UnifiOS UDM Pro
Ubiquiti Unifi Dream Machine Pro (UDM Pro) is an all-in-one networking console that runs every UniFi OS application, like Network and Protect. It has a built-in security gateway, 10G SFP+ WAN support, an 8-port Gigabit switch, and network video recorder that supports compatible 3.5" hard disk drives (HDDs).
Rule Function
This rule has two functions:
- SSH authorization messages are recognized and extra user tags are set.
- Some events are recognized as non-actionable and are marked accordingly.
Vendor Documentation
Ubiquiti Unifi log messages are essentially standard Linux syslog messages, with the addition of a few messages from Unifi-specific programs.
Incoming Log Format
The incoming log format is that of standard Linux syslog messages. The Ubiquiti UDM Pro log messages are received as syslog data packets.
For the SSH logs, the user tags are set as follows:
SSH User Tags
Tagged | Tag Name | Example | Description |
---|---|---|---|
☑ | program | SSH Auth | designation of SSH authorization |
☑ | user | root | Linux user |
☑ | SrcIP | 192.168.0.1 | source IPv4 address |
☑ | SrcPort | 12345 | source port |
Log Examples
UDM Child Connection (to be set non-actionable)
UDM Parsed Request (to be set non-actionable)
Firewall Log Message #1
DESCR="[WAN_LOCAL]Block All Other Tra" IN=eth8 OUT=
MAC=f4:92:bf:72:e4:fc:cc:79:d7:46:ce:af:08:00 SRC=80.64.30.221
DST=206.196.19.4 LEN=40 TOS=00 PREC=0x00 TTL=242 ID=55856 PROTO=TCP
SPT=44761 DPT=47838 SEQ=2867950570 ACK=0 WINDOW=1024 SYN URGP=0
MARK=1a0000
Firewall Log Message #2
DESCR="no rule description" IN=br10 OUT=
MAC=f4:92:bf:72:e4:fe:8a:7a:3b:e7:7f:31:08:00 SRC=192.168.10.151
DST=192.168.10.1 LEN=52 TOS=00 PREC=0x00 TTL=63 ID=53957 DF PROTO=TCP
SPT=45132 DPT=443 SEQ=682224580 ACK=3544759213 WINDOW=4449 ACK URGP=0
UID=125 GID=132 MARK=1a0000
Firewall Log Message #3
[LAN_LOCAL-RET-2147483647] DESCR=\"no rule description\" IN=br10 OUT=
MAC=f4:92:bf:72:e4:fe:8a:7a:3b:e7:7f:31:08:00 SRC=192.168.10.151
DST=192.168.10.1 LEN=52 TOS=00 PREC=0x00 TTL=63 ID=7571 DF PROTO=TCP
SPT=52776 DPT=443 SEQ=2957142958 ACK=2757071578 WINDOW=12949 ACK URGP=0
UID=125 GID=132 MARK=1a0000
mcad Log Message
mcad[3886]: mcad[3886]: udapi_cache.udapi_cache_set_global_update_interval():
Bumping global update interval :: interval=20000msec->23000msec
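The following is an added Python example, not LogZilla's own rule code, that carries out the two rule functions described above on the log examples: it recognizes an OpenSSH authentication line and sets the four tags from the SSH User Tags table, parses the iptables firewall messages into fields (including the quoted `DESCR` value, the escaped quotes of message #3, the `[RULE-NAME]` prefix and bare flags such as `DF`/`SYN`/`ACK`), and marks events as non-actionable. The SSH line format is standard OpenSSH; the firewall samples are the page's own examples #1 and #3 joined onto one line; the substrings used to spot the "UDM Child Connection" and "UDM Parsed Request" events are assumed placeholders, since the page names those events but does not show their text.

```python
# Added example, not LogZilla's own rule code: a small Python classifier that
# does what the page describes for the UDM Pro rule.  The sshd line format is
# the standard OpenSSH "Accepted|Failed ... from IP port N" form; the firewall
# samples are the page's own examples joined onto one line; the "child
# connection" / "parsed request" substrings for non-actionable events are
# ASSUMED, since the page names those events but does not show their text.
import re
from typing import Any, Dict

# OpenSSH authentication result line, e.g.
#   sshd[2411]: Accepted password for root from 192.168.0.1 port 12345 ssh2
SSH_AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)

# iptables KEY=VALUE pairs.  DESCR is quoted, may carry backslash-escaped
# quotes (firewall example #3) and contains spaces, so it gets its own branch.
KV_RE = re.compile(r'(\w+)=(?:\\?"(.*?)\\?"|(\S*))')

# Optional "[RULE-NAME]" prefix seen in firewall example #3.
RULE_RE = re.compile(r"^\[([^\]]+)\]")

# TCP/IP flags that appear as bare tokens (no "=") in iptables log lines.
BARE_FLAGS = {"DF", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Assumed substrings for the non-actionable UDM events (placeholders).
NON_ACTIONABLE_MARKERS = ("child connection", "parsed request")


def parse_firewall(msg: str) -> Dict[str, Any]:
    """Turn one iptables log line into a field dict (keys as in the log)."""
    fields: Dict[str, Any] = {}
    rule = RULE_RE.match(msg)
    if rule:
        fields["RULE"] = rule.group(1)
    for key, quoted, bare in KV_RE.findall(msg):
        fields[key] = quoted if quoted else bare
    # Bare flag tokens never carry "=", so a plain split finds them.
    fields["FLAGS"] = sorted(tok for tok in msg.split() if tok in BARE_FLAGS)
    return fields


def classify(msg: str) -> Dict[str, Any]:
    """Apply the rule's two functions to one syslog message body.

    Returns kind ("ssh_auth", "firewall", "other"), the tags the rule would
    set (names from the SSH User Tags table), and an actionable flag.
    """
    out: Dict[str, Any] = {"kind": "other", "tags": {}, "actionable": True}
    m = SSH_AUTH_RE.search(msg)
    if m:
        out["kind"] = "ssh_auth"
        out["tags"] = {
            "program": "SSH Auth",
            "user": m.group("user"),
            "SrcIP": m.group("ip"),
            "SrcPort": m.group("port"),
        }
        return out
    if "DESCR=" in msg and "SRC=" in msg:
        out["kind"] = "firewall"
        out["tags"] = parse_firewall(msg)
        return out
    lowered = msg.lower()
    if any(marker in lowered for marker in NON_ACTIONABLE_MARKERS):
        out["actionable"] = False
    return out


# Constructed samples: the SSH line follows OpenSSH's format with the table's
# example values; the firewall lines are the page's examples #1 and #3.
SAMPLES = [
    "sshd[2411]: Accepted password for root from 192.168.0.1 port 12345 ssh2",
    'DESCR="[WAN_LOCAL]Block All Other Tra" IN=eth8 OUT= '
    "MAC=f4:92:bf:72:e4:fc:cc:79:d7:46:ce:af:08:00 SRC=80.64.30.221 "
    "DST=206.196.19.4 LEN=40 TOS=00 PREC=0x00 TTL=242 ID=55856 PROTO=TCP "
    "SPT=44761 DPT=47838 SEQ=2867950570 ACK=0 WINDOW=1024 SYN URGP=0 MARK=1a0000",
    r'[LAN_LOCAL-RET-2147483647] DESCR=\"no rule description\" IN=br10 OUT= '
    "MAC=f4:92:bf:72:e4:fe:8a:7a:3b:e7:7f:31:08:00 SRC=192.168.10.151 "
    "DST=192.168.10.1 LEN=52 TOS=00 PREC=0x00 TTL=63 ID=7571 DF PROTO=TCP "
    "SPT=52776 DPT=443 SEQ=2957142958 ACK=2757071578 WINDOW=12949 ACK URGP=0 "
    "UID=125 GID=132 MARK=1a0000",
    "udm: child connection opened",  # constructed, assumed non-actionable text
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```

Note that `ACK` appears both as a key (`ACK=0`, the acknowledgement number) and as a bare flag in the same message, which is why the flag scan works on whitespace-split tokens rather than on the key=value matches.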
Understanding Unifi-OS and Linux Integration
Ubiquiti devices run Unifi-OS, which is a derivative of Linux that includes standard Linux programs such as iptables. Messages are processed by standard Linux processing rules from other LogZilla apps, such as:
- iptables (for firewall logs)
- dhcpd (for DHCP logs)
- pam (for authentication logs)
- bind (for DNS logs)
- Other standard Linux program logs
However, by using a dedicated port for Unifi devices, the Unifi-OS Linux messages can be segregated from other non-Ubiquiti Linux implementations. This approach allows the Ubiquiti dashboard to segregate Unifi devices from other Linux devices while still benefiting from the detailed processing of standard Linux log formats.
Program Names for Standard Unifi-OS Services
- iptables – Firewall and NAT filtering; log messages originate directly from iptables.
- dhcpd – If a dedicated DHCP daemon is in use
- dnsmasq – Often used as a combined DHCP/DNS service
- sshd or dropbear – For SSH remote access, log messages are typically from sshd (common on full-featured systems) or from dropbear (common on resource-constrained devices).
- ntpd or systemd-timesyncd – Time synchronization services log via ntpd or systemd-timesyncd.
- kernel – Kernel-generated messages (often seen in system logs under "kernel").
- systemd – If systemd is used for service management, its activity (and that of its units) appears under systemd.
- rsyslogd or syslog-ng – Depending on the logging daemon in use, log aggregation messages might be produced by rsyslogd or syslog-ng.
- containerd (or similar) – In containerized environments, container runtimes such as containerd may appear in log messages.
Required Apps
To fully process Unifi-OS logs, you must first install the following LogZilla apps:
- Linux__iptables App (For processing firewall logs)
- Linux__dhcpd App (For processing DHCP logs)
In the future there may be more Linux-oriented LogZilla apps that will be useful with Unifi-OS.
Without these additional Linux apps, Unifi logs will be identified as originating from Unifi-OS but won't receive the detailed parsing and tagging for the specific Linux programs running on the devices.
Setting Up Dedicated Ports for Unifi
LogZilla supports dedicated syslog ports for specific device types, which can improve performance and allow for better event processing. This guide explains how to set up dedicated syslog sources for Unifi devices.
Configuration Steps
1. Edit the syslog-ng Configuration
Open the syslog-ng configuration file:
2. Add Custom Unifi Sources
In the sources section of the file, add a new entry for TCP and optionally UDP:
```yaml
sources:
  # ... existing sources will be here ...
  # Add TCP source for Unifi
  - name: unifi
    enabled: true
    type: network
    port: 5514 # Choose an unused port
    transport: tcp
    source_tag: unifi
  # Optional: Add UDP source for Unifi
  - name: unifi_udp
    enabled: true
    type: network
    port: 5514 # Usually the same port as TCP
    transport: udp
    source_tag: unifi
```
The key point is the `source_tag: unifi` in the syslog-ng configuration, which matches the `SOURCE_FILTER = "unifi"` in the Unifi rule. This association ensures that:
1. Only events from the dedicated Unifi port will be processed by the Unifi rule
2. Events from other sources will not unnecessarily go through the Unifi processing
3. The parser automatically handles the connection between source_tag and SOURCE_FILTER without needing additional configuration
3. Restart Syslog to Apply Changes
Restart the syslog service to apply the configuration:
4. Configure Your Unifi Devices
Configure your Unifi devices to send logs to these dedicated ports:
- Log in to your Unifi Controller or device admin interface
- Navigate to Settings > System > Advanced
- Under Remote Logging, enable "Remote Logging"
- Enter your LogZilla server IP address
- Set the port to your dedicated port (e.g., 5514)
- Select the appropriate protocol (TCP or UDP)
- Save your settings
5. Verify Configuration
To verify that logs are being received on the dedicated ports, check the Ubiquiti Unifi OS dashboard.
Troubleshooting
If you don't see Unifi logs after configuration:
- Verify the syslog-ng process is running:
- Check syslog-ng logs for any configuration errors:
- Check that your port is accessible (not blocked by firewall):
- Enable debug logging temporarily to see incoming connections:
  View the logs using
  Once troubleshooting is complete, debug logging should be disabled, since it generates extra load on the syslog process and can quickly fill up disk:
  See Debugging Event Reception for more information.
- Test sending a log message directly to the configured port:
- Verify that your Unifi device is configured correctly to send logs to the right IP and port
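For the "test sending a log message directly to the configured port" step, the following added Python example (not part of the LogZilla documentation) builds an RFC 3164-style syslog line the way a UniFi device would emit it and sends it over TCP to a collector port. A loopback listener stands in for the syslog-ng `unifi` source so the round trip can be checked without a real collector; port 5514 is the page's dedicated port, while the hostname `udm-pro`, the fixed timestamp and the message text are constructed.

```python
# Added example, not from the LogZilla documentation: build a syslog line the
# way a UniFi device would emit it and send it over TCP to a collector port,
# with a loopback listener standing in for the syslog-ng "unifi" source so the
# round trip can be checked without a real collector.  Port 5514 is the page's
# dedicated port; the hostname, timestamp and message text are constructed.
import socket
import threading
from typing import List, Tuple

FACILITY_AUTH = 4     # RFC 3164 facility commonly used by sshd on Linux
SEVERITY_INFO = 6


def build_syslog_line(facility: int, severity: int, host: str, program: str,
                      pid: int, text: str, timestamp: str = "Jan  1 00:00:00") -> str:
    """Return an RFC 3164-style line: <PRI>TIMESTAMP HOST PROGRAM[PID]: TEXT."""
    pri = facility * 8 + severity
    return f"<{pri}>{timestamp} {host} {program}[{pid}]: {text}\n"


def parse_pri(line: str) -> Tuple[int, int]:
    """Split the <PRI> prefix back into (facility, severity)."""
    pri = int(line[1:line.index(">")])
    return pri // 8, pri % 8


def send_tcp(line: str, host: str = "127.0.0.1", port: int = 5514,
             timeout: float = 2.0) -> None:
    """Send one line to a TCP syslog port (the troubleshooting step, done by hand)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(line.encode("utf-8"))


def round_trip(line: str, port: int = 0) -> str:
    """Listen on loopback, send `line` to the listener, return what arrived.

    port=0 lets the OS pick a free port so the check never collides with a real
    collector; pass 5514 to exercise the dedicated port on an idle host.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    received: List[bytes] = []

    def accept_once() -> None:
        conn, _ = srv.accept()
        with conn:
            chunks = []
            while True:
                data = conn.recv(4096)
                if not data:          # sender closed: message complete
                    break
                chunks.append(data)
        received.append(b"".join(chunks))

    worker = threading.Thread(target=accept_once, daemon=True)
    worker.start()
    send_tcp(line, port=srv.getsockname()[1])
    worker.join(timeout=5.0)
    srv.close()
    return received[0].decode("utf-8") if received else ""


if __name__ == "__main__":
    test_line = build_syslog_line(
        FACILITY_AUTH, SEVERITY_INFO, "udm-pro", "sshd", 2411,
        "Accepted password for root from 192.168.0.1 port 12345 ssh2")
    print("sent:    ", test_line.strip())
    print("received:", round_trip(test_line).strip())
```

Against a real LogZilla host, call `send_tcp(test_line, host="<logzilla-ip>", port=5514)` and then look for the message in the dashboard; if it arrives there but not from the device, the problem is on the device side (wrong IP, port or protocol), and if it does not arrive at all, the syslog-ng source or an intervening firewall is the first place to look.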