UnifiOS UDM Pro

Ubiquiti Unifi Dream Machine Pro (UDM Pro) is an all-in-one networking console that runs every UniFi OS application, like Network and Protect. It has a built-in security gateway, 10G SFP+ WAN support, an 8-port Gigabit switch, and network video recorder that supports compatible 3.5" hard disk drives (HDDs).

Rule Function

This rule has two functions:

  • SSH authorization messages are recognized and extra user tags are set.
  • Some events are recognized as non-actionable and are marked accordingly.

Vendor Documentation

Ubiquiti Unifi log messages are essentially standard linux syslog messages, with the addition of a few messages from Unifi-specific programs.

Incoming Log Format

The incoming log format is that of standard linux syslog log messages. The Ubiquiti UDM Pro log messages are received as syslog data packets.

For the SSH logs, the user tags are set as follows:

SSH User Tags

Tag Name   Example       Description
program    SSH Auth      designation of ssh authorization
user       root          linux user
SrcIP      192.168.0.1   source IPv4 address
SrcPort    12345         source port

Log Examples

UDM Child Connection (to be set non-actionable)

Child connection from 127.0.0.1:46230

UDM Parsed Request (to be set non-actionable)

04[ENC] parsed INFORMATIONAL_V1 request 2016269085 [ HASH N(DPD_ACK) ]

Firewall Log Message #1

DESCR="[WAN_LOCAL]Block All Other Tra" IN=eth8 OUT=
MAC=f4:92:bf:72:e4:fc:cc:79:d7:46:ce:af:08:00 SRC=80.64.30.221
DST=206.196.19.4 LEN=40 TOS=00 PREC=0x00 TTL=242 ID=55856 PROTO=TCP
SPT=44761 DPT=47838 SEQ=2867950570 ACK=0 WINDOW=1024 SYN URGP=0
MARK=1a0000

Firewall Log Message #2

DESCR="no rule description" IN=br10 OUT=
MAC=f4:92:bf:72:e4:fe:8a:7a:3b:e7:7f:31:08:00 SRC=192.168.10.151
DST=192.168.10.1 LEN=52 TOS=00 PREC=0x00 TTL=63 ID=53957 DF PROTO=TCP
SPT=45132 DPT=443 SEQ=682224580 ACK=3544759213 WINDOW=4449 ACK URGP=0
UID=125 GID=132 MARK=1a0000

Firewall Log Message #3

[LAN_LOCAL-RET-2147483647] DESCR=\"no rule description\" IN=br10 OUT=
MAC=f4:92:bf:72:e4:fe:8a:7a:3b:e7:7f:31:08:00 SRC=192.168.10.151
DST=192.168.10.1 LEN=52 TOS=00 PREC=0x00 TTL=63 ID=7571 DF PROTO=TCP
SPT=52776 DPT=443 SEQ=2957142958 ACK=2757071578 WINDOW=12949 ACK URGP=0
UID=125 GID=132 MARK=1a0000

mcad Log Message

mcad[3886]: mcad[3886]: udapi_cache.udapi_cache_set_global_update_interval():
Bumping global update interval :: interval=20000msec->23000msec
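To make the two rule functions described above and the firewall key=value format of the log examples concrete, here is a small Python illustration written for this page (example code, not LogZilla's rule implementation): it sets the SSH user tags from the table, flags the two non-actionable message shapes, and splits an iptables-style message into fields. The sshd line is a constructed assumption (the page shows no SSH example), and the RULE and FLAGS field names are my own.

```python
import re
# Constructed sample events modelled on this page's log examples; the sshd line
# is an assumption, since the page shows no SSH authorization message itself.
SAMPLE_EVENTS = [
    "sshd[1234]: Accepted publickey for root from 192.168.0.1 port 12345 ssh2",
    "Child connection from 127.0.0.1:46230",
    "04[ENC] parsed INFORMATIONAL_V1 request 2016269085 [ HASH N(DPD_ACK) ]",
    'DESCR="[WAN_LOCAL]Block All Other Tra" IN=eth8 OUT= SRC=80.64.30.221 '
    "DST=206.196.19.4 LEN=40 TTL=242 PROTO=TCP SPT=44761 DPT=47838 SYN URGP=0",
    '[LAN_LOCAL-RET-2147483647] DESCR=\\"no rule description\\" IN=br10 OUT= '
    "SRC=192.168.10.151 DST=192.168.10.1 DF PROTO=TCP SPT=52776 DPT=443 "
    "ACK=2757071578 WINDOW=12949 ACK URGP=0 UID=125 GID=132 MARK=1a0000",
]

# sshd wording ("Accepted <method> for <user> from <ip> port <port>"); dropbear differs
SSH_AUTH_RE = re.compile(
    r"(?:Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)")
# message shapes the page marks as non-actionable
NON_ACTIONABLE = (re.compile(r"^Child connection from "),
                  re.compile(r"^\d+\[ENC\] parsed \S+ request \d+ "))
# KEY=value pairs: quoted, backslash-escaped quoted (message #3) or empty (OUT=)
KV_RE = re.compile(r'(\w+)=(\\?"[^"]*\\?"|\S*)')

def ssh_user_tags(msg):
    """Tags from the SSH User Tags table, or None if not an SSH auth message."""
    m = SSH_AUTH_RE.search(msg)
    if not m:
        return None
    return {"program": "SSH Auth", "user": m["user"],
            "SrcIP": m["ip"], "SrcPort": m["port"]}

def is_non_actionable(msg):
    return any(p.search(msg) for p in NON_ACTIONABLE)

def parse_firewall(msg):
    """Split an iptables-style message into fields; bare flags (SYN, ACK, DF) go in FLAGS."""
    if "SRC=" not in msg or "DST=" not in msg:
        return None
    fields = {}
    def take(m):                       # record the pair and blank it out of the text
        fields[m.group(1)] = m.group(2).strip('\\"')
        return " "
    rest = KV_RE.sub(take, msg).split()
    rule = [t for t in rest if t.startswith("[") and t.endswith("]")]
    if rule:                           # leading [RULE-NAME] prefix, as in message #3
        fields["RULE"] = rule[0].strip("[]")
    fields["FLAGS"] = sorted(t for t in rest if t not in rule)
    return fields
```

Note that the bare `ACK` flag in message #3 is kept apart from the `ACK=` acknowledgement number so neither value overwrites the other.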

Understanding Unifi-OS and Linux Integration

Ubiquiti devices run Unifi-OS, which is a derivative of Linux that includes standard Linux programs such as iptables. Messages are processed by standard Linux processing rules from other LogZilla apps, such as:

  • iptables (for firewall logs)
  • dhcpd (for DHCP logs)
  • pam (for authentication logs)
  • bind (for DNS logs)
  • Other standard Linux program logs

However, by using a dedicated port for Unifi devices, the Unifi-OS Linux messages can be segregated from other non-Ubiquiti Linux implementations. This approach allows the Ubiquiti dashboard to segregate Unifi devices from other Linux devices while still benefiting from the detailed processing of standard Linux log formats.

Program Names for Standard Unifi-OS Services

  • iptables – Firewall and NAT filtering; log messages originate directly from iptables.
  • dhcpd – If a dedicated DHCP daemon is in use
  • dnsmasq – Often used as a combined DHCP/DNS service
  • sshd or dropbear – For SSH remote access, log messages are typically from sshd (common on full-featured systems) or from dropbear (common on resource-constrained devices).
  • ntpd or systemd-timesyncd – Time synchronization services log via ntpd or systemd-timesyncd.
  • kernel – Kernel-generated messages (often seen in system logs under "kernel").
  • systemd – If systemd is used for service management, its activity (and that of its units) appears under systemd.
  • rsyslogd or syslog-ng – Depending on the logging daemon in use, log aggregation messages might be produced by rsyslogd or syslog-ng.
  • containerd (or similar) – In containerized environments, container runtimes such as containerd may appear in log messages.

Required Apps

To fully process Unifi-OS logs, you must first install the following LogZilla apps:

  • Linux__iptables App (For processing firewall logs)
  • Linux__dhcpd App (For processing DHCP logs)

In the future there may be more linux-oriented LogZilla apps that will be useful with Unifi-OS.

Without these additional Linux apps, Unifi logs will be identified as originating from Unifi-OS but won't receive the detailed parsing and tagging for the specific Linux programs running on the devices.

Setting Up Dedicated Ports for Unifi

LogZilla supports dedicated syslog ports for specific device types, which can improve performance and allow for better event processing. This guide explains how to set up dedicated syslog sources for Unifi devices.

Configuration Steps

1. Edit the syslog-ng Configuration

Open the syslog-ng configuration file:

# Open the config file with your preferred editor
nano /etc/logzilla/syslog-ng/config.yaml

2. Add Custom Unifi Sources

In the sources section of the file, add a new entry for TCP and optionally UDP:

sources:
  # ... existing sources will be here ...

  # Add TCP source for Unifi
  - name: unifi
    enabled: true
    type: network
    port: 5514    # Choose an unused port
    transport: tcp
    source_tag: unifi

  # Optional: Add UDP source for Unifi
  - name: unifi_udp
    enabled: true
    type: network
    port: 5514    # Usually the same port as TCP
    transport: udp
    source_tag: unifi

The key point is the source_tag: unifi in the syslog-ng configuration, which matches the SOURCE_FILTER = "unifi" in the Unifi rule. This association ensures that:

  1. Only events from the dedicated Unifi port will be processed by the Unifi rule
  2. Events from other sources will not unnecessarily go through the Unifi processing
  3. The parser automatically handles the connection between source_tag and SOURCE_FILTER without needing additional configuration

3. Restart Syslog to Apply Changes

Restart the syslog service to apply the configuration:

logzilla restart -c syslog
logzilla restart -c parsermodule

4. Configure Your Unifi Devices

Configure your Unifi devices to send logs to these dedicated ports:

  1. Log in to your Unifi Controller or device admin interface
  2. Navigate to Settings > System > Advanced
  3. Under Remote Logging, enable "Remote Logging"
  4. Enter your LogZilla server IP address
  5. Set the port to your dedicated port (e.g., 5514)
  6. Select the appropriate protocol (TCP or UDP)
  7. Save your settings

5. Verify Configuration

To verify that logs are being received on the dedicated ports, check the Ubiquiti Unifi OS dashboard.

Troubleshooting

If you don't see Unifi logs after configuration:

  1. Verify the syslog-ng process is running:

    logzilla status
    

  2. Check syslog-ng logs for any configuration errors:

    docker logs logzilla_syslog
    

  3. Check that your port is accessible (not blocked by firewall):

    nc -zv your_logzilla_server 5514
    

  4. Enable debug logging temporarily to see incoming connections:

    # Edit the syslog-ng configuration to enable debug options
    logzilla config syslog_debug 1
    
    # After editing, restart syslog
    logzilla restart -c syslog
    

View the debug log with:

sudo tail -F /var/log/logzilla/syslog/debug.log

Once troubleshooting is complete, debug logging should be disabled, since it generates extra load on the syslog process and can quickly fill up disk:

logzilla config syslog_debug 0

See Debugging Event Reception for more information.

  5. Test sending a log message directly to the configured port:

    # Using logger command to test (from another Linux machine)
    logger -n your_logzilla_server -P 5514 -T -d "Test message from Unifi device"
    

  6. Verify that your Unifi device is configured correctly to send logs to the right IP and port