Getting a QNAP NAS to Log to my Graylog instance
Running old embedded devices is a pain not to mention a major security risk. But if you are like me and are stuck with it sometimes you can take solace in software repo projects like Entware. In this case I needed to centralize all the disparate system logs on the network so I could find issues BEFORE they cause real trouble. The problem is the QNAP NAS I had could only send system logs over unencrypted UDP.
That's just not good enough, especially as I want to use client certs down the line. The simplest solution I found was to install syslog-ng to redirect the logs securely.
Note: I'm using a letsencrypt cert to make my life simpler
Setting up the NAS
Install Entware by downloading the .qpkg
file, navigating to the NAS in the web browser and then selecting the install manually option in the app center.
SSH into the NAS and install syslog-ng
opkg update opkg install syslog-ng
Configure syslog-ng by editing /opt/etc/syslog-ng.conf
# Important set the right config file version @version: 3.20 options { }; # Listen to local syslog connection source localhostudp { udp( ip("127.0.0.1") port(1514) ); }; # Forward to remote graylog server over tls to port 1514 # To Implement Client Cert destination graylog_loghost { network( "example.com" port(1514) transport("tls") tls( ca_dir("/opt/sbin/cadir") ) ); }; # Enable both source and destination log { source(localhostudp); destination(graylog_loghost); };
Set up the Letsencrypt CA by downloading the TrustID X3 Root Certificate (formallyu known as DST Root CA X3). We then need to discover the hash of the certificate using openssl. Syslog-ng requires as simlink named with the certificate hash.
The hash should be 2e5ac55d
/opt/sbin/cadir wget https://github.com/letsencrypt/website/raw/master/static/certs/trustid-x3-root.pem openssl x509 -noout -hash -in trustid-x3-root.pem ln -s /opt/sbin/cadir/trustid-x3-root.pem /opt/sbin/cadir/2e5ac55d.0
Via the web admin, set the NAS to log to 127.0.0.1
with the local port 1514
. This can be found in Systems Logs in the Systems Settings category.
Ensure syslog-ng isn't running then test in the foreground for any errors
/opt/etc/init.d/S01syslog-ng stop /opt/sbin/syslog-ng -Fvde
If no errors appear you can then start syslog-ng
/opt/etc/init.d/S01syslog-ng start
Graylog Notes
Graylog doesn't appear to directly accept the format sent via syslog-ng. While it is possible to change the format in syslog-ng I didn't figure out the best way to do it. My solution was to set the input to Raw/Plaintext TCP
and then run a GROK pattern extractor when matching the conn log
string
%{DATA} qlogd\[9147\]: %{DATA:facility}: Users: %{DATA:NAS_user}, Source IP: %{IP:NAS_src}, Computer name: %{DATA:NAS_id}, Connection type: %{DATA:NAS_connection}, Accessed resources: %{DATA:NAS_resource}, Action: %{GREEDYDATA:NAS_action}