Network Monitoring for $20.98

Sorry. Due to the many changes to macOS and apparent discontinuation of OmniGrowl, this approach no longer works. I don’t know if I’ll try to figure alternatives, but for now, this is just a historical document.

Looking for network monitoring of your home router and critical devices but can’t afford thousands of dollars for an enterprise-class (no, not Star Trek, think big business) event fault management system? Well, true to my name, I was looking for just such a solution.

Nasty security issues keep popping up all the time and they aren’t limited to the big boys like Target, Home Depot and JP Morgan Chase. Attacks can hit close to home like the Synolocker ransomware attack against Synology NAS users, the CryptoLocker ransomware attack against Microsoft Windows users, the shellshock vulnerability, and many others.

Scared yet? I certainly was. Read on to learn what I did…

There are easier things to do to protect yourself like using more secure passwords, not using the same password everywhere (see my post about simple security for more details), and keeping your devices updated with the latest software. But, there will always be a hack that you’re not prepared for.

What to do? Implement network monitoring of your computers, routers, NAS servers, etc. for suspicious activities. It’s what businesses should do (and many do, just not always well enough). If you think it takes a lot of money, I discovered that it can be done for just under $21 – if you’re a Mac user and have a computer that’s always on (Mac Mini, iMac, Mac Pro).

My solution relies on a few pieces of inexpensive software, a few configuration changes to some devices, and a couple of terminal commands to help link everything together. Here’s what you need*:

  • An always-on Mac to run the network monitoring and alerting. If you’re a laptop-only person, this will be a challenge. If this security is really important to you, it may be worth picking up a refurbished Mac Mini from the Apple Store.
  • Pushover – a service (and iOS app) to receive instant push notifications on your phone or tablet from a variety of sources.
  • Growl – the original notification system for the Mac. It still does stuff you can’t do with the OS X Notification Center.
  • Growl-Pushover – An action style for Growl 2.0 and higher that forwards Growl notifications to the Pushover notification service.
  • OmniGrowl – tool that lets you send notifications to Growl for all kinds of different events.

* Full disclosure: The links to Pushover and Growl are affiliate links. Using these links to buy these apps will get me a small commission. Consider it a thank you for sharing my solution with you. 😉

I know you’re thinking this is going to be complicated and require expert knowledge. Well, yes it isn’t exactly straightforward. However, if you have devices like a NAS server, multiple network components like routers and switches, you’re likely to have plenty of expertise for this endeavor. You can always start small by just monitoring the always on Mac, then move up to monitoring other devices.

Enough of the boring background. You know I don’t really need to justify why I did this because, well, GadgetComa! Let’s dive in to the details.

Step 1. Configure the monitoring server

I have a Mac Mini that I use for a media center and home automation server. This means it’s always on, running the various automation tasks. The first step was to configure it to receive logs from other devices. Mac logging is basically UNIX logging, leveraging the standard syslog approach (although Apple has added some additional management on top of it). I found that my Synology NAS server and Verizon router both allow logs to be forwarded to another device to centralize logging. Many other devices allow this, including Macs. However, the Mac OS X (the non-server variety) does not have log receiving enabled by default. This is where the first part of terminal magic is needed.

First, you’ll modify the syslog startup configuration. You’ll need to convert the com.apple.syslogd.plist file from binary to XML, add an element to enable log receiving, and convert the plist file back to binary. Here are the commands I used. (DISCLAIMER: Be sure you know what you’re doing. This worked for me, but I don’t not provide any guarantee that you won’t mess something up!) Sorry, I was channeling a lawyer for a second there. Anyway …

Convert the plist file:

cd /System/Library/LaunchDaemons
sudo plutil -convert xml1 com.apple.syslogd.plist

Edit the plist file:

sudo vi com.apple.syslogd.plist

Add the XML code shown below. It should be inserted as the last element in the Sockets element near the end of the file.

<key>NetworkListener</key>
<dict>
<key>SockServiceName</key>
<string>syslog</string>
<key>SockType</key>
<string>dgram</string>
</dict>

Save the file and exit vi.

Convert the plist file back to binary:

cd /System/Library/LaunchDaemons
sudo plutil -convert binary1 com.apple.syslogd.plist

Stop and restart the syslog daemon:

sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.syslogd.plist
sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.syslogd.plist

That’s it for step 1! You should now be able to forward logs to your Mac. But wait! If you do, then they may default to going into the main system log. That could be problematic for space reasons or for being able to easily find the messages you want to watch for. So, on to…

Step 2. Configure incoming log destinations

Mac OS X uses the asl.conf file to configure settings for the Apple System Log manager and for the Syslog daemon. You’ll want to configure entries for each incoming log file. Using query action rules in the asl.conf file will allow you to have OS X identify incoming logs and configure the files you need. You’ll put an entry in this file indicating what to search for in incoming log data, the word ‘file’ to indicate you are specifying a file location, the name of the file and parameters for log rotation. There are a number of different log data elements you can have the system look for, so review the man page for asl.conf to figure out what makes sense to you. You may have to test by having logs sent to the default OS X system log and look at the data to see what your devices send. For example, my Synology does not set the Sender element, but it does set the Host. So I set up a query action rule to look for my Synology’s host name. Assuming a device with the host name MyDevice, going to a log file called my device.log with typical log rotation settings (I won’t spell them all out – they’re in the man page), the query action rule would look like this:

? [= MyDevice] file mydevice.log rotate=seq ttl=5 compress file_max 5M all_max=50M

So, read the man page and review the incoming log data to figure out the query parameters you need, then add them to the asl.conf file.

Whew! That was fun, huh? You’re through the toughest part now. Your Mac is ready to receive incoming logs and place them in separate folders. You’ve set up log rotation so the files won’t grow continuously and gobble up disk space. Now what? How about…

Step 3. Send logs to your Mac

This one is entirely dependent upon the device you want to monitor. In Synology’s DSM console, you can set up log sending in the Log Center app. On Verizon routers (at least the recent versions), you configure logs on the System Settings screen under the Advanced settings category. Some devices just ask for the IP address of the server to send logs to. Other devices may need the port and protocol. If so, set it to UDP port 514.

You’re really flying now! You should have logs showing up on your Mac from any devices you’ve configured. Well, that’s nice, but to complete the picture, you’ll want to get notifications on your phone when something fishy happens. This part will tell you how to do that. Let’s jump in and finish this thing.

Step 4. Configure Pushover for push notifications

The first thing you’ll want to do is buy a copy of Pushover and set up your account. I’ve installed the iOS app on my iPhone and iPad, although it’s most useful on the iPhone since my iPad is wifi only. Fortunately, it’s a universal app, so you have some flexibility at no additional cost. You can also get a desktop client that sends notifications via your browser. Once you’ve set up your account, you’ll have a User Key that you’ll use to configure Growl. If like me, you end up having a lot of stuff going through Pushover (my web sites, my clients’ web sites, etc.), you may want to create an application, which will uniquely identify your home network notifications versus everything else. Once you create the application, you’ll have an API Token/Key that you can use along with your User Key to have Pushover group all notifications for any of your home monitoring into one group. If this doesn’t make sense, poke around the Pushover site and app a bit and you’ll understand.

Step 5. Configure Growl and the Pushover action for Growl

Go buy Growl and install it. Then grab a copy of Growl-Pushover and install it. To configure the Growl-Pushover settings, open the Growl preferences, go to the Displays tab and select the Pushover action. Under Notification Settings, fill in your User Key and make sure the ‘Only when this Mac is idle’ option is unchecked. If you set up an application on the Pushover site, enter the API key in the Advanced Settings section. Adjust any other settings on this screen as you prefer.

Step 6. Configure OmniGrowl

Go buy OmniGrowl and install it. OmniGrowl has a bunch of things it can notify you about through Growl. However, you probably don’t need most of them to be sent via Pushover. If you want the simple approach, disable all of the notifications except Logs and Hardware (on the Other tab). The key settings for main OmniGrowl preferences are:

OmniGrowl Settings - OmniGrowl Tab

For the Other tab, feel free to adjust these as you prefer, but I like to have the S.M.A.R.T. status, network status and power supply status issues pushed to me. Here are the settings I use:

OmniGrowl Settings - Other Tab

The Logs tab is where magic really happens. To configure logs, click the drop down (in this screen shot it displays System Log and is grayed out). Click the Edit button and make any changes you need. Make sure the notification title makes sense. The ‘Full UNIX log path’ should point to where the log file is stored. If you created separate files for devices that forward logs to your Mac, make sure you get this right. If you only provided a file name in the asl.conf file, the files will automatically be placed in /var/log. You can than create filters to control what OmniGrowl notifies you of. In the example below, I’ve chosen to include the terms login and error. Any time either of these words appear in the system log, OmniGrowl will notify me. You’ll need to figure out what you want to filter for and whether you want to use inclusion or exclusion filter. Be sure to check the ‘Enable this log’ check box and click Save.

OmniGrowl Settings - Logs Tab

Step 7. Configure Growl preferences for OmniGrowl

By default, Growl will display notifications and execute actions according to Growl’s application defaults. You will need to tell Growl to execute the Pushover action whenever OmniGrowl wants to post a notification. The easiest way to do this is to open the Growl preferences and click on the Applications tab. Select OmniGrowl and choose Pushover from the Actions drop down.

Growl Preferences

If you want more granular control over specific notifications from OmniGrowl (for example, if you want to display weather alerts on screen, but not send them to Pushover), you can click the Notifications button and change options for everything OmniGrowl could notify about.

If you’ve gotten this far (and I haven’t forgotten anything in my write up), your monitoring system is up and running. Test it out by forcing an event that you want notification for. In my case, I get notified for successful and failed login attempts on my Synology, so that’s easy to test. Keep an eye on the notifications you’re getting and the messages in the logs so you can fine tune. It will take some time to get the right balance of notifications versus noise and to make sure you capture events that are important to you.