kociubin
commented
1 year ago I have the same issue.
It doesn't only affect the DSM parser. Other parsers that rely on the syslog parser don't work either.
The issue is that the format of Synology's auth.log doesn't match the format of the syslog parser. Here is a simple way to show it with an actual line from auth.log:
cscli explain --log "2023-04-27T19:18:46-05:00 nas_DS920Plus synoscgi_SYNO.API.Auth_7_login[15473]: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=23.19.122.234" --type syslog
The above produces a parser failure of "crowdsecurity/syslog-logs" which means the raw parser isn't able to parse it.
To work around it, I created my own parser type (i.e. replaced "syslog" with "synology-auth" in the aquis file) and modified the filter line in the scenario yaml to be: filter: "evt.Parsed.program == 'synology-auth'"
OoSTARTERoO
New installation of crowdsec on my Synology NAS running DSM 7.1.1-42962 Update 3. cscli decisions list shows nothing but my NAS is constantly tested for external authentication, and cscli metrics shows very few parsed lines in the logs.
On parser crowdsecurity/synology-dsm-logs:
File /var/log/synoplugin.log logs events like the this: 2023-01-08T12:25:52+01:00 mynas synoscgi_SYNO.API.Auth_3_login[27043]: plugin_action.c:317 synoplugin: [27043][POST][weblogin][MAIN] Scripts=[secure_login_logger,user-preference-check-permission.sh]; Args=[IS_KNOWN_DEVICE=no,IP=93.215.20.167,STATUS=fail,TYPE=passwd,SESSION=webui,RESULT=-2,AGENT=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36,USER=rino1,API_VERSION=3]
While file /var/log/auth.log contains the corresponding line for the same event: 2023-01-08T12:25:48+01:00 mynas synoscgi_SYNO.API.Auth_3_login[27043]: pam_unix(webui:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=93.215.20.167
The pattern matches file /var/log/auth.log, but there's more data in synoplugin.log. And anyway, the filter is wrong.