跳至正文
KYRA MDR KYRA MDR Docs

QNAP NAS Integration

Overview

This integration collects file access logs, authentication events, SMB/FTP connections, and system events from QNAP NAS devices. QNAP devices have been specifically targeted by ransomware campaigns (e.g., DeadBolt), making security monitoring critical.

Supported OS: QTS 5.x

Prerequisites

  • A KYRA MDR Collector installed and running (Installation Guide)
  • QNAP QTS admin access
  • Network connectivity from the NAS to the collector on port 514

Configuration

Syslog Setup

  1. Log in to QTS
  2. Navigate to Control Panel > System Logs > Syslog Client
  3. Enable the syslog client and configure:
SettingValue
Server IPYour KYRA Collector IP
Port514
ProtocolTCP (recommended) or UDP
  1. Select the log types to forward
  2. Click Apply

No additional agent installation is required.

Alternative: rsyslog on QNAP (via Entware)

For advanced log forwarding with custom formatting, install rsyslog via Entware:

Terminal window
# Install rsyslog via Entware (requires Entware installed on QNAP)
opkg install rsyslog


# Create forwarding configuration
cat > /opt/etc/rsyslog.d/60-kyra-mdr.conf << 'EOF'
# Forward QNAP logs to KYRA Collector
module(load="imfile" PollingInterval="5")


# Monitor QNAP system log
input(type="imfile"
  File="/var/log/event_log"
  Tag="qnap-event:"
  Severity="info"
  Facility="local0"
  StateFile="qnap-event-state"
)


# Monitor QNAP connection log
input(type="imfile"
  File="/var/log/conn_log"
  Tag="qnap-conn:"
  Severity="info"
  Facility="local0"
  StateFile="qnap-conn-state"
)


local0.* @@<COLLECTOR_IP>:514
EOF


# Restart rsyslog
/opt/etc/init.d/S01rsyslog restart

Verify Log Reception

Terminal window
# On the KYRA Collector, verify incoming QNAP logs
sudo tcpdump -i any port 514 -A | grep -i "qnap\|NAS"


# Check rsyslog
tail -f /var/log/syslog | grep "qnap"

Collected Log Types

Log TypeSecurity UsePriority
File access logsData exfiltration, bulk download detectionCritical
Login success/failureBrute force attack detectionCritical
SMB/FTP connectionsUnauthorized access monitoringHigh
Mass file modification/deletionRansomware detection (DeadBolt, etc.)Critical
App install/removeMalicious app installation detectionMedium
System eventsDevice health and configuration changesMedium
Auto-block logsIP blocking eventsMedium

Troubleshooting

No Logs Received

  1. Verify the syslog client is enabled in Control Panel > System Logs
  2. Check that the server IP and port are correct
  3. Ensure no firewall rules block port 514 between the NAS and collector

Ransomware Protection Tips

  • Disable default admin account and use a custom admin username
  • Disable UPnP and unnecessary external access services
  • Keep QTS firmware updated to the latest version
  • Enable auto-block to limit brute force attempts

For additional help, contact kyra@seekerslab.com.