Ubiquiti UniFi Content Pack

The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

Ubiquiti UniFi is a family of products that includes wireless access points, routers, switches, security cameras, and controllers (cloud or on-prem), all working together to provide a cohesive overview of your environment. This technology pack processes UniFi syslog messages and CEF-formatted SIEM integration logs from UniFi OS, UniFi Network, and UniFi Protect, providing normalization and enrichment for common events of interest.

Supported Versions

  • UniFi OS 3.0+

  • UniFi Network 7.3+

  • UniFi Protect 2.7+

Requirements

  • Graylog 4.3.0+ with a valid Enterprise license

  • A dedicated syslog input configured for UniFi log delivery

  • Illuminate lookup override configured to map the input ID to ubiquiti_unifi

Stream Configuration

This technology pack includes 1 stream:

  • "Illuminate:Ubiquiti Unifi Messages"

Hint: If this stream does not exist before the pack is activated, it is created, and the pack routes matching UniFi messages to it and to the associated index set. No stream rules should be configured for this stream.

Index Set Configuration

This technology pack includes 1 index set definition:

  • "Ubiquiti Unifi Logs"

Hint: If this index set is already defined, then nothing is changed. If this index set does not exist, then it is created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Collection and Delivery

Because of the way UniFi controllers format some logs (the syslog header carries a path, process name, and process ID), a dedicated UniFi input and an Illuminate lookup override must be configured. The override maps the input ID to the UniFi identification rule, so Illuminate treats every message received on that input as a UniFi message.

Graylog Server Configuration: Create the Syslog Input

  1. Create a new syslog input and choose an unused port. If an input already exists that only handles UniFi logs, use that input.

  2. Select Received messages for the input on the inputs list.

  3. Copy the gl2_source_input value.

    [Image: View the gl2_source_input ID for an input]

Graylog Server Configuration: Configure the Illuminate Override

  1. Navigate to Enterprise > Illuminate and select the Customization tab.

  2. Locate lookup_adapter_input_routing, then select Edit.

  3. Enter your custom values:

    • content_name: Enter ubiquiti_unifi.

    • input_id: Enter the gl2_source_input ID copied earlier.

    [Image: Dialog box to set custom values for the input routing lookup adapter]

  4. Select Configure value.

UniFi Syslog Configuration

  1. Enable remote logging in the UniFi Network System settings page under Support.

  2. Set Logging Levels to Auto.

  3. Under Remote Logging Location, enable Remote Server, check Syslog, and enter the Graylog server IP address and port matching the input configured above.

    [Image: Configuring connection details on the UniFi Network System platform]

UniFi CEF / SIEM Integration (UniFi Network 8.5+)

UniFi Network 8.5+ supports CEF-formatted log export for IDS/IPS alerts, admin access, WiFi client events, and system events.

  1. In the UniFi Network Application, navigate to Settings > Control Plane > Integrations > Activity Logging.

  2. Select SIEM Server as the destination.

  3. Enter the Graylog server IP and the syslog input port.

  4. CEF-formatted logs are then sent over syslog (UDP) to the configured input.

Hint: CEF logs are sent to the same syslog input as standard UniFi logs. No separate input is required.

Log Format Examples

UniFi devices send logs in syslog format with the AP/device name, MAC, model version, and daemon name.

DNS Query

APSomewhere f091234518f6,UAP-AC-Pro-Gen2-6.2.49+14111: dnsmasq[4797]: forwarded www.graylog.org to 10.10.10.10

Firewall

Houston-Office-DM-Pro [LAN_LOCAL-RET-2147483647] DESCR="no rule description" IN=br148 OUT= MAC=60:22:32:28:41:e5:d0:21:f9:96:fa:d8:08:00 SRC=10.148.153.76 DST=10.148.0.1 LEN=1500 TOS=00 PREC=0x00 TTL=64 ID=10151 DF PROTO=TCP SPT=33725 DPT=7550 SEQ=270903990 ACK=2412021963 WINDOW=913 ACK URGP=0

CEF IDS/IPS Alert

pandora CEF:0|Ubiquiti|UniFi Network|9.4.19|201|Threat Detected and Blocked|7|proto=TCP src=81.181.129.172 spt=54321 dst=192.168.0.233 dpt=443 UNIFIcategory=Security UNIFIsubCategory=Intrusion Prevention UNIFIhost=Office-UDM-Pro UNIFIdeviceMac=84:78:48:80:0d:86 UNIFIdeviceName=Office-UDM-Pro UNIFIdeviceModel=UDM-Pro UNIFIdeviceIp=192.168.0.1 UNIFIrisk=medium UNIFIipsSignature=ET DROP Dshield Block Listed Source group 1 UNIFIipsSignatureId=2402000 msg=A network intrusion attempt has been detected and blocked.

What is Provided

  • Field extraction, normalization, and message enrichment for UniFi syslog and CEF-formatted log messages.

  • CEF (Common Event Format) parsing for UniFi Network SIEM integration logs: IDS/IPS alerts, admin access, WiFi client events, system events.

  • GIM event type categorization and enforcement fields for supported Ubiquiti UniFi events (firewall, DNS, DHCP, IDS/IPS).

  • Spotlight: Ubiquiti UniFi Overview dashboard.

GIM Categorization

GIM event type categorization is provided for the following message types:

UniFi Log Type     | Condition                        | gim_event_type_code | GIM Category    | GIM Subcategory                            | GIM Event Type
-------------------|----------------------------------|---------------------|-----------------|--------------------------------------------|-----------------------------
firewall           | All firewall events (allowed)    | 120000              | network         | network.network_connection                 | network connection
firewall           | Drop rules (-D- chain pattern)   | 120000              | network         | network.network_connection                 | network connection (blocked)
dnsmasq            | Query only (no response)         | 140000              | name_resolution | name_resolution.dns_request                | dns query
dnsmasq            | Query with response              | 140000 and 140200   | name_resolution | name_resolution.dns_request + dns_answer   | dns query + dns response
dnsmasq-dhcp       | DHCPDISCOVER                     | 290200              | dhcp            | dhcp.discovery                             | dhcp discovery
dnsmasq-dhcp       | DHCPOFFER                        | 290100              | dhcp            | dhcp.offer                                 | dhcp offer
dnsmasq-dhcp       | DHCPREQUEST                      | 290000              | dhcp            | dhcp.request                               | dhcp request
dnsmasq-dhcp       | DHCPACK                          | 290300              | dhcp            | dhcp.acknowledgement                       | dhcp acknowledgement
dnsmasq-dhcp       | DHCPNAK                          | 299999              | dhcp            | dhcp.default                               | dhcp default
CEF (event ID 201) | IPS Threat Detected and Blocked  | 300000              | detection       | detection.network_detection                | ids_detection
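The following added example is not part of the Graylog content pack; it parses the three sample lines from the Log Format Examples section (AP syslog prefix, gateway firewall key=value line, and CEF header plus extension) and assigns gim_event_type_code values according to the table above. The regular expressions, the parse_unifi function, and the assumption that dnsmasq "reply"/"cached" messages count as DNS answers are mine, not Illuminate's actual rules.

```python
import re

# Constructed samples, copied from this page's "Log Format Examples" section.
DNS_LINE = ("APSomewhere f091234518f6,UAP-AC-Pro-Gen2-6.2.49+14111: dnsmasq[4797]: "
            "forwarded www.graylog.org to 10.10.10.10")
FW_LINE = ('Houston-Office-DM-Pro [LAN_LOCAL-RET-2147483647] DESCR="no rule description" IN=br148 OUT= '
           "MAC=60:22:32:28:41:e5:d0:21:f9:96:fa:d8:08:00 SRC=10.148.153.76 DST=10.148.0.1 LEN=1500 TOS=00 PREC=0x00 "
           "TTL=64 ID=10151 DF PROTO=TCP SPT=33725 DPT=7550 SEQ=270903990 ACK=2412021963 WINDOW=913 ACK URGP=0")
CEF_LINE = ("pandora CEF:0|Ubiquiti|UniFi Network|9.4.19|201|Threat Detected and Blocked|7|proto=TCP src=81.181.129.172 "
            "spt=54321 dst=192.168.0.233 dpt=443 UNIFIcategory=Security UNIFIsubCategory=Intrusion Prevention "
            "UNIFIhost=Office-UDM-Pro UNIFIdeviceMac=84:78:48:80:0d:86 UNIFIdeviceName=Office-UDM-Pro UNIFIdeviceModel=UDM-Pro "
            "UNIFIdeviceIp=192.168.0.1 UNIFIrisk=medium UNIFIipsSignature=ET DROP Dshield Block Listed Source group 1 "
            "UNIFIipsSignatureId=2402000 msg=A network intrusion attempt has been detected and blocked.")

# AP/device syslog prefix: "<device> <mac>,<model-version>: <daemon>[<pid>]: <message>"
SYSLOG_RE = re.compile(r"^(?P<device>\S+) (?P<mac>[0-9a-f]{12}),(?P<model>\S+?): "
                       r"(?P<daemon>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Gateway firewall line: "<device> [<chain>] KEY=value ..."; bare flags such as DF or ACK carry no "=" and are skipped
FIREWALL_RE = re.compile(r"^(?P<device>\S+) \[(?P<chain>[^\]]+)\] (?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')
# CEF extension: values may contain spaces, so a value ends just before the next " key="
CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
DHCP_CODES = {"DHCPDISCOVER": 290200, "DHCPOFFER": 290100, "DHCPREQUEST": 290000, "DHCPACK": 290300}

def parse_unifi(line):
    """Return extracted fields plus the gim_event_type_code list from the GIM table (my mapping, not Illuminate's)."""
    if " CEF:0|" in line:
        host, header = line.split(" CEF:0|", 1)
        _vendor, product, version, sig_id, name, severity, ext = header.split("|", 6)
        fields = {"host": host, "product": product, "version": version, "cef_signature_id": sig_id, "name": name, "severity": int(severity)}
        fields.update(CEF_EXT_RE.findall(ext))
        fields["gim"] = [300000] if sig_id == "201" else []  # only event ID 201 is mapped on this page
        return fields
    m = SYSLOG_RE.match(line)
    if m:
        fields = m.groupdict()
        if fields["daemon"] == "dnsmasq":
            has_answer = fields["msg"].startswith(("reply ", "cached "))  # assumption: these lines are DNS answers
            fields["gim"] = [140000, 140200] if has_answer else [140000]
        elif fields["daemon"] == "dnsmasq-dhcp":
            kind = re.match(r"DHCP[A-Z]+", fields["msg"])  # e.g. "DHCPACK(br0) ..."
            fields["gim"] = [DHCP_CODES.get(kind.group() if kind else "", 299999)]  # DHCPNAK -> dhcp.default
        return fields
    m = FIREWALL_RE.match(line)
    if m:
        fields = {"device": m["device"], "chain": m["chain"], "gim": [120000]}
        fields.update((k, v.strip('"')) for k, v in KV_RE.findall(m["kv"]))
        fields["action"] = "blocked" if "-D-" in m["chain"] else "allowed"  # "-D-" marks drop rules
        return fields
    return None
```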

Ubiquiti UniFi Spotlight

This spotlight offers a dashboard with 1 tab:

Overview