TEAM: Huntress Managed Security Information and Event Management (SIEM)
PRODUCT: Firewall Syslog
ENVIRONMENT: Ubiquiti UniFi (USG, UXG, UDM)
SUMMARY: Configuration Guide for Ubiquiti UniFi firewalls
This page covers only the device-specific configuration. To complete the Huntress Managed SIEM setup you still need to follow the Huntress Managed SIEM Syslog Guide, which includes opening the syslog listening port in Microsoft Defender Firewall on the designated Huntress Agent host.
Vendor Information
| Vendor | UniFi / Ubiquiti |
|---|---|
| Supported Model Name/Number | USG, UXG, UDM ** |
| Supported Software Version(s) | UniFi Network Controller 5.11.39+, UniFi Network Application 6.2.25+ |
| Collection Method | Syslog |
| Provider Name | Syslog-Unifi Networks or Syslog-Ubiquiti |
| Additional Information | ** Please note that the Huntress SIEM parser is not fully compatible with UniFi APs, switches, and gateways other than the USG/UXG/UDM, because Ubiquiti's syslog format is not consistent across device types. Since these logs are of limited security value, we recommend using this KB to filter out AP, switch, and non-USG/UXG/UDM gateway data. Incompatible devices that send data to Huntress SIEM may be marked as "Syslog-Generic" or have their data rejected. |
Please note that Huntress provides third party vendor instructions as a best effort to expedite onboarding. Vendor documentation and versions frequently change and so it may be necessary to find the appropriate documentation for syslog logging for your version of the vendor software or service.
Please note the link in the Vendor Links above to the latest documentation at the time of this writing.
Please note, this documentation applies to UniFi Network Application (or UniFi Network Controller) version 8.5 and newer. Older versions use a different logging configuration; see the link in the next section.
Device Configuration Checklist (versions 8.5 and newer)
See UniFi Logging Configuration for 8.4 and older here.
Configure Control Plane Logging
UniFi Control Plane Integration logging sends platform-level administrative events to the SIEM. It typically produces fewer messages than traffic logging, but it carries the critical configuration-change and UniFi device events.
- Open UniFi Network.
- Go to Settings > Control Plane.
- Navigate to the Integrations tab.
- In the Activity Logging (Syslog) section, enable the SIEM Server option.
- Set the Server Address and Port to the Internal IP of the designated Huntress Agent, and the configured Syslog UDP listening port of the agent.
- Under Categories, select Edit and enable the following categories:
- Admin Activity
- Critical
- Security Detections
- Triggers
- VPN
- Select Apply Changes.
Your changes here will now be applied to all UniFi devices within this Site. If you have multiple UniFi Sites, you need to repeat these steps for each Site.
Configure CyberSecure Traffic Logging
Starting with UniFi 9.x, logging is split between the Control Plane and CyberSecure. The majority of security-relevant logs are now emitted by CyberSecure Traffic Logging.
- Open UniFi Network.
- Go to Settings > CyberSecure.
- Navigate to the Traffic Logging tab.
- In the Activity Logging (Syslog) section, enable the SIEM Server option.
- Set the Server Address and Port to the IP of the designated Huntress Agent, and the configured Syslog UDP listening port of the agent.
- Under Categories, select Edit and enable any categories desired.
- Note that these categories are relatively new to UniFi and documentation on what each one includes is sparse. Typically the Device and Client categories account for the most log volume and have very little security value.
- Disable Debug Logs.
- Select Apply Changes.
Your changes here will now be applied to all UniFi devices within this Site. If you have multiple UniFi Sites, you need to repeat these steps for each Site.
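Before handing the port over to the Huntress Agent, it is worth confirming that the console is actually reaching the agent host on the configured UDP port, and seeing what the parser-compatibility note and the Disable Debug Logs setting mean in practice. The following Python script is an added example, not Huntress or Ubiquiti code. It decodes RFC 3164 (BSD) syslog, drops debug-severity messages and messages from hosts outside an assumed gateway allowlist, and can bind the listening port to triage the first datagrams that arrive. The port 514, the hostname `UDM-Pro`, the gateway allowlist and every sample line are constructed assumptions; real UniFi output differs by device and version.

```python
"""UDP syslog receiver/filter for checking a UniFi -> Huntress agent feed.

Added example, not Huntress or Ubiquiti code. Sample lines below are constructed
in RFC 3164 shape; real UniFi output differs by device and version.
"""
import re
import socket
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed values: the agent's listening port and the gateway hostnames to keep.
LISTEN_PORT = 514
GATEWAY_HOSTS = {"UDM-Pro"}

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG   (RFC 3164 / BSD syslog)
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s\[]+)(?:\[\d+\])?: ?"
    r"(?P<msg>.*)$"
)


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: str
    host: str
    tag: str
    message: str


def parse_syslog(line: str) -> Optional[SyslogEvent]:
    """Decode one BSD-syslog line; return None if it is not in that shape."""
    m = _SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # PRI = facility*8 + severity; facility is at most 23
        return None
    return SyslogEvent(pri // 8, pri % 8, m.group("ts"), m.group("host"),
                       m.group("tag"), m.group("msg"))


def drop_reason(ev: SyslogEvent, gateway_hosts: set) -> Optional[str]:
    """Why an event would be filtered before forwarding, or None to keep it."""
    if ev.severity == 7:  # what 'Disable Debug Logs' removes at the source
        return "debug"
    if ev.host not in gateway_hosts:  # APs/switches: parser-incompatible, low value
        return "not-a-gateway"
    return None


def triage(lines: Iterable[str], gateway_hosts: set) -> dict:
    """Split raw lines into forwarded events and a Counter of drop reasons."""
    forwarded, dropped = [], Counter()
    for line in lines:
        ev = parse_syslog(line)
        if ev is None:
            dropped["unparsed"] += 1
            continue
        reason = drop_reason(ev, gateway_hosts)
        if reason:
            dropped[reason] += 1
        else:
            forwarded.append(ev)
    return {"forwarded": forwarded, "dropped": dropped}


def serve(port: int, gateway_hosts: set, max_messages: int = 20) -> dict:
    """Bind the UDP port and triage the first max_messages datagrams.

    Only one process can hold the port: stop the Huntress Agent (or point the
    UniFi SIEM Server setting at a spare port) while running this, then restore it.
    """
    lines = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        for _ in range(max_messages):
            data, (src, _) = sock.recvfrom(65535)
            text = data.decode("utf-8", "replace")
            print(f"{src}: {text.rstrip()}")
            lines.append(text)
    return triage(lines, gateway_hosts)


# Constructed sample input, not captured from a real console.
SAMPLE_LINES = [
    "<30>Mar 4 09:12:01 UDM-Pro udapi-server[1201]: admin login from 192.168.1.50",
    "<14>Mar 4 09:12:02 UDM-Pro sshd: Accepted password for root from 192.168.1.77",
    "<15>Mar 4 09:12:03 UDM-Pro hostapd: debug: beacon tick",
    "<30>Mar 4 09:12:04 U6-Lite-Office hostapd: STA aa:bb:cc:dd:ee:ff associated",
    "not a syslog line at all",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES, GATEWAY_HOSTS)
    for ev in result["forwarded"]:
        print(f"keep {ev.host} {SEVERITY_NAMES[ev.severity]} {ev.tag}: {ev.message}")
    print("dropped:", dict(result["dropped"]))
```

Run it once with the sample lines to see the two gateway events kept and the debug, AP and malformed lines dropped, then call `serve(LISTEN_PORT, GATEWAY_HOSTS)` on the agent host while the Huntress Agent is stopped to check that datagrams from the console actually arrive; if nothing shows up, the Defender Firewall rule or the Server Address in the UniFi SIEM Server setting is the first thing to re-check.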