Ubiquiti UniFi is a family of monitoring products that range from wireless access points, routers, switches, security cameras, and controllers (cloud or on-prem), all working together to provide a cohesive overview of your environment. This technology pack will process UniFi log messages for UniFi OS, UniFi Network, and UniFi Protect by providing normalization and enrichment for common events of interest.
UniFi devices running UniFi OS 3.0+, Network 7.3+, and Protect 2.7+
Graylog Server with a valid enterprise license, running Graylog version 4.3.0 or later
This technology pack includes one stream:
“Illuminate:Ubiquiti UniFi Messages”
Index Set Configuration
This technology pack includes one index set definition:
“Ubiquiti Unifi Logs”
Log Format Example
APSomewhere f091234518f6,UAP-AC-Pro-Gen2-6.2.49+14111: dnsmasq: forwarded www.graylog.org to 10.10.10.10
APAnywhere f09fc2dc18f6,UAP-AC-Pro-Gen2-6.2.49+14111: /usr/sbin/hostapd: WPA: Encrypt Key Data using AES-WRAP (KEK length 16)
Due to the way UniFi controllers (e.g. Dream Machine Pro) generate some logs (syslog notation of path, process name, and process ID), identifying and parsing these logs can be difficult. To solve this problem, a UniFi specific input on the Graylog server and an Illuminate lookup override must be configured. This will allow Illuminate to treat every log sent to this input as a UniFi message by mapping the input ID to the Unifi Illuminate identification rule. This should be unique to UniFi to ensure this pack only processes UniFi logs.
Graylog Server Configuration
Create a new syslog input and choose an unused port. If an input already exists that only handles UniFi logs, use that input. If using a new or existing forwarder, create a new input as part of the forwarder setup process or use the input already associated with an existing forwarder.
Once created (or if it has already been created), click Show received messages to obtain the input ID (this will pull up a search window with the All Time timeframe. If there are a large number of logs, then you might want to adjust the timeframe to speed up the process.
Navigate to Enterprise >Illuminate and select the Customization tab.
lookup_adapter_input_routingtitle and click Edit on the right. For the
ubiquiti_unifi. For the
input_idvalue, enter the
gl2_source_inputID copied earlier.
Select Configure value to confirm.
Now, all logs sent to the configured input will be identified as a UniFi logs and will allow for proper Illuminate processing.
Enable remote logging in the UniFi Network Sytem settings page under Support.
Set Logging Levels to Auto.
The Remote Logging Location settings should be have Remote Server enabled, Syslog checked, and Host details filled out (remote IP and port). The port is especially important when configuring UniFi logging as it must match the port configured for the input above in the Graylog Server Configuration section.
What is Provided
Rules to normalize and enrich Ubiquiti UniFi log messages
Ubiquiti UniFi Log Message Processing
The Illuminate processing of UniFi log messages provides the following:
Field extraction, normalization, and message enrichment for UniFi log messages
GIM Categorization of the following messages:
|UniFi Log Type||GIM Category||GIM Subcategory|
|dnsmasq||name resolution||name resolution.dns request|
|dnsmasq||name resolution||name resolution.dns request, name resolution.dns answer|
Ubiquiti UniFi Spotlight Content Pack
Spotlight content for this pack does not exist at this time.