This parser extracts fields from Synology SYSLOG messages using grok patterns, mapping them to the UDM. It handles various log formats, identifies user logins and resource access, and categorizes events based on keywords, enriching the data with vendor and product information.
Before you begin
Ensure that you have the following prerequisites:
Google SecOps instance.
Privileged access to Synology DSM.
Set up feeds
To configure a feed, follow these steps:
Go to SIEM Settings>Feeds.
Click Add New Feed.
On the next page, click Configure a single feed.
In the Feed name field, enter a name for the feed; for example, Synology Logs.
Select Webhook as the Source type.
Select Synology as the Log type.
Click Next.
Optional: Specify values for the following input parameters:
Split delimiter: the delimiter that is used to separate log lines, such as \n.
Ingestion labels: the label applied to the events from this feed.
Click Next.
Review the feed configuration in the Finalize screen, and then click Submit.
Click Generate Secret Key to generate a secret key to authenticate this feed.
Copy and store the secret key. You cannot view this secret key again. If needed, you can regenerate a new secret key, but this action makes the previous secret key obsolete.
From the Details tab, copy the feed endpoint URL from the Endpoint Information field. You need to specify this endpoint URL in your client application.
Recommendation: Specify the API key as a header instead of specifying it in the URL.
If your webhook client doesn't support custom headers, you can specify the API key and secret key using query parameters in the following format:
ENDPOINT_URL?key=API_KEY&secret=SECRET
Replace the following:
ENDPOINT_URL: the feed endpoint URL.
API_KEY: the API key to authenticate to Google Security Operations.
SECRET: the secret key that you generated to authenticate the feed.
Creating a Webhook in Synology for Google SecOps
Sign in to DiskStation Manager (DSM) on your Synology NAS.
Go to Control Panel>Notification>Webhook.
Click Add.
Specify values for the following parameters:
Provider: Select Custom.
Rule: Select what kind of messages you want to send in your webhook.
Click Next.
Provider name: Give the webhook a distinctive name (for example, Google SecOps).
Subject: Will be added as a prefix of the notification message.
Webhook URL: Enter ENDPOINT_URL.
Select Send notification messages in English.
Click Next.
HTTP Method: Select POST.
Add Header X-Webhook-Access-Key, with SECRET value.
Add Header X-goog-api-key, with API_KEY value.
Click Apply.
Click Apply to save the webhook.
UDM Mapping Table
Log field
UDM mapping
Logic
app
target.application
The value of the app field extracted by the grok filter is assigned to target.application.
desc
metadata.description
The value of the desc field extracted by the grok filter is assigned to metadata.description.
desc
target.file.names
If the desc field contains "Closed)", the file path within the parentheses is extracted and assigned to target.file.names. If the desc field contains "accessed shared folder", the folder path within the brackets is extracted and assigned to target.file.names.
host
principal.hostname
The value of the host field extracted by the grok filter from the host_and_ip field is assigned to principal.hostname.
host_and_ip
principal.ip
The host_and_ip field is parsed. If an IP address (ip1) is found, it's assigned to principal.ip. If a second IP address (ip2) is found, it's also added to principal.ip.
intermediary_host
intermediary.hostname
The value of the intermediary_host field extracted by the grok filter is assigned to intermediary.hostname. An empty auth object is created within extensions if the message contains "signed in" or "sign in". The timestamp from the raw log's collection_time field is used. If the message contains "signed in" or "sign in", the value is set to USER_LOGIN. If the message contains "accessed shared folder", the value is set to USER_RESOURCE_ACCESS. Otherwise, it defaults to GENERIC_EVENT. The value of the type field extracted by the grok filter is assigned to metadata.product_event_type. The value is statically set to "SYNOLOGY". The value is statically set to "SYNOLOGY". If the message contains "failed to sign", the value is set to BLOCK. If the message contains "success", the value is set to ALLOW. If the severity field (extracted by grok) is "INFO", the value is set to INFORMATIONAL.
severity
security_result.severity
The value of the severity field extracted by the grok filter is used to determine the security_result.severity. If the value is "INFO", it's mapped to "INFORMATIONAL".
time
metadata.event_timestamp
The time field, extracted by the grok filter, is parsed and converted to a timestamp. This timestamp is then assigned to metadata.event_timestamp.
type
metadata.product_event_type
The value of the type field extracted by the grok filter is assigned to metadata.product_event_type.
user
target.administrative_domain
If a domain is extracted from the user field, it's assigned to target.administrative_domain.
user
target.user.userid
The username part of the user field (before the "\" if present) is extracted and assigned to target.user.userid. The timestamp from the raw log's collection_time field is used.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThis document provides instructions on how to collect and parse Synology SYSLOG messages within Google SecOps (Security Operations), enriching the data and mapping it to the Unified Data Model (UDM).\u003c/p\u003e\n"],["\u003cp\u003eSetting up a webhook feed in Google SecOps involves configuring a new feed, specifying "Webhook" as the source type and "Synology" as the log type, and obtaining a unique secret key and endpoint URL for authentication.\u003c/p\u003e\n"],["\u003cp\u003eCreating an API key through Google Cloud Console and restricting it to the Google Security Operations API is necessary to authenticate the webhook feed for secure data transfer.\u003c/p\u003e\n"],["\u003cp\u003eConfiguring Synology DSM to send logs via webhook requires defining a custom provider with the Google SecOps endpoint URL and including specific header values containing the API key and secret key for authentication.\u003c/p\u003e\n"],["\u003cp\u003eThe UDM mapping table details how fields from Synology logs, such as \u003ccode\u003eapp\u003c/code\u003e, \u003ccode\u003edesc\u003c/code\u003e, \u003ccode\u003ehost\u003c/code\u003e, and \u003ccode\u003euser\u003c/code\u003e, are translated and assigned to corresponding UDM fields to categorize and structure event data.\u003c/p\u003e\n"]]],[],null,["# Collect Synology logs\n=====================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nOverview\n--------\n\nThis parser extracts fields from Synology SYSLOG messages using grok patterns, mapping them to the UDM. It handles various log formats, identifies user logins and resource access, and categorizes events based on keywords, enriching the data with vendor and product information.\n\nBefore you begin\n----------------\n\nEnsure that you have the following prerequisites:\n\n- Google SecOps instance.\n- Privileged access to Synology DSM.\n\nSet up feeds\n------------\n\nTo configure a feed, follow these steps:\n\n1. Go to **SIEM Settings** \\\u003e **Feeds**.\n2. Click **Add New Feed**.\n3. On the next page, click **Configure a single feed**.\n4. In the **Feed name** field, enter a name for the feed; for example, **Synology Logs**.\n5. Select **Webhook** as the **Source type**.\n6. Select **Synology** as the **Log type**.\n7. Click **Next**.\n8. Optional: Specify values for the following input parameters:\n - **Split delimiter** : the delimiter that is used to separate log lines, such as `\\n`.\n - **Asset namespace** : the [asset namespace](/chronicle/docs/investigation/asset-namespaces).\n - **Ingestion labels**: the label applied to the events from this feed.\n9. Click **Next**.\n10. Review the feed configuration in the **Finalize** screen, and then click **Submit**.\n11. Click **Generate Secret Key** to generate a secret key to authenticate this feed.\n12. Copy and store the secret key. You cannot view this secret key again. If needed, you can regenerate a new secret key, but this action makes the previous secret key obsolete.\n13. From the **Details** tab, copy the feed endpoint URL from the **Endpoint Information** field. You need to specify this endpoint URL in your client application.\n14. Click **Done**.\n\nCreate an API key for the webhook feed\n--------------------------------------\n\n1. Go to **Google Cloud console \\\u003e Credentials**.\n\n [Go to Credentials](https://console.cloud.google.com/apis/credentials)\n2. Click **Create credentials** , and then select **API key**.\n\n3. Restrict the API key access to the **Google Security Operations API**.\n\nSpecify the endpoint URL\n------------------------\n\n1. In your client application, specify the HTTPS endpoint URL provided in the webhook feed.\n2. Enable authentication by specifying the API key and secret key as part of the custom header in the following format:\n\n X-goog-api-key = \u003cvar class=\"readonly\" translate=\"no\"\u003eAPI_KEY\u003c/var\u003e\n X-Webhook-Access-Key = \u003cvar class=\"readonly\" translate=\"no\"\u003eSECRET\u003c/var\u003e\n\n **Recommendation**: Specify the API key as a header instead of specifying it in the URL.\n3. If your webhook client doesn't support custom headers, you can specify the API key and secret key using query parameters in the following format:\n\n \u003cvar translate=\"no\"\u003eENDPOINT_URL\u003c/var\u003e?key=\u003cvar translate=\"no\"\u003eAPI_KEY\u003c/var\u003e&secret=\u003cvar translate=\"no\"\u003eSECRET\u003c/var\u003e\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eENDPOINT_URL\u003c/var\u003e: the feed endpoint URL.\n - \u003cvar translate=\"no\"\u003eAPI_KEY\u003c/var\u003e: the API key to authenticate to Google Security Operations.\n - \u003cvar translate=\"no\"\u003eSECRET\u003c/var\u003e: the secret key that you generated to authenticate the feed.\n\nCreating a Webhook in Synology for Google SecOps\n------------------------------------------------\n\n1. Sign in to DiskStation Manager (DSM) on your Synology NAS.\n2. Go to **Control Panel** \\\u003e **Notification** \\\u003e **Webhook**.\n3. Click **Add**.\n4. Specify values for the following parameters:\n\n - **Provider** : Select **Custom**.\n - **Rule**: Select what kind of messages you want to send in your webhook.\n\n | **Note:** You can a create custom rule by selecting **Create**.\n - Click **Next**.\n\n - **Provider name** : Give the webhook a distinctive name (for example, **Google SecOps**).\n\n - **Subject**: Will be added as a prefix of the notification message.\n\n - **Webhook URL** : Enter **ENDPOINT_URL**.\n\n - Select **Send notification messages in English**.\n\n - Click **Next**.\n\n - **HTTP Method** : Select **POST**.\n\n - Add Header **X-Webhook-Access-Key** , with **SECRET** value.\n\n - Add Header **X-goog-api-key** , with **API_KEY** value.\n\n - Click **Apply**.\n\n5. Click **Apply** to save the webhook.\n\nUDM Mapping Table\n-----------------\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
