Events that a system logs are essential for monitoring and troubleshooting. Each Synology NAS logs system-related events in the Log Center. In addition, several applications have their own logs. This post focuses on understanding logs and how to use them. Next, you learn to configure log size, search and archive logs, set up log sending and receiving, and set up notifications.
Using Log Center On Synology NAS
When logged in as administrator on a new NAS, you will find Log Center in the main menu of the DSM desktop. I prefer to have it on the DSM desktop screen and create a shortcut on every NAS I manage.
If you are interested in logs on your NAS, please refer to the FAQ at the end of this post.
When you start Log Center, it greets you with a pop-up message about Advanced Functions.
The message refers to the Log Center application in the Package Center. When you look it up, you might notice it is not installed. What is happening? A little explanation will help to prevent confusion.
Basic versus advanced
DSM installs the basic version of Log Center by default on the system partition; hence, its existence is not dependent on a storage pool and volume on your disks.
You can install the advanced version from Package Center, which replaces the basic version. This version installs on a volume like most packages. The advanced version can be a Syslog server and offers an archive feature. I discuss these features below.
I strongly encourage you to install the advanced version of Log Center. It is mandatory if you use your NAS in a business environment or make it accessible from the Internet.
Both versions’ core functionality of collecting local log events is identical.
Logs and notifications
Besides logging, each Synology NAS has another tool to help you monitor and troubleshoot: notifications. The difference between the two is that you must look up logs, while the NAS sends notifications to you, typically by mail.
Some events on your NAS can generate a notification, others are logged, and some do both. Later in this post, you will learn that Log Center can create a notification when a predefined condition is met.
Please refer to How To Configure Email Notifications below for quickly setting up notifications on your NAS.
Application logs
Several applications on the NAS have logs. These logs are in the application, not in the Log Center. In-app logging is available in the Central Management System, DNS Server, Hyper Backup, Migration Assistant, Snapshot Replication, Virtual Machine Manager, and VPN Server, among others.
In the remainder of this post, I discuss the different pages of the Log Center, including the advanced version.
Overview Page
Both versions of Log Center open with the Overview page. This page lets you quickly assess your NAS status before diving into details. I admit I do not use it much, but that does not mean it is useless—to the contrary. There are two items on this page.
First, a utilization graph displays the number of logs within a selectable timeframe (6 minutes, 1 hour, 6 hours, one day). You can select a longer or shorter timeframe depending on the number of log events.
Second, it shows the last 50 logs.
Logs Page
As you might have guessed, the logs are on the Logs page. The Logs page in the advanced version has some exciting extras, which I will discuss below.
The Logs page has one tab, Current, in the basic version and two tabs, Current and Archive, in the advanced version.
The basic version lets you view the local logs, which are the logs of the NAS you are logged into.
Since the advanced version can send and receive logs, you can view logs from other servers. Notice the Local/From other servers drop-down list on the Logs page. I discuss this in the Log Sending And Receiving section below.
On the Logs page, you will find a search option. This option is a compelling feature that can help you find certain events within thousands of entries. More on searching you will find in the Searching Logs section below.
Different logs
There are five different logs, although you might only see four of them most of the time. These are the logs and the information you find in them.
- General
  - system events like startup and shutdown, starting and stopping services, DSM and package updates, DDNS registration, user management
- Connection
  - events about users that logged on, from which device, and through which protocol
- File Transfer
  - events about file transfers through File Station, SMB, AFP, FTP, TFTP, and WebDAV protocols
- Drive
  - events about changes in drive status
- Active Backup for Business Agent
  - events about the Agent’s activity; this log appears when you install the agent on the NAS
Reading logs
Given the large number of events, finding the necessary information in a log can be daunting for a less experienced user.
The first step is to choose the correct log. Is it a system event like a system boot-up that I am after? Look in the General log. For disk-related events, select the Drive log. Is it an event that took place in a specific time frame? Do you have any idea about the event level? Is it Info, Warning, or Error?
This can help you find the information you are after. The best tip I can give you is to look regularly at the logs to familiarize yourself with them.
Searching Logs
Log Center’s search feature allows you to find specific events. This powerful tool can help you quickly find the information you need from the log.
Go to the Logs page. Select the log you want to search. Enter a keyword. Try the General log and search for ‘boot’ or ‘update’ without the quote marks.
You can fill in one or more terms and separate them with operators like AND, OR, and NOT. You need to type operators in capital letters to be recognized as such.
For example, select the General log and type ‘boot NOT reboot’ without quote marks to look for events that include the word ‘boot’ but exclude events with ‘reboot.’ Another example is to search for package updates with ‘package AND update.’ This expression will exclude events with updates that are not package updates.
By clicking the triangular shape in the search tool, you open Advanced Search. Here, besides keywords, you can narrow your search with a date range and the severity level of the event: Info, Warning, or Error.
Notifications Page
Log Center can send you a notification, and you can define the conditions from the Log Center > Notification page. Please set up notifications first in Control Panel > Notification.
You can specify up to three conditions. The notification is sent when any condition is met.
The conditions are:
- Number of logs per second; repeated failed login attempts is a good candidate for this condition
- The severity level meets a predefined condition; you can choose from four options: Error, Critical, Alert, and Emergency
- Keyword in the event: you can define up to three keywords; each field supports regular expression (regex)
Note that the General, Connection, and Drive logs have a Level field. The values are Info, Warning, and Error. The severity level for notifications can be set to Error, Critical, Alert, and Emergency.
I assess that Critical, Alert, and Emergency are different levels within Error. Info and Warning events will never trigger the severity condition for notifications.
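The logs-per-second and keyword conditions can be tried out offline before you enter them on the Notification page. The following Python sketch is an added example, not Synology code: the log lines, the line layout, the threshold and the keyword pattern are constructed for illustration, and "more than N events in the same second" is an assumption about how the rate condition is counted.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines (timestamp, level, message); not real NAS output.
SAMPLE_LOG = """\
2024-10-02 03:14:06 Info User [paul] from [192.0.2.10] logged in successfully via [DSM].
2024-10-02 03:14:07 Warning User [admin] from [203.0.113.7] failed to log in via [DSM] due to authorization failure.
2024-10-02 03:14:07 Warning User [root] from [203.0.113.7] failed to log in via [SSH] due to authorization failure.
2024-10-02 03:14:07 Warning User [admin] from [203.0.113.7] failed to log in via [DSM] due to authorization failure.
2024-10-02 03:14:07 Warning User [guest] from [203.0.113.7] failed to log in via [FTP] due to authorization failure.
2024-10-02 03:20:41 Info User [paul] from [192.0.2.10] signed out.
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (Info|Warning|Error) (.*)$")


def parse(text):
    """Return (timestamp, level, message) tuples; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events


def busy_seconds(events, max_per_second):
    """Rate condition: seconds in which more than max_per_second events were logged."""
    per_second = Counter(ts for ts, _, _ in events)
    return sorted(ts for ts, n in per_second.items() if n > max_per_second)


def keyword_hits(events, patterns):
    """Keyword condition: events whose message matches any of up to three regexes."""
    if len(patterns) > 3:
        raise ValueError("the Notification page offers three keyword fields")
    compiled = [re.compile(p) for p in patterns]
    return [e for e in events if any(c.search(e[2]) for c in compiled)]


def should_notify(events, max_per_second, patterns):
    """A notification is due when any configured condition is met."""
    return bool(busy_seconds(events, max_per_second) or keyword_hits(events, patterns))


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("busy seconds:", busy_seconds(evs, 3))
    print("keyword hits:", len(keyword_hits(evs, [r"failed to log in via \[(DSM|SSH)\]"])))
```

Because square brackets are regex metacharacters, a keyword such as `[DSM]` has to be written `\[DSM\]` to match the literal text.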
Control Panel
Please be aware that you must set up notifications in the Control Panel to enable Log Center’s notification feature.
You can set up notifications in Control Panel, and I strongly encourage you to do so. When a service or application reaches a specific condition, it can send you a notification, for example, to your mail. For help in setting up notifications in Control Panel, please refer to How To Configure Email Notifications.
Archive Settings Page
Your NAS cannot record log events indefinitely. After a certain number of events, Log Center starts deleting old events when new events are recorded. This might not sound like a big deal, but sometimes, the event history helps diagnose a problem. When a NAS suffers a brute-force attack, the event logs quickly fill with hundreds or even thousands of events in days, erasing events from a few weeks back and older.
Another issue is that the Log Center stores local logs on the system partition with limited storage. When the system partition is full, you cannot upgrade DSM on your NAS, to name one of the problems.
When you install the advanced version of Log Center, you can archive logs. Archiving your log can solve both issues I mentioned. You can also keep track of old events and keep your system partition clean and tidy.
Look up the Storage destination for archives from the Log Center > Archive Settings page. Define a destination for log archives. I always make a /maintenance/logs folder on each NAS I manage. Next, enable the archival of local logs to offload the system partition.
Under Archive rules, you define rules to trigger the archiving of logs. The default is a size exceeding 1GB. You can change the size. Additional triggers are:
- Number of logs greater than
- Log time older than
The last section is about the Archive format, and allows you to define the archive log format, log compression, and separate archives according to device.
Log Sending And Log Receiving Pages
The following two pages are Log Sending and Log Receiving. They are, obviously, related. This is also referred to as the syslog server feature. The idea is to collect logs from different servers onto a single server, the syslog server.
Log receiving
Before you set up a Synology NAS as a syslog server to receive logs from other servers, configure the archive settings first, as discussed above, because the log database will grow faster than usual.
Go to the Log Center > Log Receiving page and click the Create button. The Create Rule dialog opens. Fill in the following information:
- Name
  - give the rule a sensible name that you will understand later; a space or dash is not allowed, but an underscore is; see my tip below
- Log format
  - use the BSD format (default) unless you specifically prefer another format; Synology NAS can send logs in both BSD and IETF
- Transfer protocol
  - UDP or TCP; select TCP if you want a secure connection, because the TLS/SSL option below requires it
- Port
  - stick with the default 514 or specify a custom port
- Enable secure connection (TLS/SSL)
  - only available when TCP is selected as the transfer protocol
I suggest entering the configuration of the rule in its name. For example, BSD_UDP_514 or BSD_TCP_514_TLS. Note you can create multiple rules. This way of naming helps configure the firewall.
Firewall
When you enable the firewall on the log-receiving NAS, manually add the proper rule to the firewall configuration. You will find an entry in the list of built-in applications for each rule you create. Unlike other services you install on your NAS with an enabled firewall, you do not get a firewall notification.
Certificate
The syslog or log-receiving process uses a TLS/SSL certificate to establish a secure connection. If you want to use this connection method, there are two settings to configure.
- select the certificate to use
- export the certificate
In Control Panel > Security > Certificate > Settings button, you link services with an available certificate. The Log Receiving service links to the default certificate. Consider potential issues when a certificate is renewed.
After creating a TCP rule with TLS/SSL enabled, click the Export certificate button. This downloads the certificate to your computer. You can import it later on the log-sending NAS or server.
TLS/SSL Profile
Since September 2024, with Log Center 1.3.0-1667, you can select the security level for HTTPS traffic in the log receiving service. Go to Control Panel > Security > Advanced > TLS/SSL Profile Level > Custom Settings to select a different profile level if necessary.
Log sending
From the Log Sending page, you can configure the syslog server, which is where you send your logs. This can be a Synology NAS with log receiving configured or another syslog server. About the syslog server, you enter the following data:
- Server name or IP address
- Port
- Transfer protocol: UDP or TCP
- Log format: BSD or IETF
- Enable secure connection (TLS/SSL); only available with TCP protocol
  - import certificate
- Send test log: recommended
On a second tab, Log Filters, you configure the categories of logs you want to send to the syslog server and the priorities.
The default is that all categories and priorities, from Info to Emergency, are sent to the syslog server.
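The names Info through Emergency used for priorities are those of the standard syslog severity scale, which both BSD (RFC 3164) and IETF (RFC 5424) messages carry in their `<PRI>` header. The Python sketch below is an added example, not Synology code: it decodes that header, tells the two formats apart and checks a record against a severity threshold. The sample messages and host name are constructed, and treating the Log Center notification levels as these syslog severities is an assumption.

```python
import re

# Syslog severity codes shared by RFC 3164 and RFC 5424; index 0 is the most severe.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Info", "Debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")
BSD_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")
# IETF: VERSION TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA MSG (escaped ']' not handled).
IETF_RE = re.compile(r"^1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|(?:\[.*?\])+) ?(.*)$")

# Constructed sample messages; PRI = facility * 8 + severity.
SAMPLES = [
    "<12>Oct  2 03:14:07 nas01 Connection: User [admin] from [203.0.113.7] failed to log in via [DSM].",
    "<11>1 2024-10-02T03:14:09+02:00 nas01 System - - - Example error event.",
    "<10>1 2024-10-02T03:14:10+02:00 nas01 System - - - Example critical event.",
]


def parse_syslog(line):
    """Decode one syslog line into format, facility, severity, host and message."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or invalid <PRI> header")
    pri = int(m.group(1))
    rest = line[m.end():]
    rec = {"facility": pri // 8, "severity": SEVERITIES[pri % 8]}
    ietf, bsd = IETF_RE.match(rest), BSD_RE.match(rest)
    if ietf:
        rec.update(format="IETF", host=ietf.group(2), message=ietf.group(7))
    elif bsd:
        rec.update(format="BSD", host=bsd.group(2), message=bsd.group(3))
    else:
        raise ValueError("neither BSD nor IETF layout")
    return rec


def meets_threshold(record, threshold="Error"):
    """True when the record is at least as severe as the chosen level."""
    return SEVERITIES.index(record["severity"]) <= SEVERITIES.index(threshold)


if __name__ == "__main__":
    for sample in SAMPLES:
        rec = parse_syslog(sample)
        print(rec["format"], rec["severity"], meets_threshold(rec))
```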
Settings History Page
This is an exciting page, although you did not lose any sleep over it, I suppose. Logging can be critical, and any change to a log setting is recorded or logged, if you wish, on this page.
Log archiving, sending, receiving, and clearing are examples of settings history.
FAQ About Logs
What is a log?
A computer device like a Synology NAS records events in a log, which helps you keep track of what happened and when.
What is the purpose of a log?
An administrator can check the device’s performance with a log. A log is a great help for troubleshooting and tracking security issues. When an administrator browses through a log, he can identify possible causes or prevent problems.
What events are logged?
Your NAS can log a wide range of events, each time-stamped. You cannot configure which events are logged.
Your NAS keeps different logs depending on the services and applications you install and run on it. Note that not all applications log events.
Are events categorized?
Events are categorized into three levels: Info, Warning, and Error, each with a color code.
Where do I find logs?
Every NAS comes with an application named Log Center. In Log Center, you find four different logs: General, Connection, File Transfer, and Drive. Several applications on your NAS keep track of events in their logs.
How to read logs or find an event?
A typical scenario in which a NAS administrator would look into the logs is when a user or the NAS reports an erroneous condition.
The administrator logs in to DSM, opens Log Center or the application from which the event came, and starts browsing through the events. Because there are thousands of events to browse through quickly, you can make your search more selective and efficient.
You can use the Central Management System application or a cloud service like Active Insight if you manage multiple Synology NAS devices.
What is the difference between logs and notifications?
A notification is a message the NAS sends to specific users if a particular condition is met. You can configure notifications in Control Panel > Notification. Some, but not all, applications can send notifications. For example, after a backup, you can receive a notification of whether it was successful.
Can a logged event lead to a notification?
You can configure different notification rules in Log Center > Notifications. Notifications will be sent when any of the criteria are met.
How do you preserve logs?
The logs in the Log Center grow over time up to a fixed amount of space. What happens after that? Older events are erased when new events are added. Optionally, you can save older events to a file, which is also called archiving.
Paul Steunebrink / Storage Alchemist