The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

Hint: This content pack was first released in Illuminate v3.2.0.

Ubiquiti UniFi is a family of networking and physical-security products, including wireless access points, routers, switches, security cameras, and controllers (cloud or on-prem), that work together to provide a cohesive overview of your environment. This technology pack processes UniFi log messages from UniFi OS, UniFi Network, and UniFi Protect, providing normalization and enrichment for common events of interest.

Requirement(s)

  • UniFi devices running UniFi OS 3.0+, Network 7.3+, and Protect 2.7+

  • Graylog Server with a valid enterprise license, running Graylog version 4.3.0 or later

Warning This content pack requires Graylog 4.3.0 or later due to a change in functionality. Fields will be improperly processed on versions earlier than Graylog 4.3.0.

Not Supported

  • N/A

Stream Configuration

This technology pack includes one stream:

  • “Illuminate:Ubiquiti UniFi Messages”

Hint: If this stream does not exist before the pack is activated, it will be created, and the pack's processing rules will route UniFi messages to it and to the associated index set. No stream rules should be configured for this stream.

Index Set Configuration

This technology pack includes one index set definition:

  • “Ubiquiti Unifi Logs”

Hint: If this index set is already defined, nothing will be changed. If it does not exist, it will be created with a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Format Example

APSomewhere f091234518f6,UAP-AC-Pro-Gen2-6.2.49+14111: dnsmasq[4797]: forwarded www.graylog.org to 10.10.10.10

APAnywhere f09fc2dc18f6,UAP-AC-Pro-Gen2-6.2.49+14111: /usr/sbin/hostapd[16441]: WPA: Encrypt Key Data using AES-WRAP (KEK length 16)

Configuration Requirements

Because UniFi controllers (e.g. Dream Machine Pro) generate some logs in a syslog notation that combines the executable path, process name, and process ID, identifying and parsing these logs by content alone can be difficult. To solve this, configure a UniFi-specific input on the Graylog server and an Illuminate lookup override that maps that input's ID to the UniFi Illuminate identification rule. Illuminate then treats every log arriving on that input as a UniFi message, so the input must be dedicated to UniFi to ensure this pack processes only UniFi logs.

Graylog Server Configuration

  1. Create a new syslog input and choose an unused port. If an input already exists that receives only UniFi logs, use that input instead. If using a new or existing forwarder, create the input as part of the forwarder setup process, or use the input already associated with the existing forwarder.

  2. Once the input exists, click Show received messages to obtain the input ID. This opens a search window with the All Time timeframe; if there are a large number of logs, narrow the timeframe to speed up the search.

  3. Copy the gl2_source_input value.

  4. Navigate to Enterprise > Illuminate and select the Customization tab.

  5. Locate the lookup_adapter_input_routing entry and click Edit on the right. For the content_name key, enter ubiquiti_unifi. For the input_id value, enter the gl2_source_input ID copied earlier.

  6. Select Configure value to confirm.

All logs sent to the configured input are now identified as UniFi logs, which allows proper Illuminate processing.

UniFi Configuration

  1. Enable remote logging on the UniFi Network System settings page under Support.

  2. Set Logging Levels to Auto.

  3. Under Remote Logging Location, enable Remote Server, check Syslog, and fill in the Host details (remote IP and port). The port is especially important: it must match the port configured for the input in the Graylog Server Configuration section above.
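Before pointing production devices at the input, it is worth confirming that the Graylog-side port and the UniFi-side Host details agree and that messages on that port really land on the dedicated UniFi input. The following is an added example (not code from this page, from Graylog, or from Ubiquiti) that builds one RFC 3164 syslog packet whose body reuses the page's dnsmasq sample line and sends it over UDP to the input. GRAYLOG_HOST and GRAYLOG_PORT are placeholder values, and the example assumes a Syslog UDP input; for a Syslog TCP input, switch the socket type to SOCK_STREAM and terminate the message with a newline. After sending, search Graylog for gl2_source_input:<your input ID> and confirm the message appears on the UniFi input and on no other input.

```python
import socket
from datetime import datetime
from typing import Optional

# Placeholders (assumptions): the Graylog node or forwarder address and the unused
# port chosen for the UniFi syslog input in the Graylog Server Configuration section.
GRAYLOG_HOST = "192.0.2.10"
GRAYLOG_PORT = 5514

# RFC 3164 priority = facility * 8 + severity. daemon.info (3, 6) is a convenient
# default for a dnsmasq-style test message; it is not something the page specifies.
FACILITY_DAEMON = 3
SEVERITY_INFO = 6

# Constructed test message: the syslog HOSTNAME field, then the page's own dnsmasq
# sample line verbatim as the message body.
TEST_HOSTNAME = "APSomewhere"
TEST_BODY = ("f091234518f6,UAP-AC-Pro-Gen2-6.2.49+14111: dnsmasq[4797]: "
             "forwarded www.graylog.org to 10.10.10.10")


def rfc3164_timestamp(when: datetime) -> str:
    """'Mmm dd HH:MM:SS' with a space-padded day, as RFC 3164 requires."""
    return f"{when:%b} {when.day:2d} {when:%H:%M:%S}"


def build_syslog_packet(hostname: str, body: str, when: Optional[datetime] = None,
                        facility: int = FACILITY_DAEMON, severity: int = SEVERITY_INFO) -> bytes:
    """Assemble '<PRI>TIMESTAMP HOSTNAME BODY' as the bytes a syslog UDP input expects."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    pri = facility * 8 + severity
    ts = rfc3164_timestamp(when or datetime.now())
    return f"<{pri}>{ts} {hostname} {body}".encode("utf-8")


def send_test_message(packet: bytes, host: str = GRAYLOG_HOST, port: int = GRAYLOG_PORT) -> int:
    """Send the packet to the UniFi input over UDP and return the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(packet, (host, port))


if __name__ == "__main__":
    pkt = build_syslog_packet(TEST_HOSTNAME, TEST_BODY)
    print(f"sending {len(pkt)} bytes to {GRAYLOG_HOST}:{GRAYLOG_PORT}: {pkt!r}")
    send_test_message(pkt)
```

Run it from a host that can reach the input's port; a firewall between the controller and Graylog that drops the chosen port shows up here as a message that never arrives, before any UniFi device is reconfigured.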

What is Provided

  • Rules to normalize and enrich Ubiquiti UniFi log messages

Ubiquiti UniFi Log Message Processing

The Illuminate processing of UniFi log messages provides the following:

  • Field extraction, normalization, and message enrichment for UniFi log messages

  • GIM Categorization of the following messages:

UniFi Log Type   GIM Category      GIM Subcategory
firewall         network           network.default
dnsmasq          name resolution   name resolution.dns request
dnsmasq          name resolution   name resolution.dns request, name resolution.dns answer
dnsmasq-dhcp     dhcp              dhcp.request
dnsmasq-dhcp     dhcp              dhcp.discovery
dnsmasq-dhcp     dhcp              dhcp.offer
dnsmasq-dhcp     dhcp              dhcp.acknowledgement
dnsmasq-dhcp     dhcp              dhcp.default
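To make concrete what the Log Format Example section shows and what the GIM table above maps, the following is an added example (not Illuminate's rules and not code from this page) that extracts the fields from lines in the page's format, splits the "path, process name, process ID" notation that the Configuration Requirements section warns about, and assigns the dnsmasq and dnsmasq-dhcp rows of the table. The sample input is constructed: the page's two lines plus made-up dnsmasq and dnsmasq-dhcp lines in the same shape and one non-UniFi line that must be rejected. Which dnsmasq message wording maps to which table row (query/forwarded to "dns request", reply/cached to "dns request, dns answer", DHCPDISCOVER/OFFER/REQUEST/ACK to their subcategories, anything else to dhcp.default) is this example's assumption; the firewall row is not covered because the page shows no firewall sample.

```python
import re
from typing import Dict, List, Optional, Tuple

# Shape of a UniFi device line as shown in the Log Format Example section:
#   <hostname> <mac>,<model>-<firmware>: <process or /path/to/process>[<pid>]: <message>
# The process token is sometimes a bare name (dnsmasq) and sometimes a full path
# (/usr/sbin/hostapd); the model itself may contain hyphens, so the firmware is
# recognised as the last dotted version number before the colon.
UNIFI_LINE = re.compile(
    r"^(?P<host>\S+)\s+"
    r"(?P<mac>[0-9a-fA-F]{12}),"
    r"(?P<model>.+?)-(?P<firmware>\d+\.\d+\.\d+\S*):\s+"
    r"(?P<proc>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s+"
    r"(?P<msg>.*)$"
)

# GIM subcategories from the table above. The choice of which message wording
# lands in which row is an ASSUMPTION of this example, not Illuminate's logic.
DHCP_SUBCATEGORY = {
    "DHCPDISCOVER": "dhcp.discovery",
    "DHCPOFFER": "dhcp.offer",
    "DHCPREQUEST": "dhcp.request",
    "DHCPACK": "dhcp.acknowledgement",
}
DNS_SUBCATEGORY = {
    "query": ["name resolution.dns request"],
    "forwarded": ["name resolution.dns request"],
    "reply": ["name resolution.dns request", "name resolution.dns answer"],
    "cached": ["name resolution.dns request", "name resolution.dns answer"],
}

# Constructed sample input (see lead-in); the last line is deliberately not UniFi.
SAMPLE_LOGS = [
    "APSomewhere f091234518f6,UAP-AC-Pro-Gen2-6.2.49+14111: dnsmasq[4797]: forwarded www.graylog.org to 10.10.10.10",
    "APAnywhere f09fc2dc18f6,UAP-AC-Pro-Gen2-6.2.49+14111: /usr/sbin/hostapd[16441]: WPA: Encrypt Key Data using AES-WRAP (KEK length 16)",
    "UDMSomewhere 245a4c001122,UDMPRO-3.0.20+1234: dnsmasq-dhcp[2034]: DHCPDISCOVER(br0) 7c:2e:bd:aa:bb:cc",
    "UDMSomewhere 245a4c001122,UDMPRO-3.0.20+1234: dnsmasq-dhcp[2034]: DHCPACK(br0) 10.10.10.42 7c:2e:bd:aa:bb:cc laptop",
    "UDMSomewhere 245a4c001122,UDMPRO-3.0.20+1234: dnsmasq-dhcp[2034]: DHCPNAK(br0) 10.10.10.42 7c:2e:bd:aa:bb:cc address in use",
    "UDMSomewhere 245a4c001122,UDMPRO-3.0.20+1234: dnsmasq[2034]: reply www.graylog.org is 203.0.113.10",
    "Jan  1 00:00:00 otherhost sshd[1]: Accepted publickey for admin from 192.0.2.5",
]


def parse_unifi_line(line: str) -> Optional[Dict]:
    """Extract device, firmware and process fields; None if the line is not in UniFi shape."""
    m = UNIFI_LINE.match(line.strip())
    if not m:
        return None
    raw_mac = m["mac"].lower()
    proc = m["proc"]
    return {
        "host": m["host"],
        "mac": ":".join(raw_mac[i:i + 2] for i in range(0, 12, 2)),
        "model": m["model"],
        "firmware": m["firmware"],
        "process": proc.rsplit("/", 1)[-1],            # basename, whether or not a path was logged
        "process_path": proc if proc.startswith("/") else None,
        "pid": int(m["pid"]) if m["pid"] else None,
        "message": m["msg"],
    }


def gim_classify(event: Dict) -> Dict:
    """Attach gim_category / gim_subcategory for the dnsmasq and dnsmasq-dhcp rows."""
    proc, msg = event["process"], event["message"]
    category: Optional[str] = None
    subcategories: List[str] = []
    if proc == "dnsmasq-dhcp":
        kind = re.match(r"DHCP[A-Z]+", msg)
        category = "dhcp"
        subcategories = [DHCP_SUBCATEGORY.get(kind.group(0) if kind else "", "dhcp.default")]
    elif proc == "dnsmasq":
        word = re.match(r"[a-z]+", msg)
        if word and word.group(0) in DNS_SUBCATEGORY:
            category = "name resolution"
            subcategories = list(DNS_SUBCATEGORY[word.group(0)])
    return {**event, "gim_category": category, "gim_subcategory": subcategories}


def process_lines(lines: List[str]) -> Tuple[List[Dict], List[str]]:
    """Parse and classify every line; lines that are not UniFi-shaped are returned separately."""
    events, unparsed = [], []
    for line in lines:
        event = parse_unifi_line(line)
        if event is None:
            unparsed.append(line)
        else:
            events.append(gim_classify(event))
    return events, unparsed


if __name__ == "__main__":
    parsed, rejected = process_lines(SAMPLE_LOGS)
    for ev in parsed:
        print(f'{ev["host"]:13} {ev["mac"]} {ev["process"]:13} pid={ev["pid"]} '
              f'{ev["gim_category"]} {ev["gim_subcategory"]}')
    print(f"rejected {len(rejected)} non-UniFi line(s)")
```

The rejected line illustrates why the page insists on a dedicated input: a content-based match like this regex would silently drop anything else arriving on the same port, and a looser one would misfile it, whereas routing by input ID sidesteps the question entirely.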

Ubiquiti UniFi Spotlight Content Pack

  • Spotlight content for this pack does not exist at this time.