Skip to content

Xboarder56/SYNOLOGY-DSM--DSM

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits
Event Mappings.txt
Event Mappings.txt
 
 
README.md
README.md
 
 
Regex Overrides.txt
Regex Overrides.txt
 
 
SynologyDSMCustom_ext.xml
SynologyDSMCustom_ext.xml
 
 

Repository files navigation

DSM (Synology)

Synology DSM for QRadar

This DSM config will support parsing and alerting for over 30 event types as of the current upload. I'm trying to determine all event types that will be sent over Syslog but it will take some time to map all of these so it's an ongoing process If you have any questions you can create an issue for the GitHub project or open a question/reply on the IBM QRadar CE forms located at: https://ibm.biz/qradarceforums

Note: This was built utilizing DSM 6.2.1 Update 4

QRCE Changes

  1. Create a new custom DSM called (SynologyDSM) using the DSM editor option under the admin settings window.
  2. Once the custom DSM has been created close the window and click the Log Source Extensions option in the admin settings.
  3. Click Add near the top right corner
  4. Enter a name of "SynologyDSM_ext"
  5. Select your newly created log source (SynologyDSM) that you created earlier.
  6. Click the upload button and select the file "SynologyDSMCustom_ext.xml"
  7. Click done and proceed to open the DSM menu and select your log source (SynologyDSM) that you created earlier.
  8. You will need to select Event Mappings tab in the DSM editor and create the manual entries located in the file "Event Mappings.txt"
  9. Finally, you will need to create a new log source selecting the custom Log source type we just created.

Change Log

  • 02-25-2019 - Mapped 'copied File' and 'copied Folder' event. Mapped custom property 'File Destination Path'.
  • 02-24-2019 - Mapped 'System Shutting Down', 'successfully stopped [Rsync]', 'Shared folder was deleted', 'Storage Pool was degrade' and 'Clear [System]' events.
  • 02-17-2019 - Mapped 'Software Uninstalled' event.
  • 02-17-2019 - Regex adjusted for System events. Mapped 8 additional events.
  • 02-16-2019 - Regex changed for connection events. This resolved the issue with the event 'User accessed shared folder'.
  • 02-15-2019 - Regex modified to support parsing test events. Mapped 6 additional events.
  • 02-15-2019 - Changed the regex for Connection events to allow for mapping failed logins correctly.
  • 01-25-2019 - Changed the mapping of 2 Authentication events to a subcategory of "User Login Failure/Success". This was done to make it easier for creating authentication failure rules.
  • 01-21-2019 - Mapped 2 additional events and fixed the regex for log source time for 2019.
  • 12-22-2018 - Mapped 5 additional events and adjusted regex for the Event ID to support the additional VPN event.
  • 12-20-2018 - Mapped 1 additional event.
  • 12-17-2018 - Mapped 4 additional events and adjusted regex for the Event ID to support the newly discovered events.
  • 12-17-2018 - Mapped 2 additional events.
  • 12-14-2018 - New events mapped, regex adjusted for event ID parsing of newly discovered events. Hopefully the way the regex was adjusted will help to be more universal.
  • 12-13-2018 - Mapped additional events, tweaked System regex for Event ID to parse VPN events.
  • 12-13-2018 - Initial Upload of the source code.

About

Custom QRadar DSM for parsing Synology DSM events

Resources

Readme
Activity

Stars

2 stars

Watchers

3 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published