It is easy to send and parse Synology DSM logs into Elasticsearch with Logstash.
Configure Logstash
input {
  syslog {
    port => PORT
    type => "RFC3164"
    tags => ["syslog", "synology"]
  }
}

output {
  # field references are case-sensitive: the field set by the input is "tags"
  if "synology" in [tags] {
    elasticsearch {
      hosts => ["localhost"]
      index => "synology-%{+YYYY.MM}"
    }
  }
}
Remember to open PORT TCP/UDP in firewalls. I used 5140 as PORT.
Enable sending logs from Synology DSM to Logstash
Install Log Center from the Package Center.
In Log Center -> Log Sending, enable "Send logs to a syslog server" and fill in:
- Server: LOGSTASHIP
- Port: PORT
- Transfer protocol: TCP
- Log format: BSD (RFC 3164)
I prefer TCP but you can also send with UDP.
How to view data in Kibana?
If you added my Configure Logstash part to your Logstash, your logs should already be in Elasticsearch.
Since DSM uses a well-known logging format, I just used the syslog plugin in Logstash and set the type to RFC3164, so there is no need to grok.
Notice that in my configuration Elasticsearch is on the same server as Logstash.
Now to view the data in Kibana.
Management -> Kibana Index patterns -> Create index pattern -> Index pattern: synology-*
Time Filter field name: @timestamp (this means the time Elasticsearch got the information, not the time on the log. You can change this later if you want)
Now you should have the synology-* index pattern in Kibana, and the Elasticsearch indices are as specified in the Logstash output example: synology-2020.01
I use monthly Elasticsearch indices because there is not a lot of data and I don't want too many small shards in Elasticsearch.
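To see what the syslog input actually extracts from a DSM line before it lands in Kibana, here is a small added example (my own code, not part of the original post or of Logstash). It parses BSD-syslog (RFC 3164) lines of the shape Log Center emits and returns the same field names the Logstash syslog input produces (priority, facility, severity, logsource, program, pid, timestamp, message); the facility and severity label strings are the RFC 3164 names, which differ slightly from Logstash's own labels. The sample lines, hostname and IP are constructed. It also shows the one caveat worth knowing about RFC 3164 timestamps: they carry no year and no timezone, so whatever consumes them has to assume both. The send_lines helper writes newline-delimited messages to a Logstash syslog input on an assumed host and the 5140 port used above; the Logstash syslog input does the RFC 3164 parsing itself, the type option only labels the events.

```python
"""Parse and ship BSD-syslog (RFC 3164) lines in the shape Synology Log Center sends."""
import re
import socket
from datetime import datetime, timezone

# Constructed sample lines (hostname, user and IP are made up) in the BSD (RFC 3164)
# format that Log Center emits when "Log format: BSD (RFC 3164)" is selected.
SAMPLE_LINES = [
    "<38>Jan  5 13:07:42 diskstation Connection: User [admin] from [192.0.2.10] logged in successfully via [DSM].",
    "<13>Jan  5 13:09:01 diskstation System: Package [LogCenter] has been successfully installed.",
]

# Facility/severity names from RFC 3164 section 4.1.1 (Logstash's syslog input uses
# its own, slightly different label strings; the numeric codes are what matter).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice",
              "informational", "debug"]

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}

HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                              # PRI part
    r"(?P<mon>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2}) "    # TIMESTAMP, day is space-padded
    r"(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2}) "
    r"(?P<host>\S+) "                                   # HOSTNAME
    r"(?P<msg>.*)$"                                     # MSG (TAG + CONTENT)
)
# TAG is "program" or "program[pid]" followed by a colon
TAG_RE = re.compile(r"^(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<content>.*)$")


def parse_rfc3164(line, year=None):
    """Return the fields the Logstash syslog input exposes, or None if the line does
    not match the RFC 3164 header. RFC 3164 timestamps carry no year and no timezone,
    so the caller supplies the year (default: the current year) and the time is
    interpreted as UTC here; any consumer has to make the same kind of assumption."""
    m = HEADER_RE.match(line)
    if not m or m["mon"] not in MONTHS:
        return None
    pri = int(m["pri"])
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI value
        return None
    if year is None:
        year = datetime.now(timezone.utc).year
    ts = datetime(year, MONTHS[m["mon"]], int(m["day"]),
                  int(m["hh"]), int(m["mm"]), int(m["ss"]), tzinfo=timezone.utc)
    fields = {
        "priority": pri,
        "facility": pri >> 3,          # PRI = facility * 8 + severity
        "severity": pri & 7,
        "facility_label": FACILITIES[pri >> 3],
        "severity_label": SEVERITIES[pri & 7],
        "timestamp": ts,
        "logsource": m["host"],
        "message": m["msg"],
        "program": None,
        "pid": None,
    }
    t = TAG_RE.match(m["msg"])
    if t:
        fields["program"] = t["program"]
        fields["pid"] = int(t["pid"]) if t["pid"] else None
    return fields


def send_lines(lines, host, port=5140, tcp=True):
    """Ship lines to a Logstash syslog input (host is an assumed address). Over TCP
    the input reads one message per line, so each line is newline-terminated; over
    UDP each message is its own datagram. Returns the number of bytes sent over TCP
    or the number of datagrams sent over UDP."""
    if tcp:
        payload = "".join(l.rstrip("\n") + "\n" for l in lines).encode()
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall(payload)
        return len(payload)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for l in lines:
            s.sendto(l.rstrip("\n").encode(), (host, port))
    return len(lines)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_rfc3164(line, year=2020))
```

Running the block prints the parsed fields for the two constructed lines; pointing send_lines at your Logstash host lets you confirm that the same fields show up under the synology-* index pattern in Kibana.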
Hi, thanks for the article! I’ve been reading up on input plugins for Logstash here: https://www.elastic.co/guide/en/logstash/current/plugins-inputs-syslog.html but I’m a little confused. Is there any installation necessary here or is it sufficient to just create this .conf file in Logstash? Some input plugins found on GitHub seem to require installation, e.g. https://github.com/logstash-plugins/logstash-input-syslog
What am I missing here? Is there a difference between “syslog module”, as you call it, and a Logstash-plugin?
Ah, I will change “syslog module” to “syslog plugin” in my previous comment. Thanks!
I installed Logstash from the Elastic repositories and it contained logstash-input-syslog and many other plugins. So I only needed to add the conf into the conf.d folder.
To check what plugins you have installed: logstash/bin/logstash-plugin list --verbose
I have Logstash now on Debian 10 and it installed those bin files into /usr/share/logstash/bin/
So the full path: /usr/share/logstash/bin/logstash-plugin list --verbose
https://www.elastic.co/guide/en/logstash-versioned-plugins/current/input-syslog-index.html