Synology NAS Integration
Overview
This integration collects file access logs, authentication events, SMB/FTP connections, and system events from Synology NAS devices. NAS devices are primary targets for ransomware attacks, making monitoring essential for SMB environments.
Supported OS: DSM (DiskStation Manager) 7.x
Supported models: DS220+, DS420+, DS920+, DS1621+, and other DSM 7.x devices
Prerequisites
- A KYRA MDR Collector installed and running (Installation Guide)
- Synology DSM admin access
- Network connectivity from the NAS to the collector on port 514
Configuration
Syslog Setup
- Log in to DSM
- Navigate to Log Center > Log Sending
- Add a syslog server with the following settings:
| Setting | Value |
|---|---|
| Server IP | Your KYRA Collector IP |
| Port | 514 |
| Protocol | TCP (recommended) or UDP |
| Log Format | BSD syslog |
- Select the log categories to send
- Click Apply
No additional agent installation is required.
DSM UI Navigation
The full path in DSM 7.x:
- Open Control Panel
- Go to Log Center (under System section)
- Click the Log Sending tab
- Check Send log to syslog server
- Enter the KYRA Collector IP, port, and protocol
- Select log categories: General, Connection, File Transfer
- Click Apply
Enable File Transfer Logging
To capture file access events (critical for ransomware detection):
DSM > Control Panel > File Services > SMB > Advanced Settings → Enable Transfer Log: ON
DSM > Control Panel > File Services > FTP > General → Enable FTP transfer log: ON
Verify Log Reception
```bash
# On the KYRA Collector, verify incoming Synology syslog
sudo tcpdump -i any port 514 -A | grep -i "synology\|DiskStation"

# Example Synology syslog output format
# <134>Mar 15 10:23:45 DiskStation Connection: User [admin] from [192.168.1.100] logged in successfully via [DSM].
# <134>Mar 15 10:24:12 DiskStation Connection: User [admin] from [192.168.1.100] failed to log in via [DSM].
# <134>Mar 15 10:25:00 DiskStation WinFileService: User [user1] accessed shared folder [documents] with IP [192.168.1.101].

# Check that logs are arriving
tail -f /var/log/syslog | grep "DiskStation"
```
Collected Log Types
| Log Type | Security Use | Priority |
|---|---|---|
| File access logs | Data exfiltration, bulk download detection | Critical |
| Login success/failure | Brute force attack detection | Critical |
| SMB/FTP connections | Unauthorized access monitoring | High |
| Mass file modification/deletion | Ransomware detection | Critical |
| External access (QuickConnect) | Unauthorized remote access detection | High |
| Package install/remove | Malicious app installation detection | Medium |
| Auto-block logs | IP blocking events | Medium |
| Firmware updates | Vulnerability patch status tracking | Low |
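To show how the login events listed above can drive brute-force detection, the following added example (not KYRA or Synology code) parses lines in the syslog format shown under Verify Log Reception and flags source IPs with repeated failed logins. The threshold, time window, default year, and sample lines are assumptions made for illustration; message wording on a real device may differ from the sample format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Layout follows the sample lines on this page: <PRI>Mon DD HH:MM:SS host tag: msg
HEADER = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (\w+): (.*)$")
LOGIN = re.compile(r"^User \[(.*?)\] from \[(.*?)\] "
                   r"(logged in successfully|failed to log in) via \[(.*?)\]\.?$")

def parse(line, year=2024):
    """Return a dict for one syslog line, or None if the header does not match."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    pri, ts, host, tag, msg = m.groups()
    # BSD syslog timestamps carry no year, so the year is an assumption.
    event = {"facility": int(pri) >> 3, "severity": int(pri) & 7,
             "time": datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"),
             "host": host, "tag": tag, "msg": msg}
    login = LOGIN.match(msg) if tag == "Connection" else None
    if login:
        user, src, outcome, service = login.groups()
        event.update(user=user, src=src, service=service,
                     success=(outcome == "logged in successfully"))
    return event

def brute_force_sources(lines, threshold=3, window=timedelta(minutes=5)):
    """Source IPs with at least `threshold` failed logins inside a sliding window."""
    recent, flagged = defaultdict(deque), set()
    for ev in filter(None, map(parse, lines)):
        if ev.get("success") is not False:   # skip successes and non-login events
            continue
        q = recent[ev["src"]]
        q.append(ev["time"])
        while ev["time"] - q[0] > window:    # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ev["src"])
    return flagged

# Constructed sample input in the page's format (not captured traffic).
SAMPLE = [
    "<134>Mar 15 10:23:45 DiskStation Connection: User [admin] from [192.168.1.100] logged in successfully via [DSM].",
    "<134>Mar 15 10:24:12 DiskStation Connection: User [admin] from [203.0.113.7] failed to log in via [DSM].",
    "<134>Mar 15 10:24:40 DiskStation Connection: User [root] from [203.0.113.7] failed to log in via [DSM].",
    "<134>Mar 15 10:25:05 DiskStation Connection: User [admin] from [203.0.113.7] failed to log in via [DSM].",
    "<134>Mar 15 10:25:30 DiskStation WinFileService: User [user1] accessed shared folder [documents] with IP [192.168.1.101].",
]
```

Calling `brute_force_sources(SAMPLE)` returns the one address with three failures inside five minutes; tune `threshold` and `window` to the login patterns of your own environment.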
Troubleshooting
No Logs Received
- Verify the syslog server IP and port in Log Center > Log Sending
- Ensure no firewall rules block port 514 between the NAS and collector
- Confirm that Log Center is enabled and the desired categories are selected
Missing File Access Logs
- Enable File Services > SMB > Advanced > Enable transfer log
- Ensure file access logging is turned on in Log Center settings
For additional help, contact kyra@seekerslab.com.