Qnap Qts

LogZilla App Store application: Qnap Qts

Overview

QNAP QTS is a Linux-based operating system for QNAP Network Attached Storage (NAS) devices. QTS provides file storage, sharing, backup, virtualization, and multimedia applications for home and business users.

App Function

  • Parse QNAP QTS connection logs for file access and authentication events
  • Extract user, source IP, computer name, and action metadata
  • Categorize events by Event Class (auth, system)
  • Map authentication failures to MITRE ATT&CK T1110 (Brute Force)
  • Alert on login failures and file deletions

Vendor Documentation

Device Configuration

Configure the QNAP NAS to forward syslog messages to LogZilla:

  1. Open QuLog Center from the QTS desktop
  2. Navigate to QuLog Service > Log Sender > Send to Syslog Server
  3. Enable Send logs to a remote syslog server
  4. Click Add Destination
  5. Enter the LogZilla server IP address in Hostname/IP Address
  6. Set Port to 514
  7. Select Transfer protocol (UDP or TCP)
  8. Select Log type (Event logs, Access logs, or both)
  9. Click Apply

Verification

Perform a file operation or login attempt, then verify events appear in LogZilla with Vendor: QNAP.

Incoming Log Format

QNAP QTS connection logs use a structured format:

text
<date> <hostname> <pid> conn log: Users: <user>, Source IP: <ip>,
Computer name: <computer>, Connection type: <protocol>,
Accessed resources: <resource>, Action: <action>

Parsed Metadata Fields

Tag NameExampleDescription
VendorQNAPDevice vendor
ProductQTSDevice product
Event ClassauthCross-vendor event classification
UseradminUsername performing the action
SrcIP192.168.1.100Source IP address
Computer NameWORKSTATION01Client computer name
Connection TypesmbProtocol (smb, ftp, afp, nfs, webdav)
ActionLogin OKAction performed
Resourcefile.txtAccessed file or folder
MitreIdT1110MITRE ATT&CK technique ID
MITRE TacticCredential AccessMITRE ATT&CK tactic

Log Examples

File Write

text
Jan  1 00:00:00 nas01 1234 conn log: Users: jsmith, Source IP: 10.1.1.1,
Computer name: PC1, Connection type: ftp, Accessed resources: file.txt,
Action: Write

Successful Login

text
Jan  1 00:00:00 nas01 1234 conn log: Users: admin, Source IP: 192.168.1.100,
Computer name: WORKSTATION, Connection type: smb, Accessed resources: ,
Action: Login OK

Failed Login

text
Jan  1 00:00:00 nas01 1234 conn log: Users: guest, Source IP: 10.0.0.50,
Computer name: LAPTOP, Connection type: afp, Accessed resources: ,
Action: Login Fail

Triggers

TriggerDescription
QNAP: MITRE ATT&CK Threat DetectedAny event with MITRE mapping
QNAP: Login FailedAuthentication failure (brute force indicator)
QNAP: Login SuccessSuccessful login (audit trail)
QNAP: File DeletedFile deletion (potential data loss)
Qnap Qts | LogZilla Documentation