder>
<decoder name="synology-system-details">
<parent>synology-system</parent>
<regex type="pcre2">System SYSTEM:\t(\S+) successfully (\S+) \[(\S+)\] to \[(\S+)\] in (\S+) server \[(\S+)\].</regex>
<order>action, status, ip, hostname, service_type, server</order>
</decoder>
<!-- Resource Metrics (from scripts) -->
<decoder name="synology-resource">
<prematch>Synology Resource:</prematch>
</decoder>
<decoder name="synology-resource-details">
<parent>synology-resource</parent>
<regex type="pcre2">CPU=(\d+\.?\d*)% RAM=(\d+\.?\d*)% DISK=(\d+\.?\d*)% on (\S+)</regex>
<order>cpu, ram, disk, nas</order>
</decoder>
<decoder name="synology-network-status">
<prematch>Synology Network: Interface</prematch>
</decoder>
<decoder name="synology-network-status-details">
<parent>synology-network-status</parent>
<regex type="pcre2">Interface (\S+) status=(\S+)</regex>
<order>interface, status</order>
</decoder>
<decoder name="synology-network-traffic">
<prematch>Synology Network Traffic:</prematch>
</decoder>
<decoder name="synology-network-traffic-details">
<parent>synology-network-traffic</parent>
<regex type="pcre2">Interface (\S+) in=(\d+\.?\d*) (\S+), out=(\d+\.?\d*) (\S+)</regex>
<order>interface, inbound_num, inbound_unit, outbound_num, outbound_unit</order>
</decoder>
These extend for host failures, FileStation (file create/modify/delete; no permissions in samples, but alerts on changes), non-Hyper backups, system events, and resources (with thresholds matching your examples, e.g., CPU >90%, traffic >500 Mbps).
<group name="remote,syslog,synology">
<!-- Host Connection Failures & Brute-Force -->
<rule id="100006" level="5">
<decoded_as>synology-connection-host</decoded_as>
<status>failed</status>
<description>Synology host connection failed (reason: $(reason)).</description>
<mitre><id>T1110.001</id></mitre>
</rule>
<rule id="100007" level="10" frequency="8" timeframe="120">
<if_matched_sid>100006</if_matched_sid>
<same_srcip />
<description>Synology brute force on host connections from $(srcip).</description>
<mitre><id>T1110.001</id></mitre>
</rule>
<!-- FileStation Actions (create/modify/delete) -->
<rule id="100013" level="3">
<decoded_as>synology-filestation-details</decoded_as>
<description>Synology FileStation $(action) by $(srcuser) from $(srcip): $(path) ($(type), Size: $(size)).</description>
<mitre><id>T1565</id></mitre>
</rule>
<rule id="100014" level="7">
<decoded_as>synology-filestation-details</decoded_as>
<match>delete|create|write</match>
<description>Synology FileStation modification/deletion by $(srcuser) from $(srcip): $(path).</description>
<mitre><id>T1565</id></mitre>
</rule>
<rule id="100015" level="12" frequency="8" timeframe="120">
<if_matched_sid>100013</if_matched_sid>
<same_srcuser />
<same_action />
<description>Many Synology FileStation actions ($(action)) by same user.</description>
<mitre><id>T1565</id></mitre>
</rule>
<!-- Non-Hyper Backups/Restores -->
<rule id="100025" level="3">
<decoded_as>synology-backup-details</decoded_as>
<description>Synology backup/restore task $(status) on $(nas) (Type: $(type)).</description>
</rule>
<rule id="100026" level="12">
<decoded_as>synology-backup-details</decoded_as>
<match>failed|error|cancelled</match>
<description>Synology backup/restore task failed on $(nas).</description>
<mitre><id>T1490</id></mitre>
</rule>
<!-- System Events -->
<rule id="100030" level="3">
<decoded_as>synology-system-details</decoded_as>
<description>Synology system event: $(action) $(status) to $(hostname) (IP: $(ip), Server: $(server)).</description>
</rule>
<!-- Resource Metrics (with thresholds) -->
<rule id="100040" level="3">
<decoded_as>synology-resource-details</decoded_as>
<description>Synology resources on $(nas): CPU=$(cpu)% RAM=$(ram)% DISK=$(disk)%.</description>
</rule>
<rule id="100041" level="10">
<decoded_as>synology-resource-details</decoded_as>
<field name="cpu">\>90</field>
<description>CPU usage exceeded 90% on $(nas).</description>
</rule>
<rule id="100042" level="10">
<decoded_as>synology-resource-details</decoded_as>
<field name="ram">\>90</field>
<description>RAM usage exceeded 90% on $(nas).</description>
</rule>
<rule id="100043" level="10">
<decoded_as>synology-resource-details</decoded_as>
<field name="disk">\>90</field>
<description>Disk usage exceeded 90% on $(nas).</description>
</rule>
<rule id="100044" level="3">
<decoded_as>synology-network-status-details</decoded_as>
<description>Synology network port $(interface) status: $(status).</description>
</rule>
<rule id="100045" level="7">
<decoded_as>synology-network-status-details</decoded_as>
<match>DOWN</match>
<description>Synology network port $(interface) is DOWN.</description>
</rule>
<rule id="100046" level="3">
<decoded_as>synology-network-traffic-details</decoded_as>
<description>Synology traffic on $(interface): Inbound=$(inbound_num) $(inbound_unit), Outbound=$(outbound_num) $(outbound_unit).</description>
</rule>
<rule id="100047" level="10">
<decoded_as>synology-network-traffic-details</decoded_as>
<field name="inbound_num">\>500</field>
<field name="inbound_unit">Mbps</field>
<description>Inbound traffic on $(interface) exceeded 500 Mbps.</description>
</rule>
<rule id="100048" level="10">
<decoded_as>synology-network-traffic-details</decoded_as>
<field name="outbound_num">\>500</field>
<field name="outbound_unit">Mbps</field>
<description>Outbound traffic on $(interface) exceeded 500 Mbps.</description>
</rule>
</group>
Everything provided should serve as a guide rather than being assumed as a direct solution to the issue.
CPU/RAM/Disk (one script):
#!/bin/bash
CPU=$(top -bn1 | grep "Cpu(s)" | awk '{print $2 + $4}')
RAM=$(free -m | awk '/Mem/{printf "%.2f", $3/$2*100}')
DISK=$(df -h /volume1 | awk 'NR==2 {gsub("%",""); print $5}') # Adjust /volume1 to your volume
logger "Synology Resource: CPU=${CPU}% RAM=${RAM}% DISK=${DISK}% on $(hostname)"
Assumed Logs: "Synology Resource: CPU=XX% RAM=YY% DISK=ZZ% on NAS-WSI-02"
Network Ports Status (LAN1-4; assumes eth0-3):
#!/bin/bash
for i in 0 1 2 3; do
IFACE="eth$i"
STATUS=$(ip link show $IFACE | grep "state" | awk '{print $9}')
logger "Synology Network: Interface $IFACE status=$STATUS"
done
Assumed Logs: "Synology Network: Interface eth0 status=UP"
Inbound/Outbound Traffic per Interface (after vnstat install):
#!/bin/bash
for i in 0 1 2 3; do
IFACE="eth$i"
TRAFFIC=$(vnstat -i $IFACE -tr 5 | grep "rx" | awk '{print "in=" $2 $3 ", out=" $8 $9}')
logger "Synology Network Traffic: Interface $IFACE $TRAFFIC"
done
Assumed Logs: "Synology Network Traffic: Interface eth0 in=500 Mbps, out=100 Mbps" (vnstat samples over 5s; adjust for accuracy).
For Visualization, I recommend going through our documentation, creating custom dashboards
You can create visualizations like file actions table, login events chart, resources gauges, and any other visualization available in our guide. Things to also cross-check: the rule IDs assigned should not clash with any existing rule IDs in your environment, or they may not work. You can also learn more about creating more custom decoders and rules for yourself from our documentation.