Using Log Center On Synology NAS

Events that a system logs are essential for monitoring and troubleshooting. Each Synology NAS logs system-related events in the Log Center. In addition, several applications keep their own logs. This post focuses on understanding logs and how to use them. You will learn to configure log size, search and archive logs, send and receive logs, and set up notifications.

When logged in as administrator on a new NAS, you will find Log Center in the main menu of the DSM desktop. I prefer to have it on the DSM desktop screen and create a shortcut on every NAS I manage.

If you are interested in logs on your NAS, please refer to the FAQ at the end of this post.

When you start Log Center, it greets you with a pop-up message about Advanced Functions.

The message refers to the Log Center application in the Package Center. When you look it up, you might notice it is not installed. What is happening? A little explanation will help to prevent confusion.

Basic versus advanced

DSM installs the basic version of Log Center by default on the system partition; hence, its existence is not dependent on a storage pool and volume on your disks.

You can install the advanced version from Package Center, which replaces the basic version. This version installs on a volume like most packages. The advanced version can be a Syslog server and offers an archive feature. I discuss these features below.

I strongly encourage you to install the advanced version of Log Center. It is mandatory if you use your NAS in a business environment or make it accessible from the Internet.

Both versions’ core functionality of collecting local log events is identical.

Logs and notifications

Besides logging, each Synology NAS has another tool to help you monitor and troubleshoot: notifications. The difference between the two is that you must look up logs, while the NAS sends notifications to you, typically by mail.

Some events on your NAS can generate a notification, others are logged, and some do both. Later in this post, you will learn that Log Center can create a notification when a predefined condition is met.

Please refer to How To Configure Email Notifications below to quickly set up notifications on your NAS.

Application logs

Several applications on the NAS have logs. These logs are in the application, not in the Log Center. In-app logging is available in the Central Management System, DNS Server, Hyper Backup, Migration Assistant, Snapshot Replication, Virtual Machine Manager, and VPN Server, among others.

In the remainder of this post, I discuss the different pages of the Log Center, including the advanced version.

Overview Page

Both versions of Log Center open with the Overview page. This page lets you quickly assess your NAS status before diving into details. I admit I do not use it much, but that does not mean it is useless—to the contrary. There are two items on this page.

First, a utilization graph displays the number of logs within a selectable timeframe (6 minutes, 1 hour, 6 hours, one day). You can select a longer or shorter timeframe depending on the number of log events.

Second, it shows the last 50 logs.

Logs Page

As you might have guessed, the logs are on the Logs page. The Logs page in the advanced version has some exciting extras, which I will discuss below.

The Logs page has one tab, Current, in the basic version and two tabs, Current and Archive, in the advanced version.

The basic version lets you view the local logs, which are the logs of the NAS you are logged into. 

Since the advanced version can send and receive logs, you can view logs from other servers. Notice the Local/From other servers drop-down list on the Logs page. I discuss this in the Log Sending And Receiving section below.

On the Logs page, you will find a search option. This option is a compelling feature that can help you find certain events within thousands of entries. You will find more on searching in the Searching Logs section below.

Different logs

There are five different logs, although you might only see four of them most of the time. These are the logs and the information you find in them.

  • General
    • system events like startup and shutdown, starting and stopping services, DSM and package updates, DDNS registration, user management
  • Connection
    • events about users that logged on, from which device, and through which protocol
  • File Transfer
    • events about file transfers through File Station, SMB, AFP, FTP, TFTP, and WebDAV protocols
  • Drive
    • events about changes in drive status
  • Active Backup for Business Agent
    • events about the Agent’s activity; this log appears when you install the agent on the NAS

Reading logs

Given the large number of events, finding the necessary information in a log can be daunting for a less experienced user.

The first step is to choose the correct log. Is it a system event like a system boot-up that I am after? Look in the General log. For disk-related events, select the Drive log. Is it an event that took place in a specific time frame? Do you have any idea about the event level? Is it Info, Warning, or Error?

This can help you find the information you are after. The best tip I can give you is to look regularly at the logs to familiarize yourself with them.

Searching Logs

Log Center’s search feature allows you to find specific events. This powerful tool can help you quickly find the information you need from the log.

Go to the Logs page. Select the log you want to search. Enter a keyword. Try the General log and search for ‘boot’ or ‘update’ without the quote marks.

You can fill in one or more terms and separate them with operators like AND, OR, and NOT. Operators must be typed in capital letters to be recognized as such.

For example, select the General log and type ‘boot NOT reboot’ without quote marks to look for events that include the word ‘boot’ but exclude events with ‘reboot.’ Another example is to search for package updates with ‘package AND update.’ This expression will exclude events with updates that are not package updates.

By clicking the triangular shape in the search tool, you open Advanced Search. Here, besides keywords, you can narrow your search with a date range and the severity level of the event: Info, Warning, or Error.

Notifications Page

Log Center can send you a notification, and you can define the conditions from the Log Center > Notification page. Please set up notifications first in Control Panel > Notification.

You can specify up to three conditions. The notification is sent when any condition is met.

The conditions are:

  • Number of logs per second; repeated failed login attempts is a good candidate for this condition
  • The severity level meets a predefined condition; you can choose from four options: Error, Critical, Alert, and Emergency
  • Keyword in the event: you can define up to three keywords; each field supports regular expression (regex)

Note that the General, Connection, and Drive logs have a Level field. The values are Info, Warning, and Error. The severity level for notifications can be set to Error, Critical, Alert, and Emergency.

I assess that Critical, Alert, and Emergency are different levels within Error. Info and Warning events will never fire the severity trigger for notifications.
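The three conditions and their any-of logic can be modelled in a few lines. This is an added example, not code from the original post or from Synology: the event wording, the assumed Warning level for failed sign-ins, the strict "greater than" rate comparison, and the use of Python's regex dialect are all assumptions.

```python
import re
from collections import Counter

# Severity ranks in syslog order (lower = more severe). Info and Warning rank
# below Error, so they can never satisfy a threshold of Error or higher.
RANK = {"Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3, "Warning": 4, "Info": 6}

# Constructed sample events: (timestamp, level, message). The wording is
# illustrative and not copied from a real Log Center export.
EVENTS = [
    ("2024-10-01 03:14:07", "Warning", "User [admin] from [203.0.113.5] failed to sign in"),
    ("2024-10-01 03:14:07", "Warning", "User [root] from [203.0.113.5] failed to sign in"),
    ("2024-10-01 03:14:07", "Warning", "User [guest] from [203.0.113.5] failed to sign in"),
    ("2024-10-01 03:14:09", "Info", "User [alice] from [192.0.2.10] signed in"),
    ("2024-10-01 03:20:00", "Info", "Package [Hyper Backup] updated"),
]

def fired_conditions(events, max_per_second=None, min_level=None, keywords=()):
    """Return the names of the conditions that are met for these events."""
    if len(keywords) > 3:
        raise ValueError("at most three keywords can be defined")
    fired = set()
    if max_per_second is not None:
        # Bucket events by their one-second timestamp and compare the busiest bucket.
        per_second = Counter(ts for ts, _, _ in events)
        if any(count > max_per_second for count in per_second.values()):
            fired.add("rate")
    if min_level is not None:
        if any(RANK[level] <= RANK[min_level] for _, level, _ in events):
            fired.add("severity")
    patterns = [re.compile(k) for k in keywords]
    if any(p.search(msg) for p in patterns for _, _, msg in events):
        fired.add("keyword")
    return fired

def should_notify(events, **rule):
    """A notification is sent when any one condition is met."""
    return bool(fired_conditions(events, **rule))
```

With the sample burst, a severity threshold of Error stays silent because the failed sign-ins are only Warning events; the rate and keyword conditions are the ones that catch it.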

Control Panel

Please be aware that you must set up notifications in the Control Panel to enable Log Center’s notification feature.

You can set up notifications in Control Panel, and I strongly encourage you to do so. When a service or application reaches a specific condition, it can send you a notification, for example, to your mail. For help in setting up notifications in Control Panel, please refer to How To Configure Email Notifications.

Archive Settings Page

Your NAS cannot record log events indefinitely. After a certain number of events, Log Center starts deleting old events when new events are recorded. This might not sound like a big deal, but sometimes, the event history helps diagnose a problem. When a NAS suffers a brute-force attack, the event logs quickly fill with hundreds or even thousands of events in days, erasing events from a few weeks back and older.

Another issue is that the Log Center stores local logs on the system partition, which has limited storage. When the system partition is full, problems follow; one of them is that you cannot upgrade DSM on your NAS.

When you install the advanced version of Log Center, you can archive logs. Archiving your log can solve both issues I mentioned. You can also keep track of old events and keep your system partition clean and tidy.

Look up the Storage destination for archives from the Log Center > Archive Settings page. Define a destination for log archives. I always make a /maintenance/logs folder on each NAS I manage. Next, enable the archival of local logs to offload the system partition.

Under Archive rules, you define rules to trigger the archiving of logs. The default is a size exceeding 1GB. You can change the size. Additional triggers are:

  • Number of logs greater than
  • Log time older than

The last section is about the Archive format, and allows you to define the archive log format, log compression, and separate archives according to device.

Log Sending And Log Receiving Pages

The following two pages are Log Sending and Log Receiving. They are, obviously, related. This is also referred to as the syslog server feature. The idea is to collect logs from different servers onto a single server, the syslog server.

Log receiving

Before you set up a Synology NAS as a syslog server to receive logs from other servers, configure the archive settings first, as discussed above, because the log database will grow faster than usual.

Go to the Log Center > Log Receiving page and click the Create button. The Create Rule dialog opens. Fill in the following information:

  • Name
    • give the rule a sensible name that you will understand later; a space or dash is not allowed, but an underscore is; see my tip below
  • Log format
    • use the BSD format (default) unless you specifically prefer another format; Synology NAS can send logs in both BSD and IETF
  • Transfer protocol
    • UDP or TCP; select TCP for a secure connection
  • Port
    • stick with the default 514 or specify a custom port
  • Enable secure connection (TLS/SSL)
    • only available when TCP is selected as the transfer protocol

I suggest entering the configuration of the rule in its name. For example, BSD_UDP_514 or BSD_TCP_514_TLS. Note you can create multiple rules. This way of naming helps configure the firewall.

Firewall

When you enable the firewall on the log-receiving NAS, manually add the proper rule to the firewall configuration. You will find an entry in the list of built-in applications for each rule you create. Unlike other services you install on your NAS with an enabled firewall, you do not get a firewall notification.

Certificate

The syslog or log-receiving process uses a TLS/SSL certificate to establish a secure connection. If you want to use this connection method, there are two settings to configure.

  • select the certificate to use
  • export the certificate

In Control Panel > Security > Certificate > Settings button, you link services with an available certificate. The Log Receiving service links to the default certificate. Consider potential issues when a certificate is renewed.

After creating a TCP rule with TLS/SSL, click the Export certificate button. This downloads the certificate to your computer. You can import it later on the log-sending NAS or server.

TLS/SSL Profile

Since September 2024, with Log Center 1.3.0-1667, you can select the security level for HTTPS traffic in the log receiving service. Go to Control Panel > Security > Advanced > TLS/SSL Profile Level > Custom Settings to select a different profile level if necessary.

Log sending

From the Log Sending page, you can configure the syslog server, which is where you send your logs. This can be a Synology NAS with log receiving configured or another syslog server. About the syslog server, you enter the following data:

  • Server name or IP address
  • Port
  • Transfer protocol: UDP or TCP
  • Log format: BSD or IETF
  • Enable secure connection (TLS/SSL); only available with TCP protocol
    • import certificate
  • Send test log: recommended

On a second tab, Log Filters, you configure the categories of logs you want to send to the syslog server and the priorities.

The default is that all categories and priorities, from Info to Emergency, are sent to the syslog server.
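Both log formats start with a `<PRI>` value that encodes facility and severity, which is where the priorities from Info to Emergency come from; they differ in the header that follows. The parser below is an added example, not code from the original post or from Synology. It follows the standard BSD (RFC 3164) and IETF (RFC 5424) layouts, and the sample lines, the host name `nas01`, and the message wording are constructed, not captured from a NAS.

```python
import re

# Syslog severity names indexed by numeric value (0 is the most severe).
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Info", "Debug"]

# BSD (RFC 3164): <PRI>Mmm dd hh:mm:ss HOST MESSAGE
BSD_RE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)
# IETF (RFC 5424): <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD [MESSAGE]
# Simplification: an escaped "]" inside structured data is not handled.
IETF_RE = re.compile(
    r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|(?:\[[^\]]*\])+)(?: (.*))?$", re.S)

def decode_pri(pri):
    """Split PRI into (facility, severity name): PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, SEVERITIES[pri % 8]

def parse_syslog(line):
    """Parse one BSD or IETF syslog line into a dict; raise ValueError otherwise."""
    line = line.rstrip("\r\n")
    m = IETF_RE.match(line)
    if m:
        facility, severity = decode_pri(int(m.group(1)))
        return {"format": "IETF", "facility": facility, "severity": severity,
                "timestamp": m.group(2), "host": m.group(3),
                "app": m.group(4), "message": m.group(8) or ""}
    m = BSD_RE.match(line)
    if m:
        facility, severity = decode_pri(int(m.group(1)))
        # BSD has no separate app field; the conventional "TAG: text" is split here.
        tag, sep, msg = m.group(4).partition(": ")
        return {"format": "BSD", "facility": facility, "severity": severity,
                "timestamp": m.group(2), "host": m.group(3),
                "app": tag if sep else "", "message": msg if sep else tag}
    raise ValueError("not a BSD or IETF syslog line")

# Constructed sample lines (not captured from a real NAS).
BSD_SAMPLE = "<12>Oct  1 03:14:07 nas01 Connection: User [admin] from [203.0.113.5] failed to sign in"
IETF_SAMPLE = "<10>1 2024-10-01T03:14:07+02:00 nas01 System - - - Volume [1] has crashed"
```

Note that the BSD timestamp carries no year or time zone, while the IETF timestamp carries both, which matters when you correlate events from several senders on one receiver.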

Settings History Page

This is an exciting page, although I suppose you have not lost any sleep over it. Logging can be critical, and any change to a log setting is recorded (or logged, if you wish) on this page.

Log archiving, sending, receiving, and clearing are examples of settings history.

FAQ About Logs

What is a log?
A computer device like a Synology NAS records events in a log, which helps you keep track of what happened and when.

What is the purpose of a log?
An administrator can check the device’s performance with a log. A log is a great help for troubleshooting and tracking security issues. When an administrator browses through a log, he can identify possible causes or prevent problems.

What events are logged?
Your NAS can log a wide range of events, each time-stamped. You can not configure which events are logged.

Your NAS keeps different logs depending on the services and applications you install and run on it. Note that not all applications log events.

Are events categorized?
Events are categorized into three levels: Info, Warning, and Error, each with a color code.

Where do I find logs?
Every NAS comes with an application named Log Center. In Log Center, you find four different logs: General, Connection, File Transfer, and Drive. Several applications on your NAS keep track of events in their logs.

How to read logs or find an event?
A typical scenario in which a NAS administrator would look into the logs is when a user or the NAS reports an erroneous condition.

The administrator logs in to DSM, opens Log Center or the application from which the event came, and starts browsing through the events. Because there can be thousands of events to browse through, you can make your search more selective and efficient.

You can use the Central Management System application or a cloud service like Active Insight if you manage multiple Synology NAS devices.

What is the difference between logs and notifications?
A notification is a message the NAS sends to specific users if a particular condition is met. You can configure notifications in Control Panel > Notification. Some, but not all, applications can send notifications. For example, after a backup, you can receive a notification of whether it was successful.

Can a logged event lead to a notification?
You can configure different notification rules in Log Center > Notifications. Notifications will be sent when any of the criteria are met.

How do you preserve logs?
The logs in the Log Center grow over time up to a fixed amount of space. What happens after that? Older events are erased when new events are added. Optionally, you can save older events to a file, which is also called archiving.

Thanks for reading

This post is donation-ware, and I made it to help you. Please consider leaving a comment or even buying me a coffee if it did. I will be eternally grateful.

Paul Steunebrink / Storage Alchemist
