Getting a QNAP NAS to Log to my Graylog instance

Dugite-Code — Mon, 08 Jul 2019 00:00:00 GMT

Running old embedded devices is a pain not to mention a major security risk. But if you are like me and are stuck with it sometimes you can take solace in software repo projects like Entware. In this case I needed to centralize all the disparate system logs on the network so I could find issues BEFORE they cause real trouble. The problem is the QNAP NAS I had could only send system logs over unencrypted UDP.

That's just not good enough, especially as I want to use client certs down the line. The simplest solution I found was to install syslog-ng to redirect the logs securely.

Note: I'm using a letsencrypt cert to make my life simpler

Setting up the NAS

Install Entware by downloading the .qpkg file, navigating to the NAS in the web browser and then selecting the install manually option in the app center.

SSH into the NAS and install syslog-ng

opkg update
opkg install syslog-ng

Configure syslog-ng by editing /opt/etc/syslog-ng.conf

# Important set the right config file version
@version: 3.20

options {
};

# Listen to local syslog connection
source localhostudp {
        udp( ip("127.0.0.1") port(1514) );
};

# Forward to remote graylog server over tls to port 1514
# To Implement Client Cert
destination graylog_loghost {
        network(
                "example.com" port(1514)
                transport("tls")
                tls( ca_dir("/opt/sbin/cadir") )
        );
};

# Enable both source and destination
log {
        source(localhostudp);
        destination(graylog_loghost);
};

Set up the Letsencrypt CA by downloading the TrustID X3 Root Certificate (formallyu known as DST Root CA X3). We then need to discover the hash of the certificate using openssl. Syslog-ng requires as simlink named with the certificate hash.

The hash should be 2e5ac55d

/opt/sbin/cadir
wget https://github.com/letsencrypt/website/raw/master/static/certs/trustid-x3-root.pem

openssl x509 -noout -hash -in trustid-x3-root.pem

ln -s /opt/sbin/cadir/trustid-x3-root.pem /opt/sbin/cadir/2e5ac55d.0

Via the web admin, set the NAS to log to 127.0.0.1 with the local port 1514. This can be found in Systems Logs in the Systems Settings category.

Ensure syslog-ng isn't running then test in the foreground for any errors

/opt/etc/init.d/S01syslog-ng stop

/opt/sbin/syslog-ng -Fvde

If no errors appear you can then start syslog-ng

/opt/etc/init.d/S01syslog-ng start

Graylog Notes

Graylog doesn't appear to directly accept the format sent via syslog-ng. While it is possible to change the format in syslog-ng I didn't figure out the best way to do it. My solution was to set the input to Raw/Plaintext TCP and then run a GROK pattern extractor when matching the conn log string

%{DATA} qlogd\[9147\]: %{DATA:facility}: Users: %{DATA:NAS_user}, Source IP: %{IP:NAS_src}, Computer name: %{DATA:NAS_id}, Connection type: %{DATA:NAS_connection}, Accessed resources: %{DATA:NAS_resource}, Action: %{GREEDYDATA:NAS_action}

Peek Read Info (Posts about NAS)

Getting a QNAP NAS to Log to my Graylog instance

Setting up the NAS

Graylog Notes