Ubiquiti

LogZilla App Store application: Ubiquiti

Overview

Ubiquiti UniFi devices support two types of syslog output:

  • Activity Logging - CEF-formatted logs for admin actions, client events, and system status (sent to port 5521)
  • Traffic Logging - Firewall/iptables logs for network traffic and security events (sent to dedicated port 5521)

App Function

  • Parse CEF-formatted logs from Ubiquiti UniFi devices
  • Parse iptables-formatted traffic logs from CyberSecure
  • Extract UniFi-specific metadata (category, client info, AP details)
  • Map standard CEF fields (src, dst, proto) to LogZilla tags
  • Map UniFi threat categories to MITRE ATT&CK techniques
  • Categorize events by type (security, network, system, auth, config)
  • Provide dashboards for monitoring UniFi infrastructure and threats

Vendor Documentation

LogZilla Configuration

Traffic Logging requires a dedicated syslog port.

  1. Navigate to Settings > System > Application Ports
  2. Set Ubiquiti UniFi syslog port to a dedicated port (e.g., 5521)
  3. Click Save

The syslog and parser services will reload automatically. Both TCP and UDP listeners are enabled on the configured port.

UniFi Configuration

UniFi has two separate logging configurations that must both be enabled.

Activity Logging (CEF Format)

Activity Logging sends CEF-formatted logs for admin actions, device events, and client activity.

  1. Navigate to Settings > Control Plane > Integrations
  2. Under Activity Logging (Syslog), select SIEM Server
  3. Click Edit and select all desired Categories
  4. Enable Include Raw Logs
  5. Enter the LogZilla server address in Server Address
  6. Set the Port to 5521
  7. Click Apply Changes

UniFi Activity Logging Configuration

Traffic Logging (CyberSecure)

Traffic Logging sends firewall and IPS logs in iptables format.

  1. Navigate to Settings > CyberSecure > Traffic Logging
  2. Under Flow Logging, select All Traffic or Blocked Traffic Only
  3. Enable desired Additional Flows (Gateway DNS, UniFi Services, etc.)
  4. Under Activity Logging (Syslog), select SIEM Server
  5. Select desired Contents categories
  6. Enter the LogZilla server address in Server Address
  7. Set the Port to 5521
  8. Click Apply Changes

UniFi Traffic Logging Configuration

Verification

Generate test traffic or trigger a configuration change, then verify events appear in LogZilla with CEF Vendor tag set to Ubiquiti for Activity Logs, or Source Type tag set to unifi-os for Traffic Logs.

Incoming Log Format

UniFi devices send logs in Common Event Format (CEF):

```text
CEF:0|Ubiquiti|UniFi Network|9.3.33|401|WiFi Client Disconnected|2|
UNIFIcategory=Monitoring UNIFIsubCategory=WiFi UNIFIhost=Office UDM Pro
UNIFIclientMac=aa:bb:cc:dd:ee:ff UNIFIssid=Corporate-WiFi
```

The pipe-delimited header fields, in order, are:

  • Version - CEF version (always 0)
  • Vendor - Device vendor (Ubiquiti)
  • Product - Product name (UniFi Network, UniFi OS)
  • Device Version - Product version
  • Event ID - Event type identifier
  • Name - Event description
  • Severity - Event severity (0-10)

Parsed Metadata Fields

| Tag Name | Example | Description |
|---|---|---|
| Vendor | Ubiquiti | Vendor identifier |
| Product | UniFi | Product identifier |
| Event Class | security | Cross-vendor event classification |
| Event Type | Settings Change | Specific event type for triggering |
| SrcIP | 10.0.0.100 | Source IP address (client) |
| DstIP | 192.168.0.233 | Destination IP address (device/AP) |
| SrcMAC | aa:bb:cc:dd:ee:ff | Source MAC address (client) |
| DstMAC | 00:11:22:33:44:55 | Destination MAC address (AP/device) |
| DstPort | https | Destination port service name |
| Protocol | TCP | Network protocol |
| User | admin | Username |
| UniFi Category | Security | UniFi event category |
| UniFi SubCategory | Threat | UniFi event subcategory |
| UniFi Device Name | Lobby-AP | Connected device/AP name |
| UniFi Client Name | iPhone | Client hostname |
| UniFi SSID | Corporate-WiFi | WiFi network name |
| UniFi Threat Type | Malware | Threat classification |
| UniFi Threat Category | Command and Control | Threat category |

Log Examples

WiFi Client Connected

```text
CEF:0|Ubiquiti|UniFi Network|9.3.33|400|WiFi Client Connected|2|
UNIFIcategory=Monitoring UNIFIsubCategory=WiFi UNIFIhost=Office UDM Pro
UNIFIclientMac=aa:bb:cc:dd:ee:ff UNIFIclientName=iPhone
UNIFIssid=Corporate-WiFi UNIFIapName=Lobby-AP
```

Threat Detected

```text
CEF:0|Ubiquiti|UniFi Network|9.4.19|201|Threat Detected and Blocked|7|
proto=TCP src=10.0.0.100 spt=52331 dst=192.168.0.233 dpt=443
UNIFIcategory=Security UNIFIsubCategory=Threat
UNIFIthreatType=Malware UNIFIthreatCategory=Command and Control
```

Admin Login

```text
CEF:0|Ubiquiti|UniFi OS|4.3.6|admins|1|
msg=admin changed the Syslog Settings network
UNIFIcategory=System UNIFIsubCategory=Admin
```
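
As an added illustration (not the LogZilla app's own parser), the following Python splits the CEF header on unescaped pipes, walks the extension pairs so that space-containing values such as "Office UDM Pro" and "Command and Control" survive intact, and maps the keys onto the tag names from the Parsed Metadata Fields table. The TAG_MAP key-to-tag mapping and the joined sample lines are assumptions built from the examples above.

```python
import re

# Constructed samples: the log examples above with continuation lines joined by a space.
SAMPLES = [
    "CEF:0|Ubiquiti|UniFi Network|9.4.19|201|Threat Detected and Blocked|7|"
    "proto=TCP src=10.0.0.100 spt=52331 dst=192.168.0.233 dpt=443 "
    "UNIFIcategory=Security UNIFIsubCategory=Threat "
    "UNIFIthreatType=Malware UNIFIthreatCategory=Command and Control",
    "CEF:0|Ubiquiti|UniFi Network|9.3.33|400|WiFi Client Connected|2|"
    "UNIFIcategory=Monitoring UNIFIsubCategory=WiFi UNIFIhost=Office UDM Pro "
    "UNIFIclientMac=aa:bb:cc:dd:ee:ff UNIFIclientName=iPhone "
    "UNIFIssid=Corporate-WiFi UNIFIapName=Lobby-AP",
]

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "event_id", "name", "severity")

# Assumed key-to-tag mapping (the app's real mapping is not shown on the page).
TAG_MAP = {
    "src": "SrcIP", "dst": "DstIP", "proto": "Protocol",
    "UNIFIcategory": "UniFi Category", "UNIFIsubCategory": "UniFi SubCategory",
    "UNIFIhost": "UniFi Device Name", "UNIFIclientName": "UniFi Client Name",
    "UNIFIclientMac": "SrcMAC", "UNIFIssid": "UniFi SSID",
    "UNIFIthreatType": "UniFi Threat Type",
    "UNIFIthreatCategory": "UniFi Threat Category",
}

def parse_cef(line):
    """Return (header dict, extension dict) for one CEF line."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    # Header pipes may be escaped as '\|', so split only on unescaped pipes.
    parts = re.split(r"(?<!\\)\|", line[4:], maxsplit=7)
    header = dict(zip(HEADER_FIELDS, (p.replace("\\|", "|") for p in parts[:7])))
    ext_text = parts[7] if len(parts) > 7 else ""
    # Extension values may contain spaces ("Office UDM Pro", "Command and
    # Control"), so a value runs until the next ' key=' token, not the next space.
    ext = {}
    for m in re.finditer(r"(\S+?)=(.*?)(?=\s+\S+=|$)", ext_text):
        ext[m.group(1)] = m.group(2).replace("\\=", "=")
    return header, ext

def to_tags(line):
    """Map one parsed event onto LogZilla-style tag names using TAG_MAP."""
    header, ext = parse_cef(line)
    tags = {"Vendor": header["vendor"], "Product": header["product"],
            "Event Type": header["name"], "Severity": int(header["severity"])}
    tags.update((TAG_MAP[k], v) for k, v in ext.items() if k in TAG_MAP)
    return tags
```

Note that the Admin Login sample above carries only six pipe-delimited header fields, so a parser that assumes the full seven-field header needs to treat it as a separate case.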