
Wrong synology DSM parser

Open eabalea opened this issue 2 years ago • 2 comments

New installation of crowdsec on my Synology NAS running DSM 7.1.1-42962 Update 3. cscli decisions list shows nothing but my NAS is constantly tested for external authentication, and cscli metrics shows very few parsed lines in the logs.

On parser crowdsecurity/synology-dsm-logs:

  • there's a filter "evt.Parsed.program == 'synoscgi_SYNO.API.Auth_7_login'";
  • the file /var/log/synoplugin.log is parsed for events following the pattern 'pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=%{IP_WORKAROUND:src_ip}'.

File /var/log/synoplugin.log logs events like this: 2023-01-08T12:25:52+01:00 mynas synoscgi_SYNO.API.Auth_3_login[27043]: plugin_action.c:317 synoplugin: [27043][POST][weblogin][MAIN] Scripts=[secure_login_logger,user-preference-check-permission.sh]; Args=[IS_KNOWN_DEVICE=no,IP=93.215.20.167,STATUS=fail,TYPE=passwd,SESSION=webui,RESULT=-2,AGENT=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36,USER=rino1,API_VERSION=3]

While file /var/log/auth.log contains the corresponding line for the same event: 2023-01-08T12:25:48+01:00 mynas synoscgi_SYNO.API.Auth_3_login[27043]: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=93.215.20.167

The pattern matches file /var/log/auth.log, but there's more data in synoplugin.log. And anyway, the filter is wrong.

eabalea avatar Jan 08 '23 11:01 eabalea

I have the same issue.

It doesn't only affect the DSM parser. Other parsers that rely on the syslog parser don't work either.

The issue is that the format of Synology's auth.log doesn't match the format of the syslog parser. Here is a simple way to show it with an actual line from auth.log:

cscli explain --log "2023-04-27T19:18:46-05:00 nas_DS920Plus synoscgi_SYNO.API.Auth_7_login[15473]: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=23.19.122.234" --type syslog

The above produces a parser failure of "crowdsecurity/syslog-logs" which means the raw parser isn't able to parse it.

To work around it, I created my own parser type (i.e. replaced "syslog" with "synology-auth" in the acquis file) and modified the filter line in the scenario yaml to be: filter: "evt.Parsed.program == 'synology-auth'"

kociubin avatar Apr 28 '23 02:04 kociubin

In the Synology documentation there seem to be different versions of SYNO.API; the filter only specifies version 7, and this should be modified. Thanks to Loz I was able to fix it and it works now.

tested filter: "evt.Parsed.program matches 'synocgi_SYNO.API.Auth_[1-9]_login'" or untested filter: "evt.Parsed.program matches 'synocgi_SYNO.API.Auth_\d_login'"

SuperThicc avatar May 22 '23 06:05 SuperThicc
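The two problems raised in this thread (the syslog-shaped raw parser not accepting Synology's `RFC3339 host program[pid]: message` lines, and the DSM parser's filter being pinned to `Auth_7_login`) can be reproduced in a few lines. The following is an added example, not code from the crowdsec hub or from anyone in this thread: it parses constructed copies of the two line formats quoted above (placeholder hostname, IP, user and user agent), accepts any API version in the program name as spelled in the quoted logs, and extracts the source IP from both auth.log and synoplugin.log.

```python
import re
from typing import Optional

# Constructed sample lines modelled on the two formats quoted in the issue
# (hostname, IP, user and AGENT are placeholders, not real data).
AUTH_LINE = ("2023-01-08T12:25:48+01:00 mynas synoscgi_SYNO.API.Auth_3_login[27043]: "
             "pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= "
             "ruser= rhost=192.0.2.10")
PLUGIN_LINE = ("2023-01-08T12:25:52+01:00 mynas synoscgi_SYNO.API.Auth_3_login[27043]: "
               "plugin_action.c:317 synoplugin: [27043][POST][weblogin][MAIN] "
               "Scripts=[secure_login_logger,user-preference-check-permission.sh]; "
               "Args=[IS_KNOWN_DEVICE=no,IP=192.0.2.10,STATUS=fail,TYPE=passwd,"
               "SESSION=webui,RESULT=-2,AGENT=Mozilla/5.0 (X11; Linux) Gecko/20100101,"
               "USER=alice,API_VERSION=3]")

# DSM writes "<RFC 3339 timestamp with offset> <host> <program>[<pid>]: <message>";
# the classic BSD syslog shape "Jan  8 12:25:48 host prog[pid]:" does not match it.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<program>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Version-agnostic program filter (the hub parser hard-codes Auth_7_login).
PROGRAM_RE = re.compile(r"^synoscgi_SYNO\.API\.Auth_\d+_login$")
AUTH_FAIL_RE = re.compile(r"pam_unix\(webui:auth\): authentication failure; .*rhost=(?P<src_ip>\S+)$")
PLUGIN_ARGS_RE = re.compile(r"Args=\[(?P<args>.*)\]$")


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of a failed web-login event, or None if the line is not one."""
    m = SYSLOG_RE.match(line)
    if not m or not PROGRAM_RE.match(m["program"]):
        return None
    event = {"ts": m["ts"], "host": m["host"], "program": m["program"], "pid": int(m["pid"])}
    a = AUTH_FAIL_RE.search(m["msg"])
    if a:
        event.update(source="auth.log", src_ip=a["src_ip"], status="fail")
        return event
    p = PLUGIN_ARGS_RE.search(m["msg"])
    if p:
        # AGENT may itself contain commas; split only on commas that start a new KEY=.
        pairs = re.split(r",(?=[A-Z_]+=)", p["args"])
        args = dict(kv.split("=", 1) for kv in pairs)
        if args.get("STATUS") != "fail":
            return None
        event.update(source="synoplugin.log", src_ip=args.get("IP"), status="fail",
                     user=args.get("USER"), api_version=args.get("API_VERSION"))
        return event
    return None
```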