Request for Detailed Synology NAS Rules/Decoders and Dashboard Guidance for Wazuh


Tuấn Minh

Sep 25, 2025, 5:38:34 AM
to Wazuh | Mailing List

Hi Wazuh Community,

I am currently working on setting up a comprehensive monitoring system for my Synology NAS devices using Wazuh 4.7. I have been following the guidance provided in this repository: https://github.com/Tomo-9925/wazuh-synology-dsm-decoder-and-rules, which is very helpful for login/logout events and basic backup monitoring.

However, for my system, I need a more complete setup, and I am missing critical information to achieve full coverage. Specifically, I am looking to monitor and log the following on Synology NAS:

  1. System Resource Usage:

    • CPU usage

    • RAM usage

    • Disk usage

    • Status of network ports (LAN1-4)

    • Inbound and outbound network traffic per interface

  2. User Activity:

    • Login and logout events

    • Failed login attempts and brute-force detection

  3. Job and Task Monitoring:

    • Backup and restore tasks

    • All modifications or actions performed on the NAS (file creation, modification, deletion, permissions changes, etc.)

Examples of the type of logs I want to capture:

  • “User admin failed login via SSH from IP 192.168.1.50”

  • “Backup task ‘DailyBackup’ completed successfully”

  • “File /volume1/shared/test.txt deleted by user John”

  • “CPU usage exceeded 90% on NAS-01”

  • “Inbound traffic on LAN2 exceeded 500 Mbps”

Currently, the decoders and rules provided in the GitHub repository are limited to login/logout events. There is no decoder or rule available for the system resource metrics (CPU, RAM, Disk, network interfaces) or for detailed file/task activity.

I would greatly appreciate it if the community could provide:

  • Comprehensive Synology NAS rules and decoders for Wazuh that cover all the above events

  • Example configurations for capturing CPU, RAM, disk usage, network interface stats, inbound/outbound traffic, backup/restore jobs, and file changes

  • Guidance on dashboard setup, including recommendations for visualizing critical metrics and alerts in Wazuh Dashboard

Any examples of rules, decoders, or dashboard panels would be extremely helpful, so I can build a complete monitoring system for my Synology NAS devices.

Thank you very much for your support and guidance!

Francis Timilehin Jeremiah

Sep 25, 2025, 6:38:49 AM
to Wazuh | Mailing List
Hello, please paste the log samples so that I can help you write rules and decoders.

Tuấn Minh

Sep 25, 2025, 1:02:34 PM
to Francis Timilehin Jeremiah, Wazuh | Mailing List
Hi, 

I hope this message finds you well. I have attempted to retrieve log samples from Synology, but it seems that there is nothing in the archive.log file. I'm not entirely sure, as I don't recall the specific path where Wazuh stores the syslog logs sent from Synology. Could you please clarify this for me?

Additionally, I noticed that the file has a size of 0 KB. However, I explored the Wazuh Dashboard > Discover section and searched for the keyword "synology" while applying the filter "rule.group=syslog." The results still returned decoded log entries, as shown in the attached image. Most of the results correspond to rule IDs 100002 (successful login) and 100001 (failed login).

Could you assist me in locating these log samples? I look forward to your prompt response.




Francis Timilehin Jeremiah

Sep 25, 2025, 7:20:44 PM
to Wazuh | Mailing List
Hello, all logs forwarded to the Wazuh server should be in the Wazuh archives, including syslog. What file has 0 KB, the syslog file? You ought to see the other logs, since you can see logs that trigger the two rules you mentioned. Please investigate a bit further and let’s see; filter with agent.id=000 in your Discover tab.

Tuấn Minh

Sep 26, 2025, 12:08:28 AM
to Francis Timilehin Jeremiah, Wazuh | Mailing List
Hello Francis, 

I tried searching for it with the keyword "synology" in the Discover section, and it returned results as shown in the screenshot below, including agent.id=000 as you mentioned. So I think the logs sent from Synology to Wazuh have been received successfully.

However, I checked the /var/ossec/logs/archives/ directory and here is what I found: I noticed that the file archives.log is 0 KB. I also tried tail -f on it, but it returned nothing.

Additionally, there is a folder named Sep; I went into it and found many files like ossec-archive-25.json.sum and ossec-archive-25.log.sum. However, when I checked them, they seem to be just checksum files of the log content.

So, regarding the log samples you mentioned, where should I get them from?

I look forward to your reply.

Thank you 


Tuấn Minh

Sep 26, 2025, 12:08:37 AM
to Francis Timilehin Jeremiah, Wazuh | Mailing List
Hello, 

I have managed to capture logs from my Synology NAS devices. Initially, the archives.log file on the Wazuh Manager was empty because the “log all events” feature had not been enabled. After enabling it with <logall_json>yes</logall_json>, I am now able to retrieve the raw JSON logs.

The attached log samples are provided below. My goal is to display clearly each individual action being performed on the Synology NAS on the Wazuh Dashboard, with appropriate severity levels corresponding to the events.

Could you please help me write the appropriate decoders and rules based on these log samples?

These are some of the log samples at the current moment. Please help me write the appropriate decoders and rules based on these logs first. In the future, if additional log samples become available, I will send them as well.  

One additional point: after reviewing the attached JSON file, I do not see any logs related to Synology resource metrics such as CPU, disk, or RAM usage. Is there a way to capture these real-time resource logs as well?

Many thanks!


Wazuh-Synology-Log-Samples.txt
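
Added example (not part of the thread, and not code from Wazuh or the linked repository): once archiving is enabled, a script like this pulls one representative raw line per message shape out of archives.json, which is the set of samples needed for writing decoders. It assumes each line is a JSON event with `location` and `full_log` fields and that `location` holds the NAS source address; the address and log texts below are constructed.

```python
import json
import re
from collections import OrderedDict

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
NUM = re.compile(r"\b\d+\b")
SYSLOG_TS = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} ")

def shape(full_log):
    """Mask timestamp, IPs and numbers so events of one kind share a key."""
    text = SYSLOG_TS.sub("", full_log)
    text = IPV4.sub("<IP>", text)
    return NUM.sub("<N>", text)

def collect_samples(lines, nas_locations):
    """Return {shape: {"count": n, "sample": first raw line}} for NAS events."""
    samples = OrderedDict()
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank line or a line still being written
        if not isinstance(event, dict) or event.get("location") not in nas_locations:
            continue  # not an event from one of the NAS devices
        raw = event.get("full_log", "")
        entry = samples.setdefault(shape(raw), {"count": 0, "sample": raw})
        entry["count"] += 1
    return samples

def _event(location, full_log):
    # Helper for building the constructed sample input below.
    return json.dumps({"agent": {"id": "000"}, "location": location,
                       "full_log": full_log})

# Constructed input: NAS address (assumed 192.168.1.20) and messages are made up.
SAMPLE_ARCHIVES = [
    _event("192.168.1.20", "Sep 26 00:01:02 NAS-01 Connection: User [admin] "
           "from [192.168.1.50] failed to log in via [SSH]"),
    _event("192.168.1.20", "Sep 26 00:01:09 NAS-01 Connection: User [admin] "
           "from [192.168.1.51] failed to log in via [SSH]"),
    _event("192.168.1.20", "Sep 26 02:00:00 NAS-01 Backup: Backup task "
           "[DailyBackup] completed successfully"),
    _event("/var/log/auth.log", "Sep 26 02:00:05 manager sshd[812]: session opened"),
    '{"agent": {"id": "000"}, "locat',  # truncated tail line
]

if __name__ == "__main__":
    found = collect_samples(SAMPLE_ARCHIVES, {"192.168.1.20"})
    for entry in found.values():
        print(f'{entry["count"]:>4}  {entry["sample"]}')
```

On a manager, pass the open file `/var/ossec/logs/archives/archives.json` as `lines` and the real NAS address as `nas_locations`.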