Understanding UniFi Syslog for Your SIEM
UniFi devices, such as switches, access points, and gateways, send syslog messages directly from the device itself to your configured Huntress syslog collector. The UniFi Network Application is only used to configure the syslog settings for the devices; it does not collect or forward the logs.
How It Works
The UniFi ecosystem operates on a principle of centralized management but decentralized data flow for syslog.
- Centralized Configuration: You use the UniFi Network Application (whether it's on a Cloud Key, UDM, UDR, Hostifi, or a self-hosted server) to manage your network. When you enable remote syslog logging within the application's settings, you are creating a configuration profile.
- Configuration Push: The UniFi Network Application then "pushes" this configuration down to each UniFi device adopted into that site.
- Direct Syslog Transmission: Each individual UniFi device (e.g., your UAP-AC-PRO, USW-24-PoE, etc.) receives this setting and begins sending its syslog data directly to the IP address of the syslog server you specified.
This means the UniFi Network Application is not a syslog proxy or forwarder. The logs come straight from the source device.
Key Takeaways 📝
- Source IP Address: The source IP address for syslog messages will always be the IP address of the individual UniFi device, not the IP of your UniFi Network Application controller.
- All-or-Nothing Logging: The remote logging setting is sent to all UniFi devices on a site. There is no way within the UniFi Application to disable logs from specific device types (e.g., only access points or only switches). This is a limitation of the UniFi platform, not your SIEM.
- Firewall Rules: Ensure your firewall allows traffic from your UniFi devices' network/VLAN to your syslog server on the specified port (typically UDP port 514). You must allow traffic from the devices themselves, not just the controller. You can find an example rule here.
Common Questions & Troubleshooting
Since wireless access points and switches do not provide useful security logs, many partners prefer not to collect them. The steps below let you control which devices send logs to Huntress SIEM. Note that UDM devices may send AP/switch logs from the same IP as the firewall, because those functions are embedded in the UDM.
Why am I seeing multiple source IPs for one device?
You might see logs for a single access point (AP) coming from two different IP addresses. This is normal behavior for devices configured with a static IP.
- When the AP boots up, it first gets an address via DHCP and immediately begins sending logs from that IP.
- Shortly after, it applies its static IP configuration and begins sending logs from the new, static IP.
This is how the device functions and is not a SIEM or Huntress limitation. Using a DHCP reservation for the device instead of a manually configured static IP may prevent this behavior.
How can I stop receiving logs from specific devices?
Since you can't filter by device type in the UniFi Application, the best way to control which logs you receive is on your syslog server's firewall. You can create a firewall rule that only permits syslog traffic from the specific IP addresses you want to monitor.
For example, using Windows Defender Firewall:
- Find the inbound rule that allows syslog traffic (e.g., for UDP port 514). If using our example firewall rule, it will be named "Allow Huntress Syslog Collection."
- Open the rule's Properties and go to the Scope tab.
- Under the Remote IP addresses section, select "These IP addresses" and add the IPs of the devices you want to receive logs from (like your edge firewall/UDM).
Any device whose IP is not on this list will have its syslog messages dropped by the firewall, preventing them from reaching Huntress SIEM.
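The same Scope change can be applied from PowerShell. The script below is an added example, not a Huntress script: it reuses the article's rule name, while the IP addresses and port are placeholders you must replace with your own.

```powershell
# Added example (not Huntress's own script): scope the inbound syslog rule so that
# only the listed UniFi device IPs can reach the collector. The rule name matches
# the article's example rule; the IP list is a constructed placeholder.
#Requires -RunAsAdministrator

$RuleName   = 'Allow Huntress Syslog Collection'   # rule name from the article
$AllowedIPs = @('192.0.2.1', '192.0.2.2')          # placeholders: your UDM/gateway and any other devices to keep
$SyslogPort = 514                                  # UDP port the collector listens on

# Create the rule if it does not exist yet, otherwise reuse the existing one.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    $rule = New-NetFirewallRule -DisplayName $RuleName -Direction Inbound `
        -Protocol UDP -LocalPort $SyslogPort -Action Allow -Profile Any `
        -RemoteAddress $AllowedIPs
    Write-Host "Created rule '$RuleName' scoped to: $($AllowedIPs -join ', ')"
} else {
    # Equivalent of Properties > Scope > Remote IP addresses > "These IP addresses".
    $rule | Set-NetFirewallRule -RemoteAddress $AllowedIPs
    Write-Host "Scoped existing rule '$RuleName' to: $($AllowedIPs -join ', ')"
}

# Verify the effective remote address filter. Any UniFi AP or switch whose IP is
# not in this list has its UDP 514 traffic dropped before it reaches the collector.
# Because of the DHCP-then-static behaviour described above, a device you DO want
# to keep must be listed under the IP it actually ends up sending from.
$rule | Get-NetFirewallAddressFilter | Select-Object -ExpandProperty RemoteAddress
```

Run it in an elevated PowerShell session on the collector host; the final line prints the scoped address list so you can confirm the change took effect.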