Ubiquiti

LogZilla App Store application: Ubiquiti

Overview

Ubiquiti UniFi Dream Machine Pro (UDM Pro) is an all-in-one networking console that runs UniFi OS applications, including Network and Protect. It features a built-in security gateway, 10G SFP+ WAN support, an 8-port Gigabit switch, and network video recorder support.

Critical Configuration Requirement

BEFORE using this app, Ubiquiti devices MUST be configured to send logs to a dedicated LogZilla port.

UniFi devices use non-standard syslog formatting that requires special handling. Sending logs to the standard syslog port (514) will result in parsing failures.

Required Configuration:

  • Dedicated syslog port (e.g., 5514) configured in LogZilla
  • Ubiquiti devices configured to send logs to this dedicated port
  • Required Linux apps installed (see below)

Next Steps: See the "Setting Up Dedicated Ports" section below for complete configuration instructions.

Required Dependencies

IMPORTANT: Install these LogZilla apps BEFORE configuring Ubiquiti logging:

  • Linux__iptables App - Required for processing firewall logs
  • Linux__dhcpd App - Required for processing DHCP logs

Without these apps, Ubiquiti logs will be identified but won't receive detailed parsing and tagging for specific Linux services.

App Function

The Ubiquiti app performs the following functions:

  1. SSH Authorization Processing: Recognizes SSH authorization messages and creates user tags for authentication tracking
  2. Event Filtering: Identifies non-actionable events and marks them accordingly to reduce noise

Vendor Documentation

Ubiquiti UniFi log messages are essentially standard Linux syslog messages, plus a small number of messages from UniFi-specific programs.

Incoming Log Format

The incoming log format is that of standard Linux syslog messages; the Ubiquiti UDM Pro delivers them as syslog packets over the network.

For the SSH logs, the user tags are set as follows:

SSH User Tags

| Tag Name | Example | Description |
|----------|---------|-------------|
| program | SSH Auth | designation of SSH authorization |
| user | root | Linux user |
| SrcIP | 192.168.0.1 | source IPv4 address |
| SrcPort | 12345 | source port |

Log Examples

UDM Child Connection (to be set non-actionable)

```text
Child connection from 127.0.0.1:46230
```

UDM Parsed Request (to be set non-actionable)

```text
04[ENC] parsed INFORMATIONAL_V1 request 2016269085 [ HASH N(DPD_ACK) ]
```

Firewall Log Message #1

```text
DESCR="[WAN_LOCAL]Block All Other Tra" IN=eth8 OUT=
MAC=f4:92:bf:72:e4:fc:cc:79:d7:46:ce:af:08:00 SRC=80.64.30.221
DST=206.196.19.4 LEN=40 TOS=00 PREC=0x00 TTL=242 ID=55856 PROTO=TCP
SPT=44761 DPT=47838 SEQ=2867950570 ACK=0 WINDOW=1024 SYN URGP=0
MARK=1a0000
```

Firewall Log Message #2

```text
DESCR="no rule description" IN=br10 OUT=
MAC=f4:92:bf:72:e4:fe:8a:7a:3b:e7:7f:31:08:00 SRC=192.168.10.151
DST=192.168.10.1 LEN=52 TOS=00 PREC=0x00 TTL=63 ID=53957 DF PROTO=TCP
SPT=45132 DPT=443 SEQ=682224580 ACK=3544759213 WINDOW=4449 ACK URGP=0
UID=125 GID=132 MARK=1a0000
```

Firewall Log Message #3

```text
[LAN_LOCAL-RET-2147483647] DESCR=\"no rule description\" IN=br10 OUT=
MAC=f4:92:bf:72:e4:fe:8a:7a:3b:e7:7f:31:08:00 SRC=192.168.10.151
DST=192.168.10.1 LEN=52 TOS=00 PREC=0x00 TTL=63 ID=7571 DF PROTO=TCP
SPT=52776 DPT=443 SEQ=2957142958 ACK=2757071578 WINDOW=12949 ACK URGP=0
UID=125 GID=132 MARK=1a0000
```

MCAD Log Message

```text
mcad[3886]: mcad[3886]: udapi_cache.udapi_cache_set_global_update_interval():
Bumping global update interval :: interval=20000msec->23000msec
```
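As an added illustration (not code from the LogZilla app or its rules), the following Python parses the firewall messages shown above into key=value fields and bare flags, and applies non-actionable matching for the two UDM messages. The sample lines are constructed from the examples on this page (joined onto one line each, as they arrive in a real event); the tag names SrcIP and SrcPort come from the SSH table above, while DstIP, DstPort, Protocol and Rule are assumed names. The DESCR value is accepted with plain or backslash-escaped quotes, since message #3 shows the escaped variant, and a bare ACK token is kept apart from the ACK=<sequence> field, which both appear in message #2.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample lines modelled on Firewall Log Messages #1 and #3 above,
# each joined onto one line the way a real syslog event arrives.
SAMPLE_FIREWALL: List[str] = [
    'DESCR="[WAN_LOCAL]Block All Other Tra" IN=eth8 OUT= '
    'MAC=f4:92:bf:72:e4:fc:cc:79:d7:46:ce:af:08:00 SRC=80.64.30.221 '
    'DST=206.196.19.4 LEN=40 TOS=00 PREC=0x00 TTL=242 ID=55856 PROTO=TCP '
    'SPT=44761 DPT=47838 SEQ=2867950570 ACK=0 WINDOW=1024 SYN URGP=0 MARK=1a0000',
    '[LAN_LOCAL-RET-2147483647] DESCR=\\"no rule description\\" IN=br10 OUT= '
    'MAC=f4:92:bf:72:e4:fe:8a:7a:3b:e7:7f:31:08:00 SRC=192.168.10.151 '
    'DST=192.168.10.1 LEN=52 TOS=00 PREC=0x00 TTL=63 ID=7571 DF PROTO=TCP '
    'SPT=52776 DPT=443 SEQ=2957142958 ACK=2757071578 WINDOW=12949 ACK URGP=0 '
    'UID=125 GID=132 MARK=1a0000',
]

# Optional "[RULE-NAME]" prefix (seen in message #3) and the DESCR value, whose
# quotes may arrive plain (") or backslash-escaped (\") as in message #3.
RULE_RE = re.compile(r'^\[(?P<rule>[^\]]+)\]\s*')
DESCR_RE = re.compile(r'DESCR=(\\?")(?P<descr>.*?)\1\s*')

# Messages the app marks non-actionable; patterns generalised from the two examples.
NON_ACTIONABLE = (
    re.compile(r'^Child connection from \d{1,3}(?:\.\d{1,3}){3}:\d+$'),
    re.compile(r'^\d+\[ENC\] parsed \w+ request \d+ \[.*\]$'),
)


@dataclass
class FirewallEvent:
    rule: Optional[str]
    descr: str
    fields: Dict[str, str] = field(default_factory=dict)  # KEY=value tokens
    flags: Set[str] = field(default_factory=set)          # bare tokens: DF, SYN, ACK ...


def parse_firewall(line: str) -> Optional[FirewallEvent]:
    """Split a UDM iptables-style line into rule, description, fields and flags."""
    rest = line.strip()
    rule = None
    m = RULE_RE.match(rest)
    if m:
        rule, rest = m.group('rule'), rest[m.end():]
    m = DESCR_RE.match(rest)
    if not m:
        return None  # not a firewall message
    event = FirewallEvent(rule=rule, descr=m.group('descr'))
    for tok in rest[m.end():].split():
        if '=' in tok:
            key, value = tok.split('=', 1)  # "OUT=" yields an empty value
            event.fields[key] = value
        else:
            event.flags.add(tok)  # bare "ACK" is a TCP flag, distinct from ACK=<seq>
    return event


def to_tags(event: FirewallEvent) -> Dict[str, str]:
    """Map parsed fields to user tags. SrcIP/SrcPort are the page's names;
    DstIP, DstPort, Protocol and Rule are assumed names for this example."""
    f = event.fields
    tags = {
        'SrcIP': f.get('SRC', ''), 'SrcPort': f.get('SPT', ''),
        'DstIP': f.get('DST', ''), 'DstPort': f.get('DPT', ''),
        'Protocol': f.get('PROTO', ''), 'Rule': event.rule or event.descr,
    }
    return {k: v for k, v in tags.items() if v}


def is_non_actionable(message: str) -> bool:
    """True for the UDM child-connection and parsed-request messages shown above."""
    return any(p.search(message.strip()) for p in NON_ACTIONABLE)


if __name__ == '__main__':
    for line in SAMPLE_FIREWALL:
        ev = parse_firewall(line)
        print(to_tags(ev), sorted(ev.flags))
    for msg in ('Child connection from 127.0.0.1:46230',
                '04[ENC] parsed INFORMATIONAL_V1 request 2016269085 [ HASH N(DPD_ACK) ]'):
        print(is_non_actionable(msg), msg)
```

Run it directly to see the tags and flags for both constructed samples; `parse_firewall` returns `None` for anything without a DESCR field, so non-firewall lines such as the child-connection message fall through untouched to the non-actionable check.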

UniFi OS and Linux Integration

Ubiquiti devices run UniFi OS, a Linux derivative that includes standard Linux programs. The dedicated port approach allows LogZilla to:

  • Segregate UniFi devices from other Linux implementations
  • Benefit from detailed processing of standard Linux log formats
  • Provide unified dashboards for Ubiquiti-specific insights

Standard UniFi OS Services

  • iptables - Firewall and NAT filtering
  • dhcpd - DHCP daemon (if dedicated DHCP is used)
  • dnsmasq - Combined DHCP/DNS service
  • sshd/dropbear - SSH remote access
  • ntpd/systemd-timesyncd - Time synchronization
  • kernel - Kernel-generated messages
  • systemd - Service management
  • rsyslogd/syslog-ng - Log aggregation

Setting Up Dedicated Ports for Ubiquiti

LogZilla supports dedicated syslog ports for specific device types, which can improve performance and allow for better event processing. This guide explains how to set up dedicated syslog sources for Unifi devices.

Configuration Steps

1. Edit the syslog-ng Configuration

Open the syslog-ng configuration file:

```bash
# Open the config file with your preferred editor
nano /etc/logzilla/syslog-ng/config.yaml
```

2. Add Custom Unifi Sources

In the sources section of the file, add a new entry for TCP and optionally UDP:

```yaml
sources:
  # ... existing sources will be here ...

  # Add TCP source for Unifi
  - name: unifi
    enabled: true
    type: network
    port: 5514    # Choose an unused port
    transport: tcp
    source_tag: unifi

  # Optional: Add UDP source for Unifi
  - name: unifi_udp
    enabled: true
    type: network
    port: 5514    # Usually the same port as TCP
    transport: udp
    source_tag: unifi
```

The key point is the source_tag: unifi in the syslog-ng configuration, which matches the SOURCE_FILTER = "unifi" in the Unifi rule. This association ensures that:

  1. Only events from the dedicated Unifi port will be processed by the Unifi rule
  2. Events from other sources will not unnecessarily go through the Unifi processing
  3. The parser automatically handles the connection between source_tag and SOURCE_FILTER without needing additional configuration

3. Restart Syslog to Apply Changes

Restart the syslog and parser services to apply the configuration:

```bash
logzilla restart -c syslog
logzilla restart -c parsermodule
```

4. Configure Your Unifi Devices

Configure your Unifi devices to send logs to these dedicated ports:

  1. Log in to your Unifi Controller or device admin interface
  2. Navigate to Settings > System > Advanced
  3. Under Remote Logging, enable "Remote Logging"
  4. Enter your LogZilla server IP address
  5. Set the port to your dedicated port (e.g., 5514)
  6. Select the appropriate protocol (TCP or UDP)
  7. Save your settings

5. Verify Configuration

To verify that logs are being received on the dedicated ports, check the Ubiquiti Unifi OS dashboard.

Troubleshooting

If you don't see Unifi logs after configuration:

  1. Verify the syslog-ng process is running:

     ```bash
     logzilla status
     ```

  2. Check the syslog-ng logs for configuration errors:

     ```bash
     docker logs logzilla_syslog
     ```

  3. Check that the port is reachable (not blocked by a firewall):

     ```bash
     nc -zv your_logzilla_server 5514
     ```

  4. Enable debug logging temporarily to see incoming connections:

     ```bash
     # Enable syslog-ng debug output
     logzilla config syslog_debug 1

     # Restart syslog so the setting takes effect
     logzilla restart -c syslog
     ```

     View the debug log with:

     ```bash
     sudo tail -F /var/log/logzilla/syslog/debug.log
     ```

     Once troubleshooting is complete, disable debug logging, since it adds load to the syslog process and can quickly fill the disk:

     ```bash
     logzilla config syslog_debug 0
     ```

     See Syslog Troubleshooting for more information.

  5. Test sending a log message directly to the configured port:

     ```bash
     # From another Linux machine, using the util-linux logger command.
     # -T sends over TCP (matching the tcp source); use -d instead for the UDP source.
     logger -n your_logzilla_server -P 5514 -T "Test message from Unifi device"
     ```

  6. Verify that your Unifi device is configured to send logs to the right IP address and port
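As an added example (not part of the LogZilla documentation or tooling), the following Python complements the logger test in step 5: it builds an RFC 3164 syslog line that looks like a UDM firewall event and delivers it to the dedicated port over TCP (newline-framed) or UDP, so the dedicated source and the Unifi rule can be exercised without waiting for real traffic. The message body is constructed from Firewall Log Message #2 above; the program name `kernel`, the host name `udm-pro`, the server placeholder `your_logzilla_server` and the sample timestamp are assumptions for this example.

```python
import socket
import sys
from datetime import datetime
from typing import Optional

# Constructed message body modelled on Firewall Log Message #2 above. The program
# name "kernel" used below is an assumption; the page does not show that field.
SAMPLE_BODY = ('DESCR="no rule description" IN=br10 OUT= SRC=192.168.10.151 '
               'DST=192.168.10.1 LEN=52 PROTO=TCP SPT=45132 DPT=443 ACK URGP=0')
# Fixed timestamp so the output is reproducible (constructed value).
SAMPLE_TIME = datetime(2024, 3, 5, 9, 7, 1)


def build_syslog_line(host: str, program: str, message: str,
                      facility: int = 1, severity: int = 6,
                      pid: Optional[int] = None, now: Optional[datetime] = None) -> str:
    """Build an RFC 3164 (BSD) syslog line: <PRI>TIMESTAMP HOST TAG: MSG.
    PRI is facility*8 + severity (kernel=0, user=1; info=6)."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError('facility must be 0-23 and severity 0-7')
    now = now or datetime.now()
    # RFC 3164 timestamps pad a single-digit day with a space: "Mar  5 09:07:01".
    stamp = f'{now:%b} {now.day:2d} {now:%H:%M:%S}'
    tag = f'{program}[{pid}]' if pid is not None else program
    return f'<{facility * 8 + severity}>{stamp} {host} {tag}: {message}'


def send_test_event(server: str, port: int, line: str,
                    transport: str = 'tcp', timeout: float = 3.0) -> int:
    """Deliver one syslog line to the dedicated port and return the bytes sent.
    TCP uses newline framing, which the syslog-ng network source accepts."""
    data = (line + '\n').encode('utf-8')
    if transport == 'tcp':
        with socket.create_connection((server, port), timeout=timeout) as sock:
            sock.sendall(data)
    elif transport == 'udp':
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.sendto(data, (server, port))
    else:
        raise ValueError(f'unknown transport: {transport}')
    return len(data)


if __name__ == '__main__':
    # usage: python send_udm_test.py <logzilla_server> [port] [tcp|udp]
    server = sys.argv[1] if len(sys.argv) > 1 else 'your_logzilla_server'
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 5514
    transport = sys.argv[3] if len(sys.argv) > 3 else 'tcp'
    line = build_syslog_line('udm-pro', 'kernel', SAMPLE_BODY, facility=0)
    print(f'sent {send_test_event(server, port, line, transport)} bytes: {line}')
```

After sending, the event should appear in LogZilla with the `unifi` source tag; if it arrives on the dedicated port but is not tagged, the `source_tag` entry in the syslog-ng source is the first thing to re-check.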
